SBP to Set Up Wing to Curb Cyberattacks in Financial Sector

The State Bank of Pakistan (SBP) is working to establish a specialized wing to curb cyberattacks and online financial fraud in the financial sector, according to a special report issued by the SBP, the “Financial Stability Review 2021”.

The division, called the Computer Emergency Response Team (FinCert), will be set up under the mandate of the National Cyber Security Policy 2021 by the Ministry of Information Technology and Telecommunication.

It will supplement the flow of information among stakeholders in a robust, real-time environment so that cyberattacks can be responded to effectively. The wing will also aid effective coordination between industry members and the regulators.

The report noted that, in case of a cyberattack on any one financial institution, the industry as a whole should put its resources into combating it, because any attack has implications for the rest of the system.

The banking watchdog has already issued instructions along with standardized formats to financial institutions to collect information on digital banking frauds or attempted frauds through call centers.

Collaboration at the international level is of immense importance in countering the risks arising from cyberattacks. These attacks are mostly global in nature, and collaboration among states, regulatory and supervisory authorities, law enforcement agencies, and institutions is vital for effectively managing and mitigating the risks arising from them.

Banking Supervision Group

SBP has established a dedicated division in its Banking Supervision Group for continuous oversight and supervision of cybersecurity risks. The prime objective of SBP’s supervisory processes is to delineate supervisory activities for supervising the financial institutions (FIs) according to their size, complexity, and riskiness. This risk-focused approach results in more rigorous oversight of FIs that pose enhanced risk to the financial system. The supervisory process for this purpose included both onsite and offsite assessments.

SBP is deploying its technology adoption policies in a phased manner. The purpose is to give sufficient time to FIs to develop and strengthen their cybersecurity systems before employing advanced technological systems in their business operations.

Cyberattacks Rampant in Post-COVID-19 Times

The COVID-19 pandemic has caused a paradigm shift in customers’ preferences by exposing them to the benefits of digital finance products and services. Both financial institutions and policy makers are now increasingly realizing the potential of technology and digital finance, and they are endeavoring to explore their potential to achieve cost and operational efficiencies, enhance customer convenience, promote financial inclusion and facilitate documentation of the economy.

However, digital transformation also exposes the financial sector to several new risks. As the financial sector becomes more digitized, it is exposed to different kinds of challenges, including unintended incidents and intentional attacks.

These cyber threats vary in nature and include ransomware, phishing, data leakage, denial of service, malware propagation, and cyber extortion. FIs have seen a rapid rise in cyberattacks over the years as they have increasingly employed technology to improve their business operations. According to The Global Risks Report, 2021 by the World Economic Forum, cybersecurity failure ranks among the highest risks of the next ten years in terms of both likelihood and impact. The Global Risks Report, 2022, published earlier, also notes that cybersecurity failure is among the risks that have worsened since the start of the pandemic.

The PwC 24th Annual Global CEO Survey notes that cyber threats are fast becoming a major source of anxiety for institutions and their top management around the world. Nearly 50 percent of the CEOs are concerned about cyber threats in 2021, as compared to only 33 percent in 2020. Cyber threats ranked second after pandemic and health crises in the list of threats that CEOs were extremely concerned about in 2021. However, according to the PwC 25th Annual Global CEO Survey, cyber risks have surpassed health risks to become the top-ranked threat to growth as per the CEOs.

Cyberattacks in Pakistan

Pakistan has also witnessed increasing instances of cyberattacks, especially after the onset of the pandemic. Besides increases in the instances of cyber frauds, there have also been large-scale cyberattacks on some of the state institutions and banks. Moreover, SBP’s latest SRS shows a significant rise in the participants’ perception of cybersecurity risks. As such, SBP has instituted a comprehensive regulatory and supervisory framework to mitigate cybersecurity risks.

SBP has advised financial institutions to adequately cover cybersecurity threat intelligence and advisory services, including updating the indicators of compromise (IOCs) and ensuring immediate compliance with preventive actions. Since the technology landscape and the associated risks are evolving at a fast pace, SBP has enhanced its focus on continuous review and strengthening of its regulatory frameworks.

SBP’s regulatory regime on cybersecurity of banks is based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and the BIS’s Guidance on cyber resilience for financial market infrastructure.

The banking regulator has taken several policy and regulatory measures to protect itself, the financial market infrastructure, financial institutions, and their customers from cyber threats. These measures aim to improve overall governance arrangements in FIs and at the service providers that supply IT services to FIs, strengthen operational resilience in SBP itself and the FIs it regulates, and promote a culture of collaboration and coordination in the industry to respond to cyber threats in real time. As technology becomes an integral part of the operations of FIs, such technology usage and dependence, if not properly managed, could heighten technology risks.