By Lee Chipongian
Since cyber threats against the banking system occur on a daily basis, the central bank has tightened its rules on the reporting of such incidents so that their spread and damage can be contained.
On October 31, 2018, the Bangko Sentral ng Pilipinas (BSP) issued Circular No. 1019 (Technology and Cyber-Risk Reporting and Notification Requirements), which tightened the reporting of major cyber-related incidents, including attacks on automated teller machines (ATMs), from within 10 days of the incident to within two hours of first detection.
Once hit, local banks are required to submit to the BSP a follow-up report within 24 hours of the incident. This report should contain information such as the manner and time of initial detection, the impact of the incident, and the initial remedial response.
Quick reporting is key to stopping cyber-related crimes from spreading. The BSP said this is necessary because of the “speed of exploitation, proliferation of attack tools and actors, and potentially massive extent of damage.”
The BSP circular contains detailed guidelines for banks’ periodic reports (the annual IT profile) and event-driven reports on cyber-related issues. Reportable major cyber-related incidents are those that would “seriously jeopardize the confidentiality, integrity or availability of critical information, data or systems of BSP supervised financial institutions.” The circular’s definitions cover a “compromised state,” in which someone or something has maliciously broken into networks, systems or computers; data breach; hacking; pharming (a form of cyberattack that redirects website traffic to a fake website); spearphishing; and threat actor (a person, an organized group or a government with the capabilities to cause major damage to institutions).
Security events or attacks that are blocked by a bank’s security systems do not need immediate reporting and are not considered major reportable incidents. They can become major incidents, however, if a multitude of customer accounts are hit, for instance through fraudulent transfers of large sums of money.
The aim is to prevent further disruption of financial services and operations, such as when a data breach has occurred. The BSP describes a data breach as “an incident in which sensitive, protected or confidential data or information has potentially been viewed, stolen, leaked, used or destroyed by unauthorized persons.”
Financial institutions continuously watch out for bigger threats such as massive data breaches and financial losses resulting from compromised cybersecurity systems.
The incidents at the Bank of the Philippine Islands (BPI) and BDO Unibank, Inc. in 2017 were very much publicized, though both banks said no money was lost. Most incidents, however, never come out openly and are known only to the bank involved and its regulator, the BSP.
But cyberattacks have become so brazen that there is now a strong clamor for public disclosure. This was highlighted by the 2016 cyberheist in which an international group of hackers stole Bangladesh Bank funds held at the Federal Reserve Bank of New York and funneled $81 million to a local bank.
Recently, US cybersecurity software provider Symantec issued a global warning after it reported how the Lazarus cybercrime group deployed the so-called “FASTCash” attacks that have been hitting ATMs in Asia and other parts of the globe. FASTCash enables large-scale fraudulent cash withdrawals: the attackers compromise the servers that run a bank’s payment switch so that ATM withdrawal requests are approved regardless of the account balance, allowing money mules to empty machines. The Symantec warning was one of several issued this year by governments, mainly the US, which alerted the world to Lazarus’ ATM cash-out scheme back in October.
Microsoft recently commissioned a study by Frost & Sullivan on cybersecurity risks which estimated that in 2017 a financial services firm in Asia Pacific that was targeted incurred an economic loss of $7.9 million. The study noted that about 56 percent of financial services companies had either experienced a cybersecurity incident last year or were not sure whether they had.
Regulators expect more ATM-related crimes
A number of banks are still transitioning to the EMV (Europay Mastercard Visa) regime even though the deadline for compliance expired on June 30 this year.
EMV is a global standard for chip-based credit, debit and prepaid payment cards. Also known as smart cards, these payment cards contain a small microprocessor, essentially a tiny computer chip, that holds the card data and its security features. The chip generates a unique cryptographic value for each transaction, so data captured from one transaction cannot simply be replayed to clone the card. This makes chip cards more secure than the traditional magstripe payment and ATM cards. Skimming, the illegal copying of a magstripe card’s data to gain access to the cardholder’s account, is the most common fraud against the old cards.
In the months before the full migration deadline to EMV technology, BSP Deputy Governor Chuchi G. Fonacier had anticipated that fraudsters would step up their illegal activity to take advantage of banks that had yet to shift to EMV.
EMV compliance covers software updates, the upgrading of ATM and POS terminals, and the replacement of credit, debit and prepaid cards.
In anticipation of fraud, the BSP implemented the EMV Card Fraud Liability Shift Framework in 2017 to discourage banks from delaying the EMV migration.
The liability shift addresses the liability for, and resolution of disputes over, fraudulent transactions. Essentially, banks that have yet to adopt EMV technology, whether as card issuers or as operators of the terminals involved, shoulder the liability for fraud on those transactions.
The EMV requirement was reiterated when the BSP released the revised cybersecurity reporting rules last October 31.
The BPI and BDO incidents were in the news for different reasons. BPI said it suffered a system glitch that resulted in massive mispostings of debit and credit transactions, and insisted it was not a cyberattack.
BDO, on the other hand, dealt with ATM skimming that victimized a number of cardholders. It resolved the matter, as most banks do, by reimbursing customers after they had filed dispute claims.
BSP Governor Nestor A. Espenilla Jr. has said that what happened to both banks reflects a threat that banks face on a daily basis. The Bankers Association of the Philippines said internal glitches and ATM hits are common incidents and, at the end of the day, do not affect banks’ ability to provide service to clients.
Still, BPI and BDO were called by the Senate Committee on Banks, Financial Institutions and Currencies to explain the situation and more importantly, to enlighten the banking public.