Only four of the 60 banks in the country have set up cyber security operation centres in line with a Bangladesh Bank directive to thwart large-scale cyber-attacks.

In the absence of an effective cyber security system in most banks, the country's banking sector remains vulnerable to cyber criminals even about five years after the $101 million cyber heist from the BB's account with the Federal Reserve Bank in New York.

Though the central bank in its 2016 directive specified an IT security solution for all banks with an investment of Tk 2-5 crore each, most of the banks either went for partial-fix or no-fix at all.

Dependence on digital banking tools has been growing fast in recent months as many now do online banking from home instead of going to banks amid the Covid pandemic.

"This has created more cyber risks to the banking system than ever," said Tanvir Hassan Zoha, an IT expert and an assistant professor at Bangladesh University of Business and Technology.

Following the cyber heist in February, 2016, the BB on March 3 the same year asked all banks to immediately set up IT security solution system, namely cyber "security operation centre" (SOC).

But banks are persistently ignoring the instruction to set up SOC as they seem uninterested in investing additional funds, putting the entire banking system at risk, Zoha said.

Contacted, Debdulal Roy, an executive director of the central bank, said only four of the 60 banks in the country have been able to set up SOC.

He said a lack of skilled manpower is one of the main reasons for most of the banks' failure to put the system in place.

Many banks may have financial capabilities to set up SOC, but they don't have trained manpower to run such a centre, he mentioned.

Asked why most of the banks failed to create skilled manpower despite the BB initiative about five years ago, he said many of the banks lack willingness to do so.

"We have written to the banks from time to time, asking them to put in place the cyber security system. We also conveyed it to bank officials at various meetings."  

The central bank is now thinking of fixing a deadline for the banks for setting up SOC once the coronavirus pandemic comes under control, he noted.

Debdulal further said the IT security units of the government agencies should help create skilled manpower in the banking sector.

"The police and the Rapid Action Battalion have strong wings to tackle cyber-attacks. Such government agencies can play a positive role in improving the skills of IT officials in banks," added the BB official.

SOC is a centralised function within an organisation employing people, processes and technology to continuously monitor and improve its security posture while preventing, detecting, analysing and responding to cyber security incidents.

It acts like a hub or a central command post, taking in telemetry from across an organisation's IT infrastructure, including its networks, devices, appliances and information stores.

For instance, if anyone tries to steal money from an automated teller machine (ATM) booth of a bank with SOC, the central security system of the bank will be alerted and the fund transfer will be stopped automatically.

Zoha said the IT departments of banks are largely dedicating themselves for setting up infrastructure or fixing the existing IT-related problems.

"Risks will deepen further in the days ahead due to the rapid expansion of digital banking. The banks should take immediate measures to this end," he added.

Except for the branches of three specialised banks, the branches of almost all other banks (99.21 percent) had online banking facilities last year, according to BB data.

The foreign commercial banks had 100 percent online banking facilities, followed by private commercial banks (99.98 percent) and state-run commercial banks (98.12 percent).

In September and November this year, the central bank and the finance ministry issued cyber security alerts for banks soon after receiving information from different local and global agencies.

Following the BB's alert in September, almost all banks suspended the service of ATMs and point of sales (POS) from 12:00am to 7:00am for the time being.

Talking to this newspaper, Syed Mahbubur Rahman, managing director of Mutual Trust Bank, said all stakeholders of the banking sector should make a concerted effort to strengthen the IT security.

"Banks enjoy profits from their loan disbursement immediately. But they do not see any profit from investment on the IT security in the short term," he said.

Several executives of IT departments at three banks said a good number of banks are now on track to set up SOC.

It's a tough job for the banks as they have to upgrade their digital systems and also make a huge investment, they pointed out.

The bank officials said they are now trying to mitigate the risks of cyber-attacks by using various manual and digital tools in the absence of SOC.

Many banks are using two-factor authentication and SMS alert system for every financial transaction. Imposition of a ceiling on each card transaction is another option to reduce the risks, they mentioned.

They, however, admitted that SOC is the most effective way to protect a bank from cyber-attacks.

Syed Almas Kabir, president of Bangladesh Association of Software and Information Services (BASIS), said it is alarming that most of the banks don't have SOC.

"The government needs to have policies to encourage and ensure cyber security. Currently, there are high import duties on security hardware and this is detrimental to the industry."

"We expect the government will heed our request [to lower duties] so that the country can benefit in the long run," he said.