
Managing risks of cyber security for Palestinian banks

By Ikhlas Tamaliyeh

Cyber security issues have always been of common interest to Palestinian financial institutions in general, and to banks in particular. With the expansion of digital technology in Palestine, the accelerated development of financial technology has given banks the opportunity to raise the level of service offered to clients. Given the trend towards adopting technology across wide areas of the financial and banking sector, we cannot by any means overlook the accelerating risk of cyber attacks, whose perpetrators find banking institutions an attractive target because of their vital role in financial intermediation, which in turn may threaten global financial stability.

Recently, the importance of cyber protection systems against digital attacks, which aim at reaching sensitive data and using it to obtain money or to sabotage business transactions, has multiplied, especially after the International Telecommunication Union announced that global damages from these attacks reached 6 trillion $ in 2021. The Global Cybersecurity Index (GCI) issued by the International Telecommunication Union classified four Arab countries at a high level of cyber security, for example Saudi Arabia, Qatar, the Emirates, Bahrain and Oman, which remain at the forefront of efforts to achieve cyber security. The index relies on major pillars: legal, technical and organizational measures, capacity building, cooperation, the availability of cyber security strategies and policies, national plans and standards implemented on the ground, and the presence of a legal and legislative structure to support cyber security.

Public oversight framework in Palestine for cyber security

The financial services sector experiences cyber attacks surpassing those on other sectors, at a rate of 65%. The International Monetary Fund estimated the cost of actual cyber attacks on the ground in 50 countries: the average potential annual loss may be as large as 9% of banks' net profits at the global level, or 100 million $ if the attacks are similar to previous ones. In the worst-case scenario, the cost of cyber attacks may reach approximately 270-350 million $. This requires supervisory and monitoring parties to adopt a more participatory approach that unifies efforts to build a holistic matrix for managing cyber security and to provide a safe and credible environment that protects business information. It also requires raising the level of readiness to respond to cyber attacks and to alleviate their consequences, without overlooking the importance of preparing, in advance, a technological environment that supports digital forensic investigation when cyber attacks take place.

As a result, acknowledging the threats emanating from cyber risks and the importance of enhancing the capacity of banking systems to withstand such risks and take precautions, the Palestinian Monetary Authority took supervisory and regulatory steps aimed at averting the impact of cyber attacks on the sector and guaranteeing banks' capacity and readiness to provide service without interruption. Furthermore, it developed governance frameworks and policies, and implemented security control programs to evaluate the efficiency of cyber security controls and to measure the maturity level of each institution.

The Palestinian Monetary Authority has developed several control standards:

  • Confidentiality: Ensuring that data and sensitive systems are not accessible to unauthorized individuals, entities or other illegitimate processes.
  • Integrity: Ensuring that data and sensitive information cannot be modified or deleted in an unauthorized and undetectable manner.
  • Availability: Ensuring that information can be accessed and used at the right time.

Most prominent cyber attacks:

Cyber attacks take many forms, but all ultimately aim at the illegal acquisition of bonds and transferred money for the attacker or for others, by impersonating other entities, accessing credit data without legal justification, disabling access to services, or sabotaging data access. In light of the accelerated digital transformation of the banking sector, financial institutions have become vulnerable to cyber attacks, among them the following:

  • Phishing attacks: Sophisticated attacks based on social engineering which aim at tempting the victim into voluntarily disclosing sensitive data. This method depends on posing as a legitimate party by presenting login pages very similar to the bank's official site. Attackers used phishing in 46% of global attacks against financial services in 2021.
  • Malware attacks: Software designed to cause damage to servers, computers and networks without the end user's knowledge.
  • DDoS attacks (Distributed Denial of Service): Aim at making banks' services unavailable by overloading servers with huge quantities of requests.
  • Ransomware: Malicious software delivered through a cyber attack. It has been the most dangerous form in the past few years because of its direct impact on computers: it takes control of data and locks it, demanding money in return for lifting the restriction so that users can regain access in the usual manner.
  • Theft of personal data: Includes stealing accounts and clients' information to use them in fraud and hacking.
  • Internal attacks: Carried out by former or current employees aiming at obtaining unauthorized data or sabotaging the systems.

Management of cyber attacks and overcoming violations:

The Basel Committee on Banking Supervision indicated the importance of setting policies and procedures that allow the risks of electronic banking work to be managed through their evaluation, monitoring and follow-up. This falls under the operational risk principles it issued in 1998 and 2001. Most central banks conduct risk-based monitoring to test a bank's ability to meet the risks and challenges of cyber space security; this is examined through the procedures for identifying risks, protection, exploring threats and dealing with them, in addition to recovery plans. The following approaches could be used to promote cyber security and protect financial stability:

  1. Proof of identity through the internet: Most banks in the Arab region rely on the principle of dual verification to check the identity of a client benefiting from internet banking services. The Monetary Authority, as the supervisory entity, conducts the security and technical evaluation of banking services delivered through the internet. The bank could also benefit from specialized companies that study the readiness of the equipment in use to withstand any penetration or cyber piracy malware, and that upgrade and develop security programs.
  2. Managing passwords: A distinction must be made between creating passwords and delivering them to clients on the one hand, and the process of activating internet banking services on the other; the security of password formation must be enhanced to guarantee that passwords are not disclosed. Banks have to make sure that passwords are not transmitted, stored or processed in clear text. Users and administrators of internet banking systems should be instructed to change issued passwords upon entering the system for the first time, and an expiry date should be specified for each password. The bank has to make sure that the client cannot use an expired password again, and that complex passwords are used and protected with a strong cryptographic method.
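As an added illustration (not code from the article or from the Monetary Authority), the following Python sketch enforces the password controls listed above: salted hashing so that clear text is never stored, a forced change on first login, an expiry date, and rejection of expired or previously used passwords. The iteration count, the 90-day expiry and the history depth are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 100_000        # assumption: tune to the bank's hardware
MAX_AGE = timedelta(days=90)   # assumption: password expiry window
HISTORY_DEPTH = 5              # assumption: earlier hashes that may not be reused

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the clear text is never kept or compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def is_complex(password: str) -> bool:
    """At least 12 characters with upper, lower, digit and symbol (assumed policy)."""
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return len(password) >= 12 and all(any(f(c) for c in password) for f in classes)

class PasswordRecord:
    """Per-client credential state as a bank's user store would hold it."""
    def __init__(self, issued_password: str, issued_at: datetime):
        self.history = []         # (salt, hash) pairs of earlier passwords
        self.must_change = True   # bank-issued password: change on first login
        self._store(issued_password, issued_at)

    def _store(self, password: str, when: datetime) -> None:
        self.salt = os.urandom(16)
        self.hash = hash_password(password, self.salt)
        self.set_at = when

    def _reused(self, password: str) -> bool:
        recent = [(self.salt, self.hash)] + self.history[-HISTORY_DEPTH:]
        return any(hmac.compare_digest(hash_password(password, s), h) for s, h in recent)

    def change_password(self, new_password: str, now: datetime) -> bool:
        """Rejects weak passwords and any reuse of the current or an expired one."""
        if not is_complex(new_password) or self._reused(new_password):
            return False
        self.history.append((self.salt, self.hash))
        self._store(new_password, now)
        self.must_change = False
        return True

    def authenticate(self, password: str, now: datetime) -> str:
        """'denied', 'change_required' (first login or expired) or 'ok'."""
        if not hmac.compare_digest(hash_password(password, self.salt), self.hash):
            return "denied"
        if self.must_change or now - self.set_at > MAX_AGE:
            return "change_required"
        return "ok"
```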
  3. Transferring money through internet services: There are many suitable controls and regulations that help reduce the risks accompanying money transfers from clients' accounts to other parties through the internet. For example, single or dual authentication is applied to money transfers between the client's own accounts within one country and when paying off credit card obligations or private loans. The principle of double monitoring is applied to money transfers, as the bank is required to set a daily limit for money transfers.
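The transfer controls described above, as an added example that is not part of the original article: transfers between a client's own accounts or to the client's own card and loan obligations pass with single-factor login, transfers to third parties require a confirmed second factor, and outgoing amounts are counted against a daily limit. The limit value, the account identifiers and the rule that internal moves do not count against the limit are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

DAILY_LIMIT = 5_000.0   # assumption: bank-set daily ceiling per client, in currency units

@dataclass
class Transfer:
    from_account: str
    to_account: str
    amount: float
    when: date
    second_factor_ok: bool = False   # OTP or token confirmed for this transfer

@dataclass
class Client:
    own_accounts: set      # current and savings accounts held by the client
    obligations: set       # the client's own credit card and loan accounts
    sent: dict = field(default_factory=dict)   # date -> amount already sent out

    def needs_dual_auth(self, t: Transfer) -> bool:
        """Single factor suffices between own accounts or to own obligations;
        anything going to a third party needs the second factor."""
        return t.to_account not in (self.own_accounts | self.obligations)

    def authorize(self, t: Transfer) -> str:
        if t.from_account not in self.own_accounts:
            return "rejected: source account not owned"
        if t.amount <= 0:
            return "rejected: invalid amount"
        if self.needs_dual_auth(t) and not t.second_factor_ok:
            return "rejected: second factor required"
        if t.to_account in self.own_accounts:
            return "approved"   # internal move; assumed not to count against the limit
        used = self.sent.get(t.when, 0.0)
        if used + t.amount > DAILY_LIMIT:
            return "rejected: daily limit exceeded"
        self.sent[t.when] = used + t.amount
        return "approved"
```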

  4. Confidentiality and information integrity: All security measures should be taken into consideration to guarantee the confidentiality and integrity of the client's data. The bank should assess risks, identify potential ones and take the necessary precautionary measures. The Monetary Fund should develop standards for the protection tools to be used. The bank should also guarantee that clients' data is not modified or subjected to unauthorized changes, and make sure that banking services delivered through the internet are available and credible, providing prompt access to users and maintaining efficacy during operation, as well as following a proactive approach to detect any potentially fraudulent transactions.

  5. Securing electronic applications used in banking transactions: It is advised that banks adhere to cyber security practices such as installing protection software to shield these applications from penetration, in addition to conducting penetration testing. It is essential that banks assess weaknesses in their applications at least twice yearly, develop a preventive plan to address those weaknesses, and share the plan with senior management. Defence in depth should be applied when developing such applications, meeting international standards so as to protect banks from penetration at the level of networks, operating systems, servers, databases and applications. Sound governance systems for technology management should be put in place inside the banks.

  6. Securing cyber space and information systems: Among the essentials banks use for cyber space is stress testing to determine the implications of the success of any cyber attack to which the bank's electronic systems are exposed. According to the monitoring regulations issued by the Monetary Authority, any violations or cyber piracy attacks should be reported.

  7. Continuous training: Banks should provide continuous training for their employees on the latest security techniques against cyber fraud. Employees have to have a good understanding of potential cyber attacks and how to detect them.

  8. Safety awareness: Employees have to be encouraged to share information only through secured channels, and to be cautious about suspicious emails and anonymous links.

Finally, Palestinian banks have to be aware of the future challenges posed by cyber attacks, and invest in modern technology and advanced solutions to protect clients' data. It is important that they have a clear methodology for managing digital risks and enhancing electronic governance. Furthermore, legislation should be developed to criminalize cyber attacks on banks specifically, so that they are not regarded merely as cybercrimes.

Researcher in economic affairs