Nepal: Central bank asks banks to update their cybersecurity infrastructure

KATHMANDU (The Kathmandu Post/ANN) - Following the case of the ATM hacking, Nepal Rastra Bank formed a task force to investigate the incident. 

Nepal Rastra Bank on Tuesday asked banks and financial institutions to implement precautionary measures to minimise possible threats to their cybersecurity infrastructure after the recent ATM hacking exposed significant security vulnerabilities in the banking system.
Nearly two weeks ago, the police arrested four Chinese citizens who were involved in stealing cash from ATMs by using cloned debit cards to breach processing systems. The incidents exposed significant security vulnerabilities in the Nepali banking system, including a failure to conduct periodic security audits, comply with the latest technology and invest adequately in digital security.

In a circular issued on Tuesday, the central bank asked the banks to take necessary measures to minimise external risks such as spam, phishing and spoofing, among others, that could result in the loss and theft of data. Nepal Rastra Bank also pointed to cyber attacks, malware viruses and ransomware as the major risks to the information technology implemented by the banks.

Malware is a type of software used to infiltrate and damage an entire network system. Ransomware variants encrypt the files on the affected computer, making the files inaccessible to the concerned authority. Hackers mainly use such software to block access to a computer system or computer files until a sum of money is paid.

Banks were also reminded to monitor for suspicious activity on their websites, mobile apps and social media platforms.

Following the case of the ATM hacking, Nepal Rastra Bank formed a task force to investigate the incident. The team recommended that the banks invest heavily in implementing state-of-the-art ATM cards and vending machines.

The central bank came up with the guidelines after discussions with the executives of all 28 commercial banks on Monday.

The apex monetary authority has asked the banks to strengthen their systems in perimeter defence, access control, encryption, antivirus and firewalls, to stay up to date on information sharing and to improve the payment order system. The central bank also expressed its concern about the need for regular monitoring and an instant reporting system for suspicious transactions.

The banks have been asked to prepare a Preventive, Detective and Responsive IT Security Strategy while conducting a security audit of the existing IT system. Implementation of international best practices in the banking system, along with capacity development of banks’ employees and awareness among card users, are also among the concerns of the central bank.

Bam Bahadur Mishra, executive director and chief of Payment Systems Department of Nepal Rastra Bank, said they have come up with the directives based on the preliminary report submitted by the team of digital forensic analysts. The analysts from Singapore were mandated to explore the causes behind the high-level cyber crimes.

According to Nepal Rastra Bank officials, forensic analysts will be submitting the final report after a thorough study in the next few months.

Meanwhile, Nepal Rastra Bank has asked the banks to blacklist individuals or firms that deliberately issue a cheque by using the wrong signature. The banks will have to report to the Credit Information Bureau about those involved in fraudulent cases of issuing fake payment orders.

In a revised unified directive enforced on Monday, the central bank has also asked the banks to report to the bureau if they issue credit cards allowing the borrowers to spend more than Rs100,000. “If the borrower fails to pay back the credited amount in three months, the bureau blacklists the individual,” reads the unified directive.

Laxmi Prapanna Niroula, a spokesperson at the Nepal Rastra Bank, said the monetary authority had issued the directive citing increasing cases of cheating via issuance of fake cheques and an increasing number of credit card defaulters.

The bureau has blacklisted 789 individuals in over one and a half months since mid-July of this fiscal year. So far, the bureau’s blacklist contains the names of 14,478 individuals, collected over the past three decades.

