Published on 12:00 AM, June 14, 2021

Banks face IT audits

Objective is to determine their cyber security strength

The ICT Division will likely commence an IT audit on banks next month to measure their capability to thwart cyberattacks as growing digitalisation and remote working arrangements have augmented the financial sector's exposure to online crimes.

The Digital Security Agency, a wing of the ICT Division responsible for tackling cyber threats, will carry out the audit as most banks are vulnerable to cyber-criminals in the absence of an effective security system.

Tarique M Barkatullah, director of operations at the Agency, said almost all the preparations needed to begin the audit are complete.

"The agency will commence the audit within the next two months. We have already arranged several meetings with the stakeholders to conduct it."

Banks in Bangladesh are increasingly embracing digital banking by rolling out various retail banking products. For instance, many banks have already introduced app-based banking, enabling clients to carry out banking activities online. In addition, some banks are rapidly setting up cash recycling machines to replace the existing automated teller machines.

The ongoing coronavirus pandemic has given a boost to these digital initiatives as they help people settle transactions without having to visit their local branches.

Against this backdrop, there is a strong requirement to strengthen IT security in the banking sector.

Ratings firm S&P Global has said banks are key targets because they are direct sources of finance, play a key infrastructure role and hold a wide range of sensitive personal data, according to Reuters.

Accelerated digitalisation and remote working arrangements have increased the financial sector's exposure to cyber-risks and could lead to more complex cyberattacks that trigger higher losses, it said.

Initially, state-owned banks in Bangladesh will be audited, with Rupali Bank set to be the first.

"After completing the audit programme in state-owned banks, the agency will verify the strength of private banks," Barkatullah said.

Brac Bank will be the first lender among private banks to undergo an IT audit, which will take a maximum of five days to complete for each lender.

In February last year, the agency carried out an IT audit on Sonali Bank on a pilot basis.

"The piloting helped us make the decision," Barkatullah added.

The audit team will scrutinise all IT infrastructure, ranging from core banking solutions to hardware, to detect loopholes that may become potential threats for the lenders.

The agency will also verify whether the banks follow the government's information security manual.

Zunaid Ahmed Palak, state minister for ICT, said the government decided to conduct an IT audit to bring all the banks under official guidelines by pointing out their cyber-security flaws.

The audit will identify the banks' cyber-security flaws and make recommendations for the necessary measures to solve them.

The team will submit a full report on the companies to the Digital Security Agency, and the companies will implement the recommendations within a stipulated timeframe.

"This will reduce the risks of the banking sector and make it safer," Palak added.

Ali Reza Iftekhar, chairman of the Association of Bankers Bangladesh, welcomed the government's decision.

"All kinds of cooperation will be extended in this regard. However, the details on how the IT audit process will start and the terms and conditions have not been finalised," he added.

This is a good initiative by the ICT Division to keep the financial institutions safe from cybercrime, according to IT expert Tanvir Hassan Zoha.

"But the question is whether the Digital Security Agency and the Computer Incident Response Team have enough skilled workforce to conduct such an audit," he said.

There are just 70 people in the two agencies, while the number of banks and non-bank financial institutions stands at 95.

"How can they audit all these organisations?" added Zoha, also the managing director of Backdoor Private Ltd.

He questioned how the ICT Division could complete these audits without assistance from the Bangladesh Bank, which lays down the laws and guidelines for the local lenders.

The BB has asked banks to introduce a Security Operations Centre (SOC) to keep them safe from digital threats.

"If a SOC system is introduced in all banks, it will be possible to prevent cyberattacks," Zoha said.