Vietnam reviews its banking system to counter cyber threats

Vietnam is planning a major overhaul of its banking system in response to increasingly sophisticated and dangerous attacks over the last few years.

Cyber attacks on banks in South-East Asia have increased in scale, persistence, and sophistication, according to a report by the legal journal Lexology. There have been several violations of information security, for example leaks of customer information, the use of malicious code, and the breaking of passwords, all intended to penetrate banks' information systems.

On October 21, 2020, the State Bank of Vietnam issued Circular 09, which sets out minimum requirements and conditions to heighten the security of the information systems used in banking operations in the country. The minimum requirements and conditions apply to credit institutions, branches of foreign banks, intermediary payment service providers, credit information companies, the National Payment Corporation of Vietnam, Vietnam Asset Management Company, National Banknote Printing Plant, and Deposit Insurance of Vietnam that establish and use information systems to support their technical and professional operations. This replaced Circular 18, which was seen as being out of date and inadequate to counter the new and more sophisticated threats from cybercriminals and hackers.

Circular 09 has made significant changes to the existing framework. The most important is the re-classification of information systems in Vietnam. The change in the framework has resulted in a change in the management of information systems security, has changed awareness, and has tightened compliance.

There are four major changes:

1. Classification of information – Personal information

The previous Circular 18 included only three banking information categories: public information, internal (private) information, and classified information. In other words, Circular 18 did not provide for specific management and protection of personal information. Previously, personal information was referenced only in the regulation regarding backup requirements (i.e., institutions that owned both main and standby information systems that existed outside of Vietnam had to store personal information and transaction data belonging to their clients located in Vietnam, in accordance only with general provisions of Vietnamese law). Circular 09 now defines personal information as it relates to banking.

2. Classification of information systems - New Levels

Information systems have classifications under Circular 09. There will now be a five-level system rather than the old three-tier one.

The five-level information system is expected to be more effective and more tailored to specific needs. The new arrangement is also expected to use resources more effectively by decentralising the classification of information systems.

In short, the five-level system is more specific, and it is now easier to classify the parts of the information system and to treat each of them appropriately.

3. Multi-factor authentication

In addition to creating a mechanism to ensure greater security, there are now new requirements for authentication of data. These call for a multi-factor authentication method that requires a user to provide at least two forms of authentication to prove identity. From a security standpoint, this is a significant step forward.

4. Enhancing the management of information security incidents

Circular 09 carries over and upgrades certain regulations on the management of information security incidents from Circular 18. Circular 09 can be seen as an adjunct to the Law on Cyber-Information Security. It is also intended to enhance several requirements for security and confidentiality in line with the rapid and diversified development of information technology and the situation of cyber-information security in the banking sector.

Circular 09 is expected to strengthen information system security in banking operations against the growing number of sophisticated attacks that occur each year.

