Govt to audit banks’ IT capacity to curb cyber security threats
The government has also decided to formulate a policy for discontinuing the use of foreign software, and lessening the participation of third parties
The government will carry out an information technology (IT) audit on banks and other financial institutions to determine their capacity for dealing with cyber security threats.
Necessary measures will also be taken to help facilitate uninterrupted online transactions and ATM services by countering cyber-attacks.
Moreover, the government has decided to formulate a policy for discontinuing the use of foreign software in the financial sector, collecting data on foreign nationals involved in the matter and lessening the participation of third parties that install and maintain such software.
These matters were discussed at a virtual meeting of the Financial Institutions Division (FID), presided over by the division's Senior Secretary Asadul Islam on Thursday. Stakeholders at the meeting discussed ways to counter the ever-looming threat of cyber-attacks on the financial sector, an official present at the meeting told The Business Standard.
Policymakers also stressed the need for setting up some guidelines – termed the Standard of Procedure (SOP) – in coordination with private banks to tackle cyber-attacks, conduct IT audits of financial institutions, and create an infrastructure to back up their financial data.
Pointing at the country's weak track record of dealing with cyber security threats, the stakeholders said the country still lacks the necessary capability to identify, analyse and make forecasts about such threats.
For example, hackers had stolen data regarding online banking from banks in Bangladesh, and then sold it on the dark web. The Bangladesh Government's e-Government Computer Incident Response Team (BGD e-GOV CIRT) later bought the data and warned the banks about the leak.
Quoting senior executives of the state-owned banks, more than one banker present at the meeting told The Business Standard that the banks do not have the necessary manpower to bolster IT and cyber security. There is also no government-recognised firm for conducting IT audits.
Not all banks are using locally developed core banking software, and dependence on foreign software is forcing the institutions to seek support from third parties, which is elevating the cyber security risks, one of them said.
FID's Senior Secretary Asadul Islam said, "The use of technology for local and foreign transactions is increasing. Newer financial technologies (fintech) are always arriving. As the internet is being utilised more and more in this sector, the risks of cyber-attacks are increasing too.
"Cyber security must be bolstered to mitigate such risks. For this reason, we must make use of up-to-date technology and conduct IT audits on financial institutions."
CIRT's Director Tarek M Barkatullah said, "Different banks have already started storing data in the cloud, and such information is getting stolen by cyber criminals in foreign countries. Hackers are infiltrating financial institutions' systems due to the carelessness of the employees.
"Many are not using their email, social networking accounts and pen-drives safely and securely. Outside the cities, many banks are using pirated software."
He continued, "Hackers are stealing a lot of data related to Bangladesh's internet banking sector. There are now more than 2,500 IPs (internet protocols) in the country that are infected with ransomware.
"Hackers are using such loopholes to steal a significant amount of data from Bangladesh. Such information is being made available on the dark web. The CIRT has bought data that posed cyber security threats to several Bangladeshi banks, and then warned the institutions about it."
The government is building a facility in Jashore to back up the data of financial institutions, Barkatullah said.
Bangladesh Bank's Executive Director Zakir Hasan said, "The banking sector has made significant progress in the cyber security sector. The central bank and other banks have their own CIRT. However, the Bangladesh Bank still lacks adequate capability in identifying, analysing and making forecasts about such threats.
"The Bangladesh Bank and the government's CIRT should collaborate on this issue."
The Bangladesh Telecommunication Regulatory Commission's (BTRC) Director General Brig Gen Mustafa Kamal said, "Third parties are involved in the financial sector's technological infrastructure. Such parties are installing and managing core banking software for many banks."
He added that the banks must discontinue such practices.
Digital Security Agency's Director General Rezaul Karim said, "The government will build a National Forensic Lab to support the information technology sector. The lab will have a specialised unit for the financial sector."
Bangladesh Financial Intelligence Unit (BFIU) Chief Abu Hena Mohd Razee Hassan revealed that a rule has already been prepared for conducting the IT audit.
Sonali Bank's Managing Director Md Ataur Rahman Prodhan said, "Many experts involved with the banking software are foreign citizens. Moreover, some were born in Bangladesh, but later became foreign citizens.
"There should be a policy for appointing manpower with such a background."
Prodhan also emphasised the need for conducting IT audits through state-recognised and competent firms.
Agrani Bank's General Manager Muhammad Mahmud Hasan said, "If the audits are carried out through a foreign firm, the risks might increase further. I propose that the financial institutions locally create skilled manpower for this purpose."
Agrani Bank's Managing Director Mohammad Shams-ul Islam also reiterated the need for lessening the participation of third parties in the country's financial sector.