State Bank of Pakistan (SBP) has directed financial institutions (FIs) to promote collaboration at an industry level to combat the increased threat of cyber-attacks in the banking system.
In this connection, FIs shall use a platform within the industry for collecting and exchanging timely information that may facilitate the detection, response, remediation and recovery of FIs' systems following a cyber-attack, breach or any level of cyber security incident.
Banks shall gather and interpret information about relevant cyber threats from participating banks, services, utility providers and other FIs.
In this context, relevant cyber threat intelligence may include information that may trigger cyber-attacks on any entity within the FI’s ecosystem.
Banks shall ensure that cyber threat intelligence is shared with relevant staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels through a secure method.
Banks shall monitor technological developments and keep abreast of new cyber risk management processes that can effectively counter existing and newly developed forms of cyber-attacks.
SBP rolled out its instructions in the Framework on Information Technology Governance & Risk Management Framework for Financial Institutions (FIs). The framework has been developed after extensive consultation with both internal & external stakeholders.
The framework is based on international standards and recognized principles of international practices for technology governance and risk management and shall serve as SBP’s baseline requirement for all FIs.
The framework shall apply to all FIs including commercial banks (public and private sector banks), Islamic banks, Development Finance Institutions (DFIs), and Microfinance Banks (MFBs).
Banks Asked to Upgrade Their IT Systems By 2017-End
SBP has asked financial institutions to upgrade their systems, controls and procedures to ensure compliance by December 31, 2017.
The FIs shall formulate an IT policy framework, which shall be reviewed and updated every three (03) years. At a minimum, this framework shall cover the following areas:
- Information/cyber Security
- Services delivery & operations management
- Project management, acquisition, development & implementation of IT Systems
- Business Continuity and Disaster Recovery.
FIs shall determine threats and vulnerabilities to their IT environment, which comprises the internal and external networks, hardware, software, applications, databases, system interfaces, operations, data centers and human elements.
FIs shall adequately protect information system assets from unauthorized access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure.
The FIs shall put in place secure configuration of hardware, operating systems, software, applications, databases and servers, with all unnecessary services and programs disabled or removed.
Banks have been prohibited from installing unlicensed software for use by staff and in banking systems and operations.
FIs shall carry out a quarterly software vulnerability identification exercise across the entire institution, covering all IT systems and supporting infrastructure assets (networks, PCs, laptops, servers, operating systems, software, applications and databases).
On the basis of the identified threats and vulnerabilities, the FIs shall formulate a list of all risks that may cause severe harm and disruption to operations.
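The three requirements above (secure configuration with unnecessary services removed, a quarterly vulnerability identification exercise across the asset inventory, and a consolidated risk list) can be modelled as a small self-check. The following is an added example and not code from SBP, the framework or the article: the asset inventory, scan findings, approved-service baseline, the 91-day scan window and the severity weights are all constructed assumptions for illustration.

```python
"""Added illustrative example: derive a prioritised risk list from an asset
inventory and vulnerability-scan findings. All data below is constructed."""
from datetime import date, timedelta

# Assumed severity ordering used to rank the register (not from the framework).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed "quarterly" window: a scan older than this is flagged as stale.
SCAN_WINDOW = timedelta(days=91)

# Constructed asset inventory spanning the asset classes named in the framework.
ASSETS = [
    {"id": "srv-core-01", "kind": "server", "services": ["ssh", "https", "telnet"],
     "last_vuln_scan": date(2017, 9, 10)},
    {"id": "db-ledger-01", "kind": "database", "services": ["postgres", "ftp"],
     "last_vuln_scan": date(2017, 3, 1)},
    {"id": "pc-teller-22", "kind": "pc", "services": ["rdp"],
     "last_vuln_scan": date(2017, 10, 2)},
]

# Constructed scan findings (titles are placeholders, not real advisories).
FINDINGS = [
    {"asset": "srv-core-01", "title": "outdated TLS library build (constructed)", "severity": "high"},
    {"asset": "db-ledger-01", "title": "default administrative password (constructed)", "severity": "critical"},
    {"asset": "pc-teller-22", "title": "outdated browser plugin (constructed)", "severity": "low"},
]

# Assumed secure-configuration baseline: services permitted per asset class.
APPROVED_SERVICES = {
    "server": {"ssh", "https"},
    "database": {"postgres"},
    "pc": {"rdp"},
}


def unnecessary_services(assets, approved):
    """Return (asset_id, service) pairs for services outside the approved baseline."""
    out = []
    for asset in assets:
        allowed = approved.get(asset["kind"], set())
        for svc in asset["services"]:
            if svc not in allowed:
                out.append((asset["id"], svc))
    return out


def stale_scans(assets, as_of, window=SCAN_WINDOW):
    """Return ids of assets whose last vulnerability scan is older than the window."""
    return [a["id"] for a in assets if as_of - a["last_vuln_scan"] > window]


def risk_register(assets, findings, approved, as_of):
    """Combine scan findings, baseline deviations and stale scans into one
    list of risks, ordered from most to least severe."""
    register = [
        {"asset": f["asset"], "risk": f["title"], "severity": f["severity"]}
        for f in findings
    ]
    for asset_id, svc in unnecessary_services(assets, approved):
        register.append({"asset": asset_id,
                         "risk": f"unnecessary service enabled: {svc}",
                         "severity": "high"})
    for asset_id in stale_scans(assets, as_of):
        register.append({"asset": asset_id,
                         "risk": "vulnerability scan older than one quarter",
                         "severity": "medium"})
    register.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["asset"], r["risk"]))
    return register


def severe_risks(register, min_severity="high"):
    """Filter the register down to the risks at or above a severity floor."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in register if SEVERITY_RANK[r["severity"]] >= floor]


if __name__ == "__main__":
    as_of = date(2017, 12, 31)  # the compliance deadline named in the article
    for entry in risk_register(ASSETS, FINDINGS, APPROVED_SERVICES, as_of):
        print(f"{entry['severity']:<8} {entry['asset']:<14} {entry['risk']}")
```

The register deliberately treats a service outside the baseline as a high-severity risk in its own right, independent of any scanner finding: a host can pass a vulnerability scan and still violate the secure-configuration requirement. Stale scans are recorded as medium risks so that gaps in the quarterly cycle surface in the same list that management reviews.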
The complete draft can be viewed here.