Cybersecurity has turned out to be a massive challenge for the global banking industry. Cybersecurity vulnerabilities are on the rise as fintech and digital consumer banking operations conducted through smartphones, tablets, computers and online shopping multiply.
Just recently, Pakistan suffered the largest cyber-attack on its banking system to date. In the last week of October, over 19,000 debit cards worth US $2.6 million, issued by some 22 Pakistani banks, were found to have been stolen by unknown outside hackers. After cashing out US $2.6 million via ATM and POS at various international locations, including Russia and the USA, the cyber outlaws dumped these cards for sale at prices ranging from US $100 to 135 each on the Dark Web under the title “PAKISTANWORLD-EU-MIX 01” [1]. The cyber criminals thus succeeded in gaining illicit access to customers’ funds. When Bank Islami was reported to be the biggest victim of this cyber-attack, international transactions were temporarily suspended by SBP. This situation demands that the cybersecurity infrastructure of the banks be bolstered without delay.
The modus operandi of the above security breach is still being probed. It is likely, however, to have been carried out through skimming, whereby illicit devices placed over a POS keypad or an ATM capture, or “skim”, the data from a legitimate debit or credit card. The cyber criminals later transfer this data onto the stolen cards to carry out fraudulent transactions, and subsequently sell these felonious cards on the Dark Web [2]. One opinion is that local criminals served as a conduit for their foreign accomplices. Linking such culpable acts with Pakistani banks could attract dire consequences under the terrorist-financing and FATF regime [3].
The impact of cybersecurity incidents is mostly underestimated, as it goes well beyond the loss of money and data. The confidence of customers and financial markets drops, and the cost of repairing the damage and communicating with stakeholders is very high [4]. Therefore, banks and financial institutions must deploy resources to prevent, identify, assess and report cyber frauds so that the interests of the financial markets are safeguarded effectively.
In order to beef up the cybersecurity of the banking sector, a number of measures can be adopted to minimise the susceptibility of financial organisations to hacking assaults.
Cybersecurity is a monster risk growing for the financial sector in the era of fintech. Most banks fail to realise this and see it only as an element of I.T. infrastructure. This is where the fault lies. Banks must take cognisance of the situation by investing more funds in cybersecurity systems. After a holistic analysis, the banks should establish a new Cybersecurity Operating Model, appointing CISOs and providing a framework for information security risk management [5].
Financial institutions need to be aware that cybersecurity is a combination of defense, resilience and assurance. Defense stands for the immediate detection of a cybersecurity breach together with a suitable real-time reaction. Resilience is the capability of the framework to restore normal operations with the least damage. Assurance is built on incorporating defense and resilience into day-to-day banking operations [6]. Understanding this combination is the key to effective control.
Banks have essential outsourcing requirements for many services and items of equipment. However, many banks lack the systems and protocols needed to monitor and oversee the operations of these third parties. The banks must therefore assume responsibility for keeping vigil over these I.T. partners to ensure cybersecurity.
A cybersecurity awareness culture must be nurtured across the board. Regular awareness initiatives for customers are needed to propagate guidelines for conducting secure ATM, POS, mobile and internet banking transactions while protecting the PIN. Sensitivity to cybersecurity must also be inculcated in the employees in charge of I.T.-based operations. Sharing of passwords should be subject to stern disciplinary action. Keeping consumers updated about the various cybersecurity scams in circulation would also be helpful.
The State Bank of Pakistan has to set up a stand-alone Cybersecurity Regulatory Framework, drawing insight from global best practices. The International Organization for Standardization and the International Electrotechnical Commission have issued the ISO 27k series of standards on information security management systems. These standards provide practical guidance on process, documentation, audit and management relating to information system security. Similarly, the European Union’s General Data Protection Regulation explains how to protect data through confidentiality, identity and access management. BaFin, the German banking regulator, has also issued standard procedures on outsourced products and services and on information security. SBP must evolve a comprehensive set of prudential regulations on cybersecurity from these standards.
Cybersecurity is no longer a run-of-the-mill area. It is a mammoth menace that requires a strategic rethink: taking it out of the I.T. silo and treating it as a separate risk on a par with credit, compliance and counterparty risk [7]. Such an approach is indispensable to securing the banking system in the digital age.
The author is a banking expert and currently serving as Country Manager of JSC Subsidiary Bank NBP Kazakhstan (Foreign Subsidiary of National Bank of Pakistan).
Published in Daily Times, November 14th 2018.