Circulars/Notifications - Banking Policy & Regulations Department
BPRD Circular No. 07 of 2016
June 22, 2016

The Presidents/Chief Executives,
All Banks/DFIs/Microfinance Banks,


Dear Sir /Madam,

Prevention against Cyber Attacks

As you are aware, Information and Communication Technology (“ICT”) has become a key business enabler, and its rapid adoption has enabled the banking industry to deliver innovative products and services to its customers efficiently. Consequently, the threat and potential impact of cyber attacks have increased manifold, and any incident involving data/money theft or critical system failure may have severe and immediate repercussions on an institution’s reputation and business operations.

2. In view of the above, it is advised that Banks/DFIs/Microfinance Banks shall continuously enhance their cyber security controls, processes and procedures in order to anticipate, withstand, detect, and respond to cyber attacks. For this purpose, Banks/DFIs/Microfinance Banks shall formulate cyber security controls as an integral part of their IT risk management policy, accompanied by appropriate Standard Operating Procedures to safeguard against potential cyber threats.

3. The Board shall, preferably on a bi-annual basis, evaluate the adequacy of Banks/DFIs/Microfinance Banks’ cyber security action plan with regard to emerging cyber threats. If material gaps are identified, the Board shall ensure that the institution has a proper risk management strategy in place for accepting and controlling the risks arising out of the gaps. The risk management strategy shall be supported by a concrete implementation plan with adequate manpower and financial resources to mitigate the relevant risks.

4. Senior/Executive Management of the Banks/DFIs/Microfinance Banks shall ensure that an organizational plan of action for cyber security management exists and is reviewed and updated regularly for implementation. Further, senior management shall also periodically inform the Board of the latest developments on the cyber security action plan, its implementation status, and a summary report on major threats and attacks faced by the institution and their possible impact on its operations. Further, the Banks/DFIs/Microfinance Banks shall devise a continuing cycle of assessments of their institution's security against emerging threats and risks, covering at least the following areas:

  1. Risk ownership and management responsibility – Banks/DFIs/Microfinance Banks shall define and establish ownership of, and management’s responsibility for, the risks associated with cyber threats, taking into account ICT and all relevant business functions. Keeping in view the technical aspects of cyber security management, the Banks/DFIs/Microfinance Banks shall ensure that sufficient resources with the relevant skill set and expertise are available within the security function to exercise effective and ongoing checks and balances.

  2. Periodic evaluation and monitoring of cyber security controls – Banks/DFIs/Microfinance Banks shall adopt a standard mechanism to ensure that all existing cyber security controls, processes and procedures are continuously monitored so as to detect, prevent and respond to any potential cyber security incident in the shortest possible time. Further, the Banks/DFIs/Microfinance Banks shall monitor all network communications to detect and/or block unauthorized or atypical network communications amongst servers, systems and endpoint devices.

  3. Regular independent assessment and tests – Banks/DFIs/Microfinance Banks shall ensure that periodic independent assessments are conducted to evaluate the adequacy and effectiveness of cyber security controls and procedures. Such assessments may include vulnerability assessments and penetration testing, which can be conducted by officials independent of the area under review. Where it is not possible to conduct such assessments with internal teams due to unavailability/shortage of the required skill set, the Banks/DFIs/Microfinance Banks may engage external parties having sufficient expertise in IT security assessments. Further, the Banks/DFIs/Microfinance Banks shall properly enhance and regularly test their Incident Response Mechanism and Business Continuity Plan to prepare for the eventuality of cyber attacks.

  4. Industry collaboration and contingency plan – Since cyber attacks could aim at multiple institutions within a short period of time, the Banks/DFIs/Microfinance Banks may explore appropriate opportunities for collaborating with other institutions/associations/bodies for sharing and gathering cyber threat intelligence in a timely manner. Such collaboration may help the institutions to prepare for potential cyber attacks.

5. Banks/DFIs/Microfinance Banks shall make necessary arrangements to comply with the above instructions by December 31, 2016.

6. It has also been decided that henceforth all Banks/DFIs/Microfinance Banks shall maintain records of all attempts at / breaches of cyber security and produce the same to SBP as and when required.

Please acknowledge receipt.
Yours truly,


Sd/-

(Shaukat Zaman)
Director
