BB issues 17-point cybersecurity directive amid rising threats

In an attempt to counter growing cyber threats targeting the financial sector, Bangladesh Bank has issued a sweeping 17-point cybersecurity directive for all banks, non-bank financial institutions (NBFIs), and mobile financial service (MFS) providers.
The directive, issued Tuesday via a circular from the central bank's Information and Communication Technology (ICT) Department, underscores the heightened risk of sophisticated cyberattacks on financial entities, both locally and globally.
The BB urged all regulated institutions to urgently bolster their cybersecurity infrastructure and implement globally recognised best practices.
The comprehensive directive aims to minimise risks and enhance the resilience of the country's financial institutions. It outlines both technical and procedural safeguards that must be implemented across all banks, NBFIs, and MFS providers.
Among the key measures, the central bank has mandated the timely patching of all servers, applications, and network devices so that known vulnerabilities are closed before they can be exploited. Institutions must also enforce the principle of least privilege (referred to in the circular as "Least Privileged Access"), ensuring that employees and service accounts hold only the permissions necessary for their roles.
Data protection has been given particular importance, with a directive to adopt the 3-2-1 backup strategy (three copies of data, on two different types of media, with one copy kept off-site) and to ensure full encryption of data in transit, at rest, and during processing. Multi-Factor Authentication (MFA) is now compulsory for all critical systems, strengthening identity verification.
Institutions are also required to deploy Security Information and Event Management (SIEM) systems and Network Intrusion Detection Systems (NIDS) for continuous threat monitoring.
To improve response capabilities, they must maintain actionable, regularly tested incident response and disaster recovery plans, according to the BB notice.
The notice also mandates enhanced security controls for VPNs and privileged remote access, to reduce the exposure created by off-site operations. Furthermore, dedicated security personnel must be appointed to provide round-the-clock security monitoring.
The directive also requires all institutions to maintain and regularly update comprehensive Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP).