Banking up the wrong tree

In February 2016, the Bangladesh Bank Heist rocked the nation: hackers stole $81 million from our central bank’s account at the US Federal Reserve.

Such attacks are uncommon in most developed countries, as they require a large number of accounts to move the stolen funds. With stringent guidelines, anti-money laundering measures, multi-level transaction authentication criteria, and AI-based “unexpected” transaction monitoring in place, carrying out such an operation would be difficult, barring gross negligence by the bank and/or related parties.

In most countries, direct siphoning of money from banks via cyber attacks is typically a small-scale scam involving phishing and the cloning or theft of payment cards, net banking identities, and information. These are frequent but relatively minor occurrences.

Most banks in Bangladesh, however, are at high security risk. In 2016, nearly Tk1,793cr had been invested in the banking IT sector, according to the Bangladesh Institute of Bank Management (BIBM). And yet our financial sector is still not free of the threat of cyber crime.

According to a study conducted by BIBM, 52% of our country’s banks are at significant risk. Of that 52%, 16% seem to be at “very high risk” whereas 36% are at high risk. Risks are moderate in 32% of banks, low in 14%, and extremely low in 4% of banks. Cyber security in the banking sector has been a burning question in recent years, especially after the Bangladesh Bank Heist.





The greatest risks that a bank faces from cyber attacks are breach of customer information privacy, reputational harm, business discontinuity, loss of assets and business data, post-breach data security reworking costs, third party claims, and regulatory penalties. 

Strong customer information privacy protection norms and severe penalties for their infringement have been the primary drivers of rigorous cyber security arrangements by banks in the majority of OECD countries. For example, the General Data Protection Regulation (GDPR) in the EU imposes a penalty of up to 20m euros, or up to 4% of global annual revenue, for breach of norms.

Data protection norms in Bangladesh are less strict than those of the GDPR. Furthermore, the dominance of public sector banks gives the impression of an implied sovereign guarantee against such banks’ failure.

This decreases the risk of public sector banks losing their reputation as a result of cyber attacks. Moreover, the serious consequences of a breach appear to be lost on a large number of bank executives. These factors may have contributed to local banks’ relaxed approach to cyber risk management.

At the same time, sensitivity to cyber attacks has increased dramatically over the last decade in developed countries, as have investments in risk management. For the majority of this time, Bangladeshi banks -- particularly those in the public sector -- have faced serious asset quality deterioration, limiting their ability to invest in cyber security.

Bangladeshi banks do not have many options when it comes to cyber security. Cyber attacks occur worldwide and, as OECD countries improve their risk preparedness, hackers are progressively concentrating on vulnerabilities in emerging market countries.

This may cause issues for our local banks.

A look at risk management at individual banks reveals significant disparities in risk preparedness among Bangladeshi banks. While private sector banks are more cyber mature than public sector banks in general, there are numerous exceptions. However, the perception that smaller banks have relatively low levels of risk preparedness and thus increased vulnerability does not appear to be correct.

Several of the “old” private commercial banks seem to be better prepared than their larger counterparts. Bangladeshi banks appear to place a greater emphasis on cyber attack detection and prevention than breach-tracking, crisis management in the immediate aftermath of tracking, and remedial action. 

As the examples of massive worldwide banks such as Bank of America, Citi, JP Morgan Chase, PNC, USB, and Wells Fargo demonstrate, cyber breaches are a near certainty for banks regardless of cyber investment, preparedness, or management. The impact of such incidents on banks is determined by timely breach tracking and appropriate corrective actions.

It is indeed high time for Bangladeshi banks to wake up to cruel cyber realities.

Afsana Rubaiyat is a freelance contributor.