The local and international media has been flooded with the news about the hacking of Pakistani banking systems. This has raised serious concerns among banking customers across the country.
The Khyber Pakhtunkhwa Cyber Emergency Response Center (KPCERC) of the Khyber Pakhtunkhwa Information Technology Board (KPITB) finds it concerning that consumers’ data is potentially at risk. Such incidents not only shake digital consumers’ confidence in electronic banking systems but also hamper the adoption of digital services at large.
Despite the State Bank of Pakistan’s (SBP) denial of the data breach, banks and financial institutions are nevertheless advised to take the necessary measures to secure their IT infrastructure in general, and consumers’ data in particular.
The following directives have already been issued by the SBP to all banks in Pakistan to ensure that:
- Security measures on all IT systems including those related to card operations are continuously updated to meet any challenges in the future.
- Resources are deployed to ensure the 24/7 real-time monitoring of card operations related systems and transactions.
- All payment schemes, switch operators and media service providers of the banks are effectively integrated to identify any malicious activity or suspicious transactions.
In addition to these recent directives, the SBP had earlier issued the following regulations and guidelines:
- “Regulations for The Security of Internet Banking”, applicable to financial and non-financial transactions conducted over the internet irrespective of the software tools used by banks and the access devices used by customers. These Regulations are accessible at http://www.sbp.org.pk/psd/2015/C3-Annexure-A.pdf
- “Guidelines on Information Technology Security” available online at http://www.sbp.org.pk/bsd/2004/Guidelines_on_IT_Security.pdf
- The recently issued “Electronic Fund Transfers (EFT) Regulations”, which ensure consumer privacy protection and payment transparency, available at http://www.sbp.org.pk/psd/2018/C3-AnnexA.pdf
In addition to the directives issued by the SBP, KPCERC finds it obligatory to share the following security guidelines with banks for the protection of their critical infrastructure and consumers’ data:
- Apply effective security protocols and frameworks for data protection in light of the regulations and guidelines stated above, and ensure the privacy and security of consumers’ personal data at every stage of its life cycle.
- Review and implement specialized consumer data protection frameworks, such as data breach notification laws and the EU’s General Data Protection Regulation (GDPR).
- Deploy or subscribe to threat intelligence reports, feeds and alerts to stay updated on emerging cybersecurity threats.
- Closely monitor and analyze consumers’ spending profiles. Any anomaly in a consumer’s transactions (for example an unusually large amount, a transaction from a country the customer has never used, or a burst of transactions in a short window) should be identified and reported immediately.
- Although blocking international transactions is a preventive measure, the recommended course is to keep service delivery uninterrupted while applying standardized security controls.
- Maintain the infrastructure services needed to demonstrate data security and regulatory compliance, and perform regular security audits, penetration tests and vulnerability assessments.
- Employ proper encryption standards, anti-spoofing techniques, anti-malware software, and access control lists.
- Enforce SLAs and contracts with third-party service providers, including non-disclosure provisions, to ensure the confidentiality and security of bank and consumer data.
- Devise a comprehensive data breach control, loss prevention and response plan, and execute it when required.
- Adopt an awareness framework, such as a social media campaign, aligned with the breach response plan.
- In case of any breach, immediately take the affected customers into confidence through established communication channels.
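The transaction-monitoring guideline above (and the SBP directive on identifying suspicious transactions) can be made concrete. The following is an added example, not code from KPCERC, the SBP or any bank: it builds a per-customer spending profile from settled history and scores each new transaction against it using three assumed checks (amount more than three standard deviations above the customer’s mean, a country the customer has never transacted from, and more than three transactions within ten minutes). The thresholds, the field names and the sample transactions are all constructed for illustration.

```python
"""Profile-based anomaly scoring for card/EFT transactions (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Txn:
    customer: str
    ts: datetime
    amount: float      # transaction amount in PKR
    country: str       # ISO 3166 alpha-2 code of the merchant / ATM location


@dataclass
class Profile:
    mean_amount: float
    std_amount: float
    countries: Set[str]


@dataclass
class Alert:
    txn: Txn
    codes: List[str]     # machine-readable reasons, e.g. "AMOUNT_OUTLIER"
    details: List[str]   # analyst-readable explanations


def build_profiles(history: List[Txn]) -> Dict[str, Profile]:
    """Derive each customer's spending profile from their settled transaction history."""
    grouped: Dict[str, List[Txn]] = defaultdict(list)
    for t in history:
        grouped[t.customer].append(t)
    profiles: Dict[str, Profile] = {}
    for cust, txns in grouped.items():
        amounts = [t.amount for t in txns]
        profiles[cust] = Profile(mean(amounts), pstdev(amounts), {t.country for t in txns})
    return profiles


def score(txn: Txn, profile: Optional[Profile], prior: List[Txn], *,
          z_threshold: float = 3.0, window: timedelta = timedelta(minutes=10),
          max_in_window: int = 3) -> Optional[Alert]:
    """Return an Alert if the transaction deviates from the customer's profile, else None.

    `prior` holds the customer's earlier transactions from the live stream and is
    used only for the velocity check.  Thresholds are assumed values, not a standard.
    """
    if profile is None:
        return Alert(txn, ["NO_PROFILE"], ["no spending history for this customer"])
    codes, details = [], []
    # Amount check: z-score against the customer's own history.  A flat history
    # (std 0) falls back to the mean as the spread so the division is defined.
    spread = profile.std_amount if profile.std_amount > 0 else max(profile.mean_amount, 1.0)
    z = (txn.amount - profile.mean_amount) / spread
    if z > z_threshold:
        codes.append("AMOUNT_OUTLIER")
        details.append(f"amount {txn.amount:.0f} PKR is {z:.1f} sd above mean {profile.mean_amount:.0f}")
    # Geography check: first transaction from a country not in the profile.
    if txn.country not in profile.countries:
        codes.append("NEW_COUNTRY")
        details.append(f"first transaction from {txn.country}; usual: {sorted(profile.countries)}")
    # Velocity check: this transaction plus earlier ones inside the window.
    in_window = 1 + sum(1 for p in prior if timedelta(0) <= txn.ts - p.ts <= window)
    if in_window > max_in_window:
        codes.append("VELOCITY")
        details.append(f"{in_window} transactions within {window}")
    return Alert(txn, codes, details) if codes else None


def monitor(history: List[Txn], stream: List[Txn]) -> List[Alert]:
    """Score a stream of new transactions in time order against profiles built from history."""
    profiles = build_profiles(history)
    seen: Dict[str, List[Txn]] = defaultdict(list)
    alerts: List[Alert] = []
    for txn in sorted(stream, key=lambda t: t.ts):
        alert = score(txn, profiles.get(txn.customer), seen[txn.customer])
        if alert is not None:
            alerts.append(alert)
        seen[txn.customer].append(txn)
    return alerts


# Constructed sample data (not real banking records).
_D = datetime
HISTORY = [Txn("C1", _D(2018, 10, d, 12, 0), a, "PK")
           for d, a in enumerate([2500, 3000, 4200, 1800, 5100, 3300, 2900, 4700, 3600, 2100], start=1)]
STREAM = [
    Txn("C1", _D(2018, 11, 1, 10, 0), 4000, "PK"),      # normal
    Txn("C1", _D(2018, 11, 1, 10, 5), 150000, "US"),    # huge amount, new country
    Txn("C1", _D(2018, 11, 1, 10, 30), 1500, "PK"),
    Txn("C1", _D(2018, 11, 1, 10, 32), 1500, "PK"),
    Txn("C1", _D(2018, 11, 1, 10, 34), 1500, "PK"),
    Txn("C1", _D(2018, 11, 1, 10, 36), 1500, "PK"),     # 4th in 10 minutes
    Txn("C2", _D(2018, 11, 1, 10, 40), 500, "PK"),      # customer with no history
]

if __name__ == "__main__":
    for a in monitor(HISTORY, STREAM):
        print(a.txn.ts.isoformat(), a.txn.customer, a.codes, "|", "; ".join(a.details))
```

In production the profile would be refreshed from settled transactions on a schedule rather than frozen, and the alerts would be routed to the 24/7 monitoring function the SBP directive calls for; the point of the example is that each alert carries a machine-readable code and a human-readable reason, so that the reporting step is immediate and auditable.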
Rafi us Shan, Ph.D.,
Chief Cyber Security,
Khyber Pakhtunkhwa Information Technology Board (KPITB),
Government of Khyber Pakhtunkhwa, Pakistan.