How to Face E-security Challenges

1. Global Dialogue/World Bank Group How to Face E-security Challenges Xia Lingwu Division Head International Department China Banking Regulatory Commission 11 September 2003

2. Contents • Comments on e-security incidents • What we do to face e-security incidents • Our suggestions CBRC

3. Internet banking has been developing very rapidly in mainland China. CBRC

4. As of the end of June 2003, the number of banks engaged in transactional internet banking businesses has grown to 27 from 1 in 1999. All big and medium local banks can provide transactional internet banking services. • During the period of SARS, more customers used Internet to handle with banking A/Cs services. CBRC

5. Characteristics of E-security Incidents • Widened scope without time and space limitation: • attacks from both inside and outside; • attacks from both domestic and abroad. • Increased means: • high-tech attacks; • frauds without any technologies, such as stealing customer data by cheating e-mails. CBRC

6. Challenges for E-security • Not frauds and malicious attacks; • Lack of risk awareness and risk management ability of internet banking. • Dissymmetry exists between the risk management ability and complexity of e-security. • Lack of good cooperation among regulators and supervisors. CBRC

7. Risk Management Framework of Internet Banking Financial Regulation and Supervision IT Security Regulators and Supervisors Internet Banking Internal Auditing Outsourcing External Assessment Bank Management Vendors Developers CBRC

8. Contents • Comments on e-security incidents • What we do to face e-security incidents • Our suggestions CBRC

9. Measures to Maintain E-security • In terms of regulation and supervision, the supervisory authority should establish rules and criteria for running e-banking. • Risk management system on IT risks; • Qualified IT management and staff; • Business continuity and contingency plans; • IT internal auditing functions; • Information security assessment. CBRC

10. Measures to Maintain E-security • In terms of bank management, • To equip with appropriate sophisticated security technologies; • To establish adequate policies and operation procedures; • To put e-security into the overall framework of risk management of the whole bank, and give the same emphasis on IT security as on credit risk and market risk; • To train staff and managerial persons on on-going bases. CBRC

11. Security Assessment on Internet Banking • Qualified assessors; • Qualified working procedures and policies; • Adequate coverage of security assessment: • Security strategies and policies; • Physical and environmental security; • Communication security; • Operation security; • Resources security; • Security inspection; • External safety. • Qualified report. CBRC

12. Suggestions on Strengthening Internet Banking Supervision • Encourage to establish information sharing mechanism among banks both in domestic market and international market; • Develop cooperative mechanism among regulatory and supervisory agencies; • Establish internationally accepted e-security classification system. CBRC

13. Thanks! CBRC