SBP Directs Banks To Make Arrangements to Meditate Cyber / Hacking Attacks

With the increase in hacking attacks on the banks that cost losses and inconvenience to customers, State Bank of Pakistan has given a wake-up call to all commercial, microfinance banks and DFIs directing them to enhance cyber security through all possible measures, mechanisms and precautions by the end of 2016.

Banks are advised to enhance their cyber security controls, processes and procedures in order to anticipate, withstand, detect, and respond to cyber attacks.

In this regard, banks are asked to adopt a standard mechanism to ensure that all existing cyber security controls, processes and procedures are continuously being monitored to detect, prevent and respond to any potential cyber security incident in shortest possible time.

Banks are asked by central bank to formulate cyber security controls as an integral part of their IT risk management policy, accompanied by appropriate Standard Operating Procedures to safeguard against potential cyber threats.

Further, the banking institutions shall monitor all network communications to detect and/or block unauthorized network communications amongst servers, systems and endpoint devices.

The new instructions require the Board of Directors (BoD) of the institutions to regularly evaluate the adequacy of cyber security systems and action plans with regard to emerging cyber threats.

The senior management of banks would ensure that an organizational plan of action for cyber security management exists in each institution and is regularly reviewed and updated for implementation.

Banks shall ensure that periodic independent assessments are conducted to evaluate the adequacy and effectiveness of cyber security controls and procedures. Such assessments may include vulnerability assessments and penetration testing, which can be conducted by officials independent of the area under review. Where it is not possible to conduct such assessments by internal teams due to unavailability/shortage of skill set, the Banks may engage external parties having sufficient expertise in IT security assessments.

Further, banks shall properly enhance and regularly test their Incident Response Mechanism and Business Continuity Plan to prepare for eventualities of cyber attacks.

Industry Collaboration and Contingency Plan

Since cyber attacks could aim at multiple institutions within a short period of time, the Banks/DFIs/Microfinance Banks may explore appropriate opportunities of collaborating with other institutions/associations/bodies for sharing and gathering cyber threat intelligence in a timely manner.

Such collaboration may help the institutions to prepare for potential cyber attacks
It has also been decided that henceforth, all Banks/DFIs/Microfinance Banks shall maintain records of all attempts / breaches of cyber security and produce the same to SBP as and when required.

Cyber threats have become a global phenomenon and are continually growing in sophistication and impact, despite the advances in cyber-security technologies and practices.

While the new technologies and their application in banking system has created new opportunities for the efficient and cost-effective delivery of services such as internet banking and mobile banking, these have also posed a number of new threats and risks.