Central bank strengthens cyber resilience guidelines amid rising cybercrime concerns


KATHMANDU: In response to the escalating risks associated with online transactions, the Nepal Rastra Bank (NRB) has enforced the ‘Cyber Resilience Guidelines’ since August 2023, with a focus on enhancing security measures implemented by banks and financial institutions (BFIs) to protect clients.

The guidelines, covering five key risk management categories—Governance, Identification, Protection, Detection, and Response & Recovery—include three overarching components: Testing, Situational Awareness, and Learning & Evolving. BFIs are required to address these components throughout their cyber resilience framework.

Key aspects of the guidelines involve developing a cyber resilience strategy and framework approved by the central bank, conducting risk assessments to identify critical operations, assets, and threats, implementing strong security controls aligned with standards like ISO 27001, establishing capabilities for continuous monitoring and early detection of cyber incidents, and having comprehensive incident response, resumption, and recovery plans.

Government records indicate that 13,330 cybercrime cases were registered, with 40 percent related to financial scams. With over 150,000 households on fixed broadband, 24 million on 3G and 4G mobile connectivity, and 21.6 million subscribed to mobile banking, the need for robust cybersecurity measures is paramount.

A cybersecurity expert highlighted the evolving nature of cyber threats, emphasizing that hackers now operate domestically, turning cybercrime into organized local activities. They stressed the importance of user awareness and caution, particularly when using free public Wi-Fi, which poses a heightened risk of hacking.

Gunakar Bhatta, executive director of the NRB, emphasized governance in digital transactions, enforcing rules such as multiple authentications, two-factor authentication, provision of disaster recovery sites, and mandatory system audits every two years for payment service providers (PSPs) and payment service operators (PSOs).

Limbu further called for the enactment of the Cyber Security Act and Breach Notification Act to address the growing challenges of cybersecurity in digital transactions.

Meanwhile, members of parliament criticized a bill amending the Banking Offenses and Punishment Act 2008, citing its limitation to traditional transactions and failure to address digital system issues, including financial offenses related to bitcoin and cryptocurrency. Lawmakers advocated for increased financial literacy to minimize theft cases on digital transaction platforms.

Fiscal Nepal |
Monday February 19, 2024, 10:22:36 AM |

