Combating cyber attack threat to banking system.
In this connection, FIs shall use a platform within the industry for collecting and exchanging timely information that may facilitate the detection, response, remedy and recovery of FIs' systems following a cyber-attack, breach or cyber security incident of any level.
Banks shall gather and interpret information about relevant cyber threats from participating banks, services, utility providers and other FIs.
In this context, relevant cyber threat intelligence may include information that may trigger cyber-attacks on any entity within the FI's ecosystem.
Banks shall ensure that cyber threat intelligence is shared with relevant staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels through a secure method. Banks shall monitor technological developments and keep abreast of new cyber risk management processes that can effectively counter existing and newly developed forms of cyber-attacks.
SBP rolled out its instructions in the Framework on Information Technology Governance and Risk Management Framework for Financial Institutions. The framework has been developed after extensive consultation with both internal and external stakeholders.
The framework is based on international standards and recognised principles of international practices for technology governance and risk management and shall serve as SBP's baseline requirement for all FIs.
The framework shall apply to all FIs, including commercial banks (public and private sector), Islamic banks, Development Finance Institutions (DFIs), and Microfinance Banks (MFBs).
In this regard, SBP has asked financial institutions to upgrade their systems, controls and procedures to ensure compliance by December 31, 2017.
The FIs shall formulate an IT policy framework, which shall be reviewed and updated every three years. This framework shall, at a minimum, cover the following areas: information/cyber security, services delivery and operations management, project management, acquisition, development and implementation of IT systems, business continuity and disaster recovery.
FIs shall determine threats and vulnerabilities to their IT environment, which comprises the internal and external networks, hardware, software, applications, databases, systems interfaces, operations, data centres and human elements.
FIs shall adequately protect information system assets from unauthorised access, misuse or fraudulent modification, insertion, deletion, substitution, suppression or disclosure.
The FIs shall put in place secure configuration of hardware, operating systems, software applications, databases and servers, with all unnecessary services and programmes disabled or removed. Banks have been prohibited from installing unlicensed software for the use of staff and banking systems and operations.
FIs shall execute a quarterly software vulnerability identification operation across the entire institution, covering all IT systems and supporting infrastructure assets (networks, PCs, laptops, servers, operating systems, software, applications, and databases). On the basis of threats and vulnerabilities, the FIs shall formulate a list of all risks that may cause severe harm and disruption to operations.
Meanwhile, major firms, airports and government departments in Ukraine have been struck by a massive cyber attack which began to spread across Europe.
In Ukraine, government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network have all been paralysed by the hack.
In the UK, the advertising firm WPP said its systems had also been struck down, while in the Netherlands a major shipping firm confirmed its computer terminals were malfunctioning.
The virus is believed to be ransomware - a piece of malicious software that shuts down a computer system and then demands an extortionate sum of money to fix the problem.
It comes just a few weeks after the WannaCry hack which affected more than 150 countries and crippled parts of the NHS.
American and British analysts believe that attack, which unfolded in May, was carried out by North Korea. It remains unclear who is responsible for the latest attack.
"The National Bank of Ukraine has warned banks... about an external hacker attack on the websites of some Ukrainian banks... which was carried out on July 4," Ukraine's central bank said in a statement. A spokesman for Ukraine's Presidential Administration said it was paying "a high level of attention" to the situation.
Maersk, a Danish transport and logistics company with branches worldwide, announced that "multiple sites and business units" had been shut down after the cyber-attack.
It came as Russian oil giant Rosneft said that its servers had suffered a "powerful" cyber attack, as the company is locked in a bitter court fight with the Russian conglomerate Sistema.
Ransomware known as Petya seems to have re-emerged to affect computer systems across Europe, causing issues primarily in Ukraine, Russia, England and India, a Swiss government information technology agency said.
"There have been indications of late that Petya are in circulation again, exploiting the SMB (Server Message Block) vulnerability," the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) said.
It said it had no information that Swiss companies had been impacted, but said it was following the situation. The Petya virus was blamed for disrupting systems in 2016.
Russia's top oil producer Rosneft said a large-scale cyber-attack hit its servers, with computer systems at some banks and the main airport in neighbouring Ukraine also disrupted.
Date: Jul 31, 2017