Banks to buy insurance against losses from cybercrime
Central Bank issues circular to regulate protective measures
The Central Bank (BDL) has instructed banks and financial institutions to take protective measures against electronic crimes.
BDL detailed these measures in basic circular no. 144, which was issued recently.
Banks and financial institutions should allocate funds to set up information technology (IT) security systems and must have insurance against e-crime risks.
They have to create a specific taskforce for protection from e-crimes and must prepare incident response plans, business continuity plans, immediate intervention plans, and other cybercrime protection plans.
Banks and financial institutions are required to assess potential e-crime risks and always be well-informed of the latest developments in the field of IT security.
Banks have to carry out awareness campaigns to educate employees and clients about how to protect themselves from e-crimes, including by not using emails for money transfers. Customers who are nevertheless willing to assume these risks should submit written consent.
Banks, financial institutions, and their customers should exchange information pertaining to e-crimes with concerned internal and external entities such as correspondent banks, and BDL’s Special Investigation Commission.
Banks must be vigilant and cautious when commissioning external contractors for tasks relating to IT systems, and they have to make sure that these contractors do not in turn subcontract the tasks to less trustworthy secondary contractors.
Banks must employ at least two procedures to authenticate the identity of external users, in particular to verify their right to access the system. A safe coding technique must be used for vital databases to prevent their loss, and strict rules must be applied to the filtering of inbound emails. Devices provided to employees for use outside the bank must be secured. Tests must be carried out to identify weaknesses in the network that leave it vulnerable to hacking. Network traffic, the databases, and employees with extensive access to the IT system must be monitored in order to detect unusual or illicit activity.
The banks must also abide by BDL's guide to protection from email crimes, which was issued last year in collaboration with the Association of Banks and the Internal Security Forces. The banks ought to set up specific internal rules for handling money transfer requests received through electronic means such as email and electronic banking. Contracts signed with customers should include clauses that identify channels other than email for contacting clients, such as phone calls, so that money transfer requests received electronically can be verified as authentic.
Reported by Shikrallah Nakhoul
Date Posted: Dec 01, 2017