Security breaches have made clear why cybersecurity concerns have shaped the State Bank of Pakistan (SBP) regulations governing financial institutions.
The majority of data gathered and compiled by banks and other financial institutions is now in electronic form, and a failure to secure your network and infrastructure against emerging threats exposes you to greater risk.
The main reason to store customer information electronically is cost: it is cheaper than storing it physically. On the other hand, it has also created more opportunities for data to be lost, stolen or corrupted.
This paper discusses the SBP regulatory requirements and offers some solutions that can help your organization defend against threats and mitigate risks, so that you not only protect your private and confidential data but also maintain compliance with the SBP regulations governing your business.
The SBP Regulatory Landscape
The financial sector of Pakistan comprises banks, Development Finance Institutions (DFIs), Microfinance Banks (MFBs), Non-banking Finance Companies (NBFCs), insurance companies, Modarabas and other financial intermediaries.
The sector is dominated by banks, which hold the largest share of financial assets as a percentage of GDP. The State Bank of Pakistan (SBP) regulates banks, DFIs, exchange companies and MFBs, while the Securities and Exchange Commission of Pakistan (SECP) regulates NBFCs, insurance companies and Modaraba companies.
In order to protect sensitive customer data and safeguard intellectual property and financial records, SBP has issued the Guidelines on Information Technology Security. These guidelines address the following areas:
- Commitment to IT Security
- IT Security
- IT Security Risk Management
- IT Security Policy Development
- IT Security Awareness & Training
- IT Security Team
- Contingency & Disaster Recovery Planning
The objective of these guidelines is twofold:
- To increase IT Security awareness of the Banks/DFIs
- To provide them with guidelines to formulate an effective institution-wide information technology security framework in order to protect their valuable financial and technical assets.
Note: The complete guidelines are available at http://www.sbp.org.pk/bsd/2004/Guidelines_on_IT_Security.pdf
Current Security Challenges to Financial Institutions of Pakistan
Cybersecurity is the most critical and immediate concern for banks, their customers, and the wider financial system. Financial institutions face a daily barrage of cyber attacks that can cause the loss of data, assets, and confidence, and as digital banking expands they are increasingly exposed. Still, many have no effective response plan.
The Growing Information Security Threat
Cyber attacks are becoming more numerous, ambitious, and effective, with criminals regularly targeting payment systems, IT systems, and databases.
Threats vary in style and intent. Distributed denial of service and payment system attacks are common, but attackers can also come in through suppliers or hold private data hostage to extract some advantage.
Brand Reputation & Trust Impact
The financial impact of a loss of brand reputation and trust after a cybersecurity incident can be significant, and the customer churn caused by that loss is a leading contributor to the rising indirect cost of a data breach.
IT Security Threats
Financial institutions have long been a lucrative target for cybercriminals because of the massive volumes of data and money that can be stolen. The following IT security threats are common across banks:
- DDoS Attacks
- Employee Negligence or Insider Threat
- Unencrypted Data
- Third Party Services that Aren’t Secure
- Data Manipulation
Possible Weaknesses in Banking Defense
- Asset Management
- Prioritization of Cybersecurity
- Focus on Protection over Detection
- Lack of Security resources
- Lack of Security Awareness
Solutions to the Security Challenges and Next Actions
Building a New Cybersecurity Operating Model
Banks must holistically rethink their organizational capabilities. That means instituting a dedicated operating model and providing CISOs and executives with a framework for information security risk management.
Ramp up Operational Capabilities
Adopting a transformed operating model and absorbing new skills and technology present substantial challenges.
Technical and Management Mitigations
- Efficient Detection Mechanisms
- Proper Log Management
- A Robust Incident Management System
- Forensic Analysis
- Patch & Vulnerability Management
- Access Management Review
- Risk Management
- ISO 27001 and PCI DSS Adoption and Enforcement
- Establishment of a Comprehensive SOC with Efficient SOC Processes
- Aggressive Awareness Programs
Businesses cannot afford to hold back on cybersecurity; they need to prioritize and invest in it now. A more holistic approach determines the success of a cybersecurity program. While technological defenses remain vital, employees will increasingly be the unwitting agents of cyber attacks unless we educate them in how to prevent attacks; with that education, they become instrumental in mitigating cyber risk.
The writer is a cybersecurity expert; you can reach him at
Mirza Azfar Baig <[email protected]>