Overcoming Cybersecurity Threats in Sri Lanka's Banking Industry

Explore the evolving cyber threat landscape in Sri Lanka's banking industry and learn about increased regulatory requirements. Discover how to become PCI DSS compliant and implement a three-pronged approach to managing cyber risks. Stay ahead of the curve and protect your business.


Presentation Transcript


  1. Overcoming the Cybersecurity Threats of Sri Lanka’s Banking and Financial Industry

  2. Contents
  • The Evolving Cyber Threat Landscape needs Increased Regulations
  • Increased Regulatory Requirements
  • Payment Card Industry Data Security Standard: Are you PCI DSS Compliant?
  • Three Pronged Approach to Managing Cyber Risks and being PCI DSS Compliant
  • India Contacts

  3. The Evolving Cyber Threat Landscape needs Increased Regulations

  Disruptive innovation in the banking and financial sector brings new opportunities but also opens the door to new threats. Digitization has moved the banking ecosystem away from traditional models: with omni-channel banking, consumers interact over multiple channels, newer technologies play their part, and mobile, internet and smartphone penetration is high. Consumer behaviour is changing with it, including buying behaviour, as social networking, word of mouth, peer reviews of products and online research become the norm.

  Digital payments are becoming significant in Sri Lanka, and the evidence of digital disruption in the financial industry is mounting, which widens the surface exposed to cyber attacks. According to a recent cyber security study by analysts, banking and financial institutions operate in boundary-less and unregulated ecosystems and are therefore more exposed to exploitation by evolving cyber threats. Account takeovers, vishing, fraudulent money transfers, ATM skimming and mobile banking exploitation through malware are already prevalent, and as criminals grow more innovative these attacks will only get bigger.

  Banking and financial institutions therefore need to meet the compliance obligations and mandates of their industry's regulators; adherence to those regulations is essential both to the security of their business and to keeping pace with cyber-crime.

  4. Increased Regulatory Requirements

  Banking in Sri Lanka is governed by legal and regulatory requirements issued by the Government of Sri Lanka and the banking regulator, the Central Bank of Sri Lanka (CBSL). CBSL periodically issues circulars and guidelines on various aspects of banking, and the applicable regulations vary with the type of institution (e.g., licensed commercial bank, licensed specialised bank, licensed finance company).

  CBSL directives and guidelines on information security, electronic banking, technology risk management and cyber fraud define the fundamental information security requirements that all banks must follow. In addition, there are regulatory requirements on internet banking, payment systems, mobile banking, IT outsourcing and similar areas, which apply to a particular bank depending on the context of the organisation and the nature of its operations in Sri Lanka.

  CBSL has also released a set of guidelines on managing the risks associated with cyber attacks. The circular covers several notable measures, including arrangements for continuous surveillance, a cyber security policy that is distinct from the broader IT policy, and an immediate assessment of gaps in preparedness to be reported to the regulator.

  Patches and updates have to be rolled out promptly to close vulnerabilities that attackers could exploit. Patching alone does not solve every problem, however: many compromises start from internal systems, for example through misused credentials, which a patch does nothing to prevent. To reduce future risk and strengthen controls, institutions that use global payment services should conduct a complete security review of their IT infrastructure. Finally, a proactive forensic analysis of all systems may be worthwhile to establish whether a breach or compromise has already occurred.

  5. Payment Card Industry Data Security Standard

  • The Payment Card Industry Data Security Standard (PCI DSS) establishes a baseline of requirements for protecting cardholder data. It applies to every entity that stores, processes or transmits cardholder data, including retail merchants, payment processors and banks. Version 1.0 was released in December 2004, bringing together the earlier Visa and MasterCard programmes, and was endorsed by the other major card brands.
  • PCI DSS has 12 requirements, grouped into six control objectives. Each covers a different area of security practice, from information security policy development to assessing and monitoring threats, vulnerabilities and misconfigurations.
  • In October 2010 the PCI Security Standards Council released version 2.0 of PCI DSS. Reflecting input from the Council's global stakeholders, it is designed to provide greater clarity and flexibility, so that merchants understand the requirements better and can implement them more easily. The requirement numbers quoted on the next slide follow this version; later versions renumbered some of them.
  • Some examples of PCI DSS language, and the key challenges it poses, which our solutions address:

  6. Are you PCI DSS Compliant?

  • PCI DSS Requirement 2.2: Develop configuration standards for all system components.
  • PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  • PCI DSS Requirement 6.1: Ensure that all system components and software have the latest vendor-supplied security patches installed.
  • PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know.
  • PCI DSS Requirement 8.5: Ensure proper user authentication and password management for non-consumer users and administrators on all system components.
  • PCI DSS Requirement 10.5: Secure audit trails so they cannot be altered.
  • PCI DSS Requirement 11.5: Deploy file integrity monitoring software to alert personnel of unauthorized modification of critical system files, configuration files or content files, and configure the software to perform critical file comparisons at least weekly.
  • PCI DSS Requirement 12: Maintain a policy that addresses information security for employees and contractors.
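  Requirements 11.5 and 10.5 above describe a mechanism rather than a policy, so here is an added worked example of what such a file integrity monitor does. It is illustrative code written for this page, not code from the presentation and not a Micro Focus product. It hashes every file under a directory into a baseline, seals the baseline with an HMAC so that someone who can edit the monitored host cannot quietly rewrite the baseline to match their change (the tamper-evidence idea Requirement 10.5 applies to audit trails), and on the next run classifies each path as added, removed or modified (by content or by permission bits). All paths, file bodies and the key are constructed for the demo.

```python
"""Minimal file integrity monitor in the spirit of PCI DSS Requirement 11.5.

Added illustration, not code from the presentation or a Micro Focus product.
Every path, file body and key below is constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Digest and permission bits of every regular file under root, keyed by relative path."""
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        entries[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "mode": stat.S_IMODE(path.stat().st_mode),
        }
    return entries


def seal(entries: dict, key: bytes) -> dict:
    """Attach an HMAC so a baseline left on the monitored host cannot be edited to
    hide a change (the same tamper-evidence idea Requirement 10.5 asks of audit trails)."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_seal(baseline: dict, key: bytes) -> bool:
    """Recompute the HMAC over the stored entries and compare in constant time."""
    body = json.dumps(baseline["entries"], sort_keys=True, separators=(",", ":")).encode()
    return hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), baseline["mac"])


def compare(baseline_entries: dict, current: dict) -> dict:
    """Classify differences: added and removed paths, and modified paths with the reason."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline_entries) | set(current)):
        old, new = baseline_entries.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        else:
            reasons = [name for name, k in (("content", "sha256"), ("mode", "mode")) if old[k] != new[k]]
            if reasons:
                report["modified"][rel] = reasons
    return report


def demo() -> dict:
    """Build a constructed tree, seal a baseline, tamper with it, and run one comparison."""
    key = b"constructed-demo-key"  # a real key belongs off the monitored host, e.g. on the SIEM
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        conf, cert, binary = root / "etc" / "app.conf", root / "etc" / "tls.pem", root / "bin" / "payd"
        conf.write_text("db_host=10.0.0.5\nallow_debug=no\n")
        cert.write_text("-----BEGIN CERTIFICATE-----\nconstructed body\n-----END CERTIFICATE-----\n")
        binary.write_bytes(b"\x7fELF constructed binary")
        baseline = seal(snapshot(root), key)

        # Simulated unauthorised changes between two scheduled runs.
        conf.write_text("db_host=10.0.0.5\nallow_debug=yes\n")  # content edited
        os.chmod(cert, 0o444)                                   # permission bits changed
        binary.rename(root / "bin" / "payd.bak")                # binary removed, new file appears

        # An attacker with write access to the baseline re-hashes the edited file to hide it.
        forged = json.loads(json.dumps(baseline))
        forged["entries"]["etc/app.conf"]["sha256"] = file_digest(conf)

        result = {
            "baseline_intact": verify_seal(baseline, key),
            "forged_baseline_intact": verify_seal(forged, key),
            "report": compare(baseline["entries"], snapshot(root)),
        }
        os.chmod(cert, 0o644)  # restore so the temporary directory can be removed everywhere
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

  In practice the snapshot and compare steps run from a scheduler (a weekly cron entry such as `0 2 * * 0` satisfies the "at least weekly" wording; daily is common on payment hosts), the monitored set is restricted to binaries, libraries and configuration rather than whole disks, and the report is shipped to the SIEM so that a "modified" entry becomes an alert. The HMAC only helps if the key is not readable from the monitored host; an attacker who has both the baseline and the key can simply re-seal.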

  7. Three Pronged Approach to Managing Cyber Risks and being PCI DSS Compliant

  Our PCI DSS Solutions

  Our award-winning and industry-recognized solutions help establish the requirements of PCI DSS and ensure they continue to be met. Specific products that assist with PCI DSS compliance efforts include:
  • Identity Manager: enforcement of consistent access controls across physical, virtual and cloud networks, with detailed, dynamic reports so you can prove it
  • Sentinel Enterprise: monitoring and auditing of systems and networks, creating alerts and reports that meet PCI DSS process and response requirements
  • Access Manager: single sign-on for enterprise web applications, and federation for private and public cloud applications, without putting assets at risk
  • Secure Configuration Manager: configuration assessment, compliance reporting and IT risk management for heterogeneous environments
  • Security Manager: integrated security information and event management to protect critical data and streamline incident response
  • Change Guardian: user activity and change monitoring across Windows systems, Group Policy Objects and Active Directory
  • Security Solutions for iSeries: simplified auditing, intrusion protection, vulnerability management and security administration for the IBM System i (formerly IBM iSeries or AS/400) platform

  The three prongs and the capabilities under each:
  Identity: Governance • Provisioning • Privileged Identity • Self Service • Social Registration • Unified Identity • Roles • Analytics
  Access: Risk Based Access • SSO • Privileged Access • Federation • Multi-Factor • Mobile • Social Access • Analytics
  Security: SIEM • File Integrity • Privileged Monitoring • Configuration Monitoring • Change Monitoring • Analytics

  8. For more details or a face-to-face meeting and/or workshop, contact us:
  Email: Rachana.Karanth@microfocus.com
  Phone: +91 080 4002 2063
  www.microfocus.com

  India Offices:
  Bangalore: Laurel, Block 'D', 65/2 Bagmane Tech Park, C.V. Raman Nagar, Byrasandra Post, Bangalore - 560093
  New Delhi: Unit No 03 & 04, 1st Floor, Salcon Ras Vilas, District Center Saket, New Delhi - 110017
  Mumbai: Leela Galleria, 1st Floor, Andheri Kurla Road, Andheri (East), Mumbai - 400059
