The Cybersecurity Framework for the Financial Sector has been published.
The Bangladesh Bank, the regulatory authority for the country's banking and financial sector, has introduced a cybersecurity framework aimed at strengthening the digital security of the financial sector. To address emerging cyber risks and threats, the framework organises its controls around five key pillars: Identification, Protection, Detection, Response, and Recovery, mirroring the five core functions of the NIST Cybersecurity Framework.
The framework builds on the existing ICT security guidelines for banks and non-bank financial institutions (NBFIs) and draws on standards such as ISO 27001, the National ICT Security Policy, and other recognized international standards. It sets baseline cybersecurity standards and controls that institutions are expected to meet as a minimum.
The framework applies to banks, non-bank financial institutions (NBFIs), mobile financial service providers (MFSPs), payment service providers (PSPs), payment system operators (PSOs), and other financial service entities. Collectively, these are referred to as "institutions."
Eleven fundamental principles have been outlined for the institutions, which include:
a) Safeguarding financial stability;
b) Identifying and responding to cyber threats;
c) Establishing a common approach to addressing cybersecurity challenges;
d) Achieving an appropriate and mature level of cybersecurity practices;
e) Defining the roles and responsibilities of relevant stakeholders;
f) Addressing cybersecurity practices with due diligence;
g) Ensuring security and privacy requirements are met;
h) Raising stakeholder awareness regarding information security in the cyber environment;
i) Ensuring a secure environment for data processing;
j) Following industry best practices for technology use;
k) Building a cybersecurity culture.
While reviewing the draft framework, analysts have identified both strengths and limitations. Cyber infrastructure analysts consider the draft a well-structured framework with broad scope, covering risk management, incident response, and legal aspects. It follows a clear structure based on recognized standards such as the NIST Cybersecurity Framework and ISO 27001, giving financial institutions a solid foundation. It also clarifies the roles of the various stakeholders, including the Cyber Incident Response Team, which increases accountability. Its emphasis on training and awareness reflects an effort to foster a security-conscious culture within institutions, and it highlights the need for self-assessment and regular review of cybersecurity measures to ensure compliance with local laws and regulations.
However, the draft may appear complex and lengthy to general users. While it outlines processes and control categories, it lacks specific examples or case studies to illustrate implementation, and this limited practical guidance may leave institutions uncertain about their next steps. The framework may also struggle to keep pace with a rapidly evolving threat landscape. Its technical language could hinder understanding among non-technical stakeholders, and concerns about its scalability persist.
Therefore, to enhance the effectiveness of the framework, cybersecurity professionals in the financial sector have called for simplification, the inclusion of practical examples, and a more dynamic approach to evolving cyber threats.