Cyber Security Risk Measures in Bank Financial Institution in Nepal

Technology has become part and parcel of life for both individuals and entities. Banks, like in Nepal are at the forefront in deploying modern technology creating a new era in banking industry that not only provides efficiency gains and improved access to services to customers but also fosters financial inclusion. However, with the inclination towards bank’s digital business model the number of cyber frauds has outnumbered other forms of risks both in amount and sophistication. Cyber security is an increasingly important part of our life today as well as in bank because we are attached to digital devices, apps and Internet of things (IOT).

Dmitri Alperovitch, a Russian-born American computer security industry executive rightly stated – “There are only two types of companies: Those that have been hacked and those that will be hacked”. This implies that cyber security is cup of tea for all institutions – big or small.

Cyber securities are the techniques of protecting computers, networks, programs and data from unauthorized access or attacks. Nowadays it extends beyond the physical and logical securities of computers to human psychological aspects as well.

There are only two types of companies: Those that have been hacked and those that will be hacked.

Cyber Crimes & Consequences:

The recent media coverage on bank fraud vividly reveals that there is an alarming increase in cyber crimes in Nepalese banking industry questioning the safety of public deposits and shareholders value. While we are creating awareness on cyber security programs, attacks on banking industry (banking frauds of high sophistication and monetary value such as hacking of SWIFT, ATM cash-out, hacking bank’s network etc) are already occurring.

There are different forms of cyber crimes being carried out by cyber criminals. Legal definition of cyber crime includes wide variety besides banking fraud including identity theft, cyber bullying, copyright issues, social media issues, revenge porn etc. Some of the major cyber frauds/ crimes rampant these days in banking industry are:

• Fake mobile apps: are created to steal information from hand held devices.
• Fake website: are created to dupe customer.
• Phishing: Customers are asked to provide bank account details or credit or debit card information by sending fake emails purporting to be from bank.
• SIM swap: is a technique where fraudster manages to get a new SIM issued against customer’s registered mobile and used to steal customer’s personal banking information. Bank officials can also be part of such fraud.
• Spoofing: is the act of using a fake/ spoof email header of IP address to fool the recipient into thinking it as legitimate.
• Skimming: Information used to clone cards which can be used at ATMs and POS machines.

As the banks and their customers are being aware of these above mentioned cyber frauds, cyber criminals are finding new ways to trick them. They are swiftly moving towards crimes targeting the like payment systems using advanced approaches such as hacking SWIFT infrastructure of banks, ATM cash-out, ATM jackpotting, entering banks private network to carry fraudulent transaction and even Core Banking System (CBS) too. . Such crimes are of high sophistication and huge monetary value. This also means that the consequences of such attacks are of high degree threatening the financial stability. Banks have to endure following losses:

Consequences of Cyber Attack

i) Loss of data: Banks lose their most important asset compromising the confidential data related to customers and their transactions. Such data breach has strategic implications on the victim entity.

ii) Financial Impact: Besides the direct financial loss caused due to cyber theft, there are other costs and hassles that the banks have to face such as time and cost involved in independent forensic tests, costs of replacements of instruments (servers, cards, software and likewise), cost of interruption in regular business, cost of lost opportunity and switching of customers etc.

iii) Loss of data: Banks lose their most important asset compromising the confidential data related to customers and their transactions. Such data breach has strategic implications on the victim entity.

iii) Regulatory fines: Banks regulator, Swift Network, ATM Networks etc may also impose fines and bans for the inability to maintain security due to lapses and negligence.

iv) Loss of reputation: All above material impact can be recoverable but the jeopardization of bank’s reputation in the market has no value to measure and thus irreparable.

v) Loss to stakeholders: There are other multiple stakeholders who fall prey to such attacks such as bank depositor/ clients (interruption of services), innocent employees (unnecessary litigations and investigations), shareholders (decline in market value of share) and the banking community at large.

Cyber Security Framework

It is pertinent to have a strong Cyber Security Framework for banks to protect themselves against cyber attacks. While formulating such framework, factors like security of information, resilience of operations, reliability of connectivity, robustness of critical functions and emergency preparedness should be encapsulated. Broadly it should include but not limited to following aspects:

• Awareness and Strong Governance: Sensitize the board and management about the evolving threat landscape emanating from cyber attacks
• Cyber Resilience: Cyber Crisis Management Plan to address the full life cycle of detection, response, containment and recovery
• Protecting Customers: protecting customer data, customers against financial crimes
• 24×7 Security Operations Centre with adaptive threat defence mechanisms
• Proactive Reporting and Collaboration: effective cyber security monitoring and detection capabilities
• Cyber Security Policy: separate or different from IT/IS Policy

Cyber Security Controls

At the implementation level, following cyber security controls have to be ensured:

• Inventory Management of Business IT Assets
  a. Categorize Hardware/software/network devices, key personnel, services, etc. indicating their business criticality
  b. Classify data/information based on information classification/sensitivity criteria of the bank
• Preventing execution of unauthorized software
• Network Management and Security
  a. up-to-date/centralized inventory of authorized devices connected to bank’s network (within/ outside bank’s premises) and authorized devices enabling the bank’s network.
• Application Security Life Cycle (ASLC)
  a. security requirements relating to system access control, authentication, transaction authorization, data integrity, system activity logging, audit trail, session management, security event tracking
  b. Best practice guidelines: Open Web Application Security Project (OWASP)
• User Access Control / Management
  Implement centralized authentication and authorization system including enforcement of strong password policy, two-factor/multi-factor authentication depending on risk assessment and following the principle of least privileges and separation of duties.
• Secure mail and messaging systems
  a. Implement secure mail and messaging systems, prevent email spoofing, identical mail domains, protection of attachments, malicious links.
  b. Anti-phishing/ anti-rouge app services from external service providers for identifying and taking down phishing websites/rouge applications
  c. Risk based transaction monitoring
  d. Risk based transaction monitoring or surveillance process as part of fraud risk management system across all delivery channels

Conclusion:

Cyber security is a concern for all big and small entities. Cyber security have been an ultimate solution to mitigate the cyber risk and attack in bank and financial institution in Nepal. It should be an ongoing process since cyber attacks are not a onetime event.
Cyber security is about management and not mitigation. Cent percent risk free cannot be guaranteed as smart cyber criminals are always looking out for short falls in system. Security programs should be done in collaboration since single or individual effort is not sufficient to protect self and community.
Most preventive thing to do is periodic User awareness campaigns with behavioral change than
just investment on robust and huge IT infrastructures and security programs. Cyber attacks are largely transnational and offenders act with a great degree of sophistication Cyber security is board agenda.