In recent years, cyberattacks have occurred on a larger scale and with greater intensity against a wide range of institutions. This is evident from news coverage and from the statements of security experts. The banking system is not immune to these attacks.
According to IDEA, banks have always been considered as potential targets for cyberattacks worldwide, and safeguarding the security of users’ information and assets is carried out through highly complex methods. Iran is no exception to this rule, although sanctions and a lack of emphasis on the importance of security have possibly increased the vulnerability of systems.
The Electronic Security Management Company, Kashef, is one of the companies responsible for implementing the Central Bank’s directives and requirements regarding bank security. Recently, this organization has developed a framework for security controls in the banking system and banking information systems. According to this framework, developed in collaboration with the Central Bank’s Information Security Department, 113 obligations have been defined for banks. However, the formulation of these obligations is not the beginning of what Kashef has been working on for years.
In previous years, this company monitored bank websites, internet banking services, and mobile apps. Violations committed through banking applications are also reviewed by the committees and commissions of this company and continue to be so. However, the diversity of oversight organizations for banking security and the lack of cohesion in the plans of each bank and financial institution have compelled Kashef to develop a unified program for each bank. These programs vary depending on the maturity level of a bank’s security.
Nevertheless, banks that do not pay sufficient attention to security not only endanger their own customers but also the entire banking system. They spread risk throughout the entire banking system. Masoud Najjar, the head of Kashef’s Supervision Unit, has stated that 90% of banks have had and still have very good cooperation with Kashef, but the remaining 10% also have a significant share of customers.
The maturity level mentioned by Kashef officials has five levels. Banks at levels one and two have the lowest security levels. However, the expectation of Kashef’s managers and the Central Bank is for banks to be at levels four and five. In the early months of 1402 (Iranian year), this company held meetings with most banks in the country and defined the responsibilities of banks regarding the security framework.
These banks stated their concerns in the field of security, and discussed the framework that is expected to govern their activities in the near future. Each bank will implement the defined obligations based on its current security level. Three or four banks did not attend these meetings, and it seems that Kashef needs to consider other measures to assist them.
Najjar stated that in the first year of implementing this program, Kashef expects the banks to declare their plans, along with their achievements and shortcomings in relation to it.
He said: ‘This framework is an overview that has been defined by the Central Bank and Kashef, and now we want to ask the banks where they stand in this overview.’
In response to a question about the measures taken by Kashef to increase the security level of banks, Najjar explains that first the maturity level of the banks must be raised, and only then should information about the actions taken be communicated. Kashef and the Central Bank are working to publicize the features that bank apps and websites need in order to demonstrate their security, but this takes time, and how long it takes depends on the cooperation of the banks and on Kashef’s own performance.
Step by Step with the Security Control Framework in the Banking System
One year after the obligations that banks are required to implement were identified, it is now time for each bank to prepare and announce its own plan, specifying in which year it will meet the defined obligations. Then it is Kashef’s turn to take up its supervisory role.
Some variables of these obligations are reviewed annually, others quarterly, and others every six months. The audit cycle gradually tightens. It is planned that every two months the status of the banks will be communicated to them and they will be ranked. The issues found during these audits will also be communicated to the banks. Kashef provides the infrastructure and shares the results of the evaluations with the Central Bank.
The low level of maturity in banks can be observed in four main areas: processes, human resources, technology, and organizational structure. Experts at Kashef believe that to establish a security umbrella in banks, progress must occur in all four of these areas. There is a significant focus on the human resources active in the security domain.
The movement of these individuals between organizations and their migration can pose challenges to the security of institutions. These specialists are placed at various levels; some are responsible for establishing security, while others work in technology units. Even non-technical personnel are part of the body that shapes and influences the organization.
Najjar, the head of Kashef’s Security Unit, believes that security is a governance issue, meaning it should be addressed at the governance level of a bank or organization.
He continues: “Currently, we are facing the migration of managers who had a constructive role. Private sector companies in the security sector are also dealing with this challenge and are losing their developers.”
In terms of technology, there are also challenges due to sanctions. Banks’ security equipment is gradually becoming obsolete, and replacing it with new technologies, or even repairing the existing equipment, is a problem that private sector security companies have also raised.
Everything Ends with Cultural Transformation
Implementing this framework and giving structure to the activities of bank security experts in a situation where regulatory bodies and banks have different interpretations of security is challenging. This is a “cultural transformation” that Kashef aims to carry out. Najjar believes that this activity has been neglected in the past. He says, “Security begins at the CEO level of an organization, and its expansion requires the kind of cultural transformation mentioned in the framework.”
Part of this cultural transformation in the security domain is related to how officials in an organization respond to cyberattacks. People expect that after cyberattacks, the extent of the damage should be communicated to them, even though the cost of such disclosure may be substantial for banks.
The head of Kashef’s Monitoring Unit says that Kashef is responsible for reporting attacks and warnings to banks and the central bank. He adds: “Information is for the public’s awareness of the banks. Banks need to consider that the consequences of disclosing the extent of security will factor into their business risk calculations, so it’s up to the banks to manage it.”
One of Kashef’s requirements for banks is the establishment of a cyber laboratory within banks to examine programs, websites, and other banking tools for security and the presence or absence of malware. Kashef itself launched this laboratory in 2021. According to the head of Kashef’s Monitoring Unit, this laboratory can provide the necessary security services to various organizations.
In general, by implementing the control framework, Kashef monitors and assesses bank systems. This assessment goes several steps beyond self-assessment, as it checks both performance and security aspects against violations such as gambling. For payment service providers (PSPs) and payment companies, these actions are carried out by Shaparak Company.
Are We Lagging Behind in Banking Security?
In response to this question, Najjar says: ‘We demand an expectation that has been neglected for more than the lifetime of IT. With the onset of the pandemic, the IT industry worldwide has made a leap, and all processes have become non-contact. Has the security sector grown in proportion to IT? Security experts say there are two types of organizations: those that know they have been targeted and those that don’t. As long as the illusion of security exists, there will be no action to improve security. Kashef’s duty is to explicitly present challenges to the central bank officials and describe the worst-case scenarios for them.’
Kashef was supposed to play the role of an operator among the various actors in the security field—a role that, according to Najjar, had been neglected, but now Kashef is seeking to reclaim it.
The Deputy Head of Kashef’s Monitoring Unit has announced that the company has initiated negotiations with companies active in the cybersecurity field and regularly holds meetings with them. In these interactions, the capabilities of these companies, and in some cases, their tools, are evaluated in the laboratory.
According to him, Kashef requests assistance from everyone involved in this field to help improve the ecosystem in a way that benefits everyone.