The Presidents/CEOs
All Banks/ MFBs/PSOs

Dear Sirs/ Madams,

As we all know that Coronavirus (COVID-19) pandemic is forcing organizations to adapt to innovative ways of working and financial institutions are no exception. Accessing organization’s IT systems and business applications from outside the trusted business network through remote access, (teleworking/work-from-home) introduces new business challenges as well as increase level of cyber threats. To ensure continuity of business operations, financial institutions shall exercise due diligence and implement stronger and robust cybersecurity measures to counter cyber risks associated with remote access functionality.

In this regard, Banks/MFBs and PSOs are advised to strictly adhere to the cyber/information security requirements laid down in BPRD Circular No. 05 of 2017, PSD Circular No. 09 of 2018 and other relevant instructions issued from time to time. In addition, Banks/MFBs and PSOs are advised to implement following measures on urgent basis:

1. Banks/MFBs and PSOs shall ensure that internal organizational resources made available through remote access are hardened appropriately against external threats. Remote access to internal resources shall be explicitly defined by allowing only designated and authorized users duly approved by the line management concerned. In this regard, Banks/MFBs and PSOs shall implement the principles of ‘Least Privilege’ and ‘Need-to-Know-based Access Control’ in line with international standards and best practices including recommended control measures as specified at Annexure A.

2. While enforcing telework/remote access, Banks/MFBs and PSOs shall ensure that security policies are adequately reviewed and implemented based on the risks of eavesdropping, interception, and modification. Such threats shall be mitigated by using strong user and device authentication, encryption and antimalware technologies, network segmentation and tier-based access control to protect the confidentiality and integrity of organizational assets.

3. Banks/MFBs and PSOs shall immediately establish dedicated Cyber Threat Intelligence Units (CTI-U) and Emergency Response Teams (ERTs) with the objective to minimize and control the damage resulting from cybersecurity incidents, offer guidance for response & recovery activities and affiliated proactive measures. Details of CTI-U and ERT shall be submitted to SBP PSD as per Annexure B.

4. IT and information security teams shall enhance their existing monitoring capabilities with special focus on VPN connections, remote user authentications and externally exposed systems logs. Information security teams shall continuously monitor organizational network on 24/7 basis by logging access requests and identify, detect and respond to malicious activities in a timely manner. In this regard, remote monitoring tools and mechanisms shall be deployed after necessary due diligence, testing and validations.

5. Banks/MFBs and PSOs shall actively participate in information-sharing communities/groups and subscribe to threat intelligence platforms within the country to receive, assess/validate and share cyber threat intelligence and information about suspicious cyber activities, Indicators of Compromise (IoCs) and early warning indicators relating to cyber threats.

6. Banks/MFBs and PSOs shall make arrangements, preferably online, to train their employees to exercise caution in handling all emails with suspicious/work-related subject line, attachment, or hyperlink especially those related to recent phenomenon related to COVID-19. Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information. In this regard, specific employee awareness measures are recommended in Annexure C.

7. With reference to Para 3 above, Banks/MFBs and PSOs shall appoint CTI focal persons for coordination and information sharing with SBP. The details (Name, Office Phone, Mobile Number, Email ID) of the focal persons shall be emailed with the subject line [CTI Focal Person: Bank Name] at [email protected] latest by March 31 , 2020. In this regard, CTI focal persons from SBP shall be communicated to the concerned focal persons directly.

8. For any clarification, please contact Mr. Rehan Masood, Joint Director, Payment Systems Department email: [email protected] Phone: 021-3311-3391.