Ensuring security and safety of information systems in the implementation of deposit insurance activities

16:43-15/08/2022

Alongside the trend of digital transformation come challenges in cybersecurity and information safety, as financial institutions such as banks are always the "target" of cybercriminals. In that context, Deposit Insurance of Vietnam (DIV) always focuses on ensuring the security and safety of information, both internally and in the network environment, in carrying out its professional activities, thereby better protecting the legitimate rights and interests of depositors and actively contributing to maintaining the safety of the credit institution system.

Cybercrime tends to be more complex

The digital transformation process has made particularly strong strides in the banking industry: many financial and banking services (payment, deposit, savings, etc.) are now provided entirely on digital channels to meet the needs of people and businesses for online transactions anytime, anywhere. However, attacks to steal money from bank accounts have been one of the typical trends among cybercriminals in recent times.

The perpetrators' tricks include scanning for security holes, privilege escalation attacks, and unauthorized access to the management systems of servers at banks in order to withdraw money from customers' accounts. Sophisticated tricks in cyberspace allow cybercriminals to steal money from victims' accounts and collect large amounts of personal data (names, addresses, identity card or citizenship numbers, phone numbers, dates of birth and occupations). This information can be bought and sold in the cybercriminal community or sold for further attacks on the victim. This situation poses many challenges to the banking industry: completing legal regulations; synchronizing and standardizing infrastructure to connect, integrate and create a digital ecosystem, thereby changing customer needs and behavior; and ensuring the security, safety and confidentiality of customer data.

According to Insights' Cybersecurity Report (2021), more than 25% of malware attacks are aimed at banks and financial institutions, more than at any other industry. The reason lies in the nature of the financial-banking industry, whose business model and provision of products and services are based on digital technology.

The State Bank of Vietnam (SBV) pays special attention to information security and has continually researched and issued a legal framework on information security. The Directives issued by the Governor of the SBV since the beginning of 2022 all include the task of ensuring the security and safety of information technology activities. Specifically, in Directive No. 01/CT-NHNN dated January 13, 2022 on organizing the implementation of key tasks of the banking industry in 2022, one of the important tasks for units under the SBV is “Promoting digital transformation in banking activities; promote non-cash payments; ensure the security and safety of information technology activities, electronic payment, card payment”. Hence, the Governor of the SBV has requested the following: strengthening and improving the supervision of important payment systems and of the provision of payment intermediary services; ensuring security, safety and confidentiality in payment activities, information technology application and the digital transformation of the SBV; carrying out safety and security assessments of important information systems; issuing timely warnings and recommendations on risk issues as well as solutions to enhance security and safety; and ensuring the continuous and safe operation of the interbank electronic payment system.

Information security in deposit insurance activities

As a member of the national financial safety net, the DIV has actively researched and strictly complied with the State's guidelines, policies and laws, such as: the National Cybersecurity Strategy; Directive No. 28-CT/TW dated September 16, 2013 of the Secretariat of the Party Central Committee (term XI) on strengthening the work of ensuring network information security and safety; Directive No. 46-CT/TW dated June 22, 2015 of the Politburo on strengthening the leadership of the Party in ensuring security and order in the new situation; the Law on Cybersecurity; the Law on Cyberinformation Security; the Law on Protection of State Secrets; Decree No. 26/2020/ND-CP dated February 28, 2020 of the Government detailing a number of articles of the Law on Protection of State Secrets; Directive 02/CT-TTg dated July 4, 2018 of the Prime Minister on the protection of State secrets in cyberspace; Decision No. 1820/QD-NHNN dated October 26, 2020 of the Governor of the State Bank of Vietnam (SBV) on the Regulation on safety and security of the information system of the SBV; and Circular No. 09/2020/TT-NHNN dated October 21, 2020 of the Governor of the SBV on information system safety in banking activities.

On that basis, the DIV issued guidance on crisis handling when a cyberinformation security incident occurs (in 2021), and is expected to promulgate the Safety Regulations on the Information System of the DIV in 2022. Information security is ensured in accordance with legal regulations and with the principle of clearly defining the rights and responsibilities of each department and individual at the DIV. The DIV's information system is classified according to regulatory level, and the appropriate information security policy is applied. These documents clearly set out the identification signs, methods of classification, timely assessment and effective solutions for each type of information technology risk that may occur at the DIV.

At the same time, the DIV focuses on equipping employees across the entire system with skills to respond to cyber-attacks, and on raising awareness and knowledge about protecting State secrets in cyberspace through personalized security training courses for employees in each professional field.

The DIV continues to develop and improve its system of administrative documents and regulations on ensuring network security, information safety, and the protection of State secrets in cyberspace, especially regulations on the use of internal computer networks and internet connections; these assign responsibility to the leaders of specialized units and sections and set specific sanctions to handle violations.

At the same time, the DIV also focuses on investing in physical facilities and technical equipment to ensure network security and information safety, such as: periodically reviewing and re-evaluating the entire information system across the whole DIV system; replacing outdated network models with centralized governance systems; systems for automatically managing and updating security patches offline; a system for monitoring, detecting and warning of network attack activities (SIEM/SOC); and notices not to buy new equipment originating from a number of countries/technology companies that have been warned about for existing security holes and risks to information security and safety.

In the coming time, the DIV says it will further strengthen the inspection and examination of network security, information safety, and the protection of State secrets on computer networks and in cyberspace at every unit of the entire DIV system. It will ensure that staff in charge of network administration and information system administration have sufficient political standards, professional qualifications and working capacity; ensure timely detection of loopholes and omissions in ensuring network security; and prevent and promptly handle cyber espionage activities aimed at the deposit insurer.

Communication Department