Cyber attacks on banks in South-East Asia have increased in scale, persistence, and sophistication, according to a report published on the legal news service Lexology. Banks in the region have suffered a series of information security breaches, including leaks of customer data, deployment of malicious code, and password cracking, all aimed at penetrating the banks' information systems.
On October 21, 2020, the State Bank of Vietnam issued Circular 09, which sets out minimum requirements and conditions for securing the information systems used in banking operations in the country. These requirements apply to credit institutions, branches of foreign banks, intermediary payment service providers, credit information companies, the National Payment Corporation of Vietnam, Vietnam Asset Management Company, the National Banknote Printing Plant, and Deposit Insurance of Vietnam, insofar as they establish and operate information systems in support of their technical and professional activities. Circular 09 replaces Circular 18, which had come to be seen as out of date and inadequate against the current, more sophisticated threats posed by cybercriminals.
Circular 09 makes significant changes to the existing framework, the most important being the re-classification of information systems in Vietnam. This in turn changes how information system security is managed, raises awareness of security obligations, and tightens compliance requirements.
There are four major changes:
1. Classification of information – Personal information
The previous Circular 18 recognised only three categories of banking information: public information, internal (private) information, and classified information. In other words, Circular 18 did not provide for the specific management and protection of personal information. Personal information was previously referenced only in the backup requirements: institutions whose main and standby information systems were located outside Vietnam had to store the personal information and transaction data of their clients located in Vietnam in accordance with the general provisions of Vietnamese law. Circular 09 now defines personal information in the banking context and regulates it as its own category.
2. Classification of information systems - New Levels
Circular 09 also changes how information systems themselves are classified: a five-level system replaces the old three-tier one.
The five-level system is expected to be more effective and better tailored to the specific needs of each system. By decentralising the classification of information systems, the new arrangement is also expected to make more effective use of the resources available to the institutions concerned.
In short, the five-level system is more granular: it is now easier to classify each part of an information system and to apply controls appropriate to its level.
3. Multi-factor authentication
In addition to the classification mechanism, Circular 09 introduces new requirements for user authentication. It mandates multi-factor authentication, in which a user must present at least two independent forms of evidence (for example, something they know, such as a password, together with something they possess, such as a one-time code generated by a device) to prove their identity. From a security standpoint this is a significant step forward, because a single compromised password is no longer sufficient to gain access.
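To make the "at least two forms of authentication" requirement concrete, the following is an added example written for this page, not code from Circular 09, the State Bank of Vietnam, or the Lexology report. It implements a second factor as a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226) and combines it with a password check. The user record, salt, password and the TOTP seed (the RFC 6238 test secret) are constructed demo values; a real deployment would provision the seed out of band and store per-user state in a database.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user store (assumption: a real system persists this per user).
# The TOTP secret is the RFC 6238 test vector secret so the outputs are checkable.
USERS = {
    "alice": {
        "salt": b"demo-salt-alice",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"demo-salt-alice", 100_000),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest time-step counter already accepted (replay guard)
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1, digits: int = 6):
    """Return the time-step counter that matches `code`, or None.

    Accepts +/- `window` steps of clock drift between client and server and
    uses a constant-time comparison so a wrong digit is not detectable by timing.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    base = unix_time // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def login(username: str, password: str, code: str, unix_time: int = None) -> bool:
    """Two-factor login: both the password and the one-time code must verify.

    Both factors are always evaluated (no short-circuit) and a single generic
    result is returned, so the caller cannot learn which factor failed.
    """
    if unix_time is None:
        unix_time = int(time.time())
    user = USERS.get(username)
    if user is None:
        # Burn the same hashing cost for unknown users so they are not
        # distinguishable by response time (assumption: PBKDF2 dominates).
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy-salt", 100_000)
        return False

    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])

    counter = verify_totp(user["totp_secret"], code, unix_time)
    # Reject a code whose time step has already been used: each code is one-time.
    otp_ok = counter is not None and counter > user["last_counter"]

    if pw_ok and otp_ok:
        user["last_counter"] = counter
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for alice:", totp(USERS["alice"]["totp_secret"], now))
    print("login:", login("alice", "correct horse", totp(USERS["alice"]["totp_secret"], now)))
```

Two details matter in practice beyond "two factors": the replay guard (`last_counter`) ensures a code intercepted during the drift window cannot be submitted a second time, and evaluating both factors unconditionally with a single generic failure result avoids turning the login endpoint into an oracle that confirms a correct password before the second factor is checked.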
4. Enhancing the management of information security incidents
Circular 09 carries over and upgrades the rules on managing information security incidents that were already in Circular 18. In this respect it can be seen as supplementing the Law on Cyber-Information Security. It also tightens several security and confidentiality requirements to keep pace with the rapid and diversified development of information technology and with the cyber-information security situation in the banking sector.
Circular 09 is expected to strengthen the security of information systems used in banking operations against the growing number of sophisticated attacks seen each year.