Introduction

Cyberattacks on banks have increased in scale, persistence, and sophistication. There have been several bold violations of information security, for example, leaks of customer information, use of malicious code, and password cracking, all intended to penetrate a bank's information systems.

On October 21, 2020, the State Bank of Vietnam (“SBVN”) issued Circular No. 09/2020/TT-NHNN (“Circular 09”)[1] which sets out minimum requirements and conditions to heighten the security of the information systems used in banking operations. The minimum requirements and conditions apply to credit institutions, branches of foreign banks, intermediary payment service providers, credit information companies, the National Payment Corporation of Vietnam (“NAPAS”), Vietnam Asset Management Company (“VAMC”), the National Banknote Printing Plant, and Deposit Insurance of Vietnam (collectively, “institutions”), that establish and use information systems to support their technical and professional operations.

Circular 09 replaced Circular No. 18/2018/TT-NHNN (“Circular 18”) on information systems security in banking operations which, when it was promulgated in 2018, attempted to improve security. However, it was soon determined to be inadequate.

Circular 09 has made significant changes in the existing framework. The most important is the re-classification of information systems. Re-classification was necessary in order to deal with shortcomings in the practice of information technology in credit institutions. The change in the framework has resulted in a change in the management of information systems security. It has changed awareness and has tightened compliance.

Circular 09 came into effect on January 1, 2021. However, there is a transitional period for one of the requirements for multi-factor authentication. Approval of the final step of a financial transaction which involves an interbank electronic funds transfer of VND100 million or more is only required as from January 1, 2022. The Straight Through Process for inter-systems transactions is excluded as it is automatically authenticated.

Below are four significant improvements.

1. Classification of information – Personal information

The previous Circular 18 included only three categories of banking information: public information, internal (private) information and classified information. Stated differently, Circular 18 did not provide specific management and protection of personal information. Previously, personal information was referenced only in a regulation regarding back-up requirements (i.e., institutions which owned both main and standby information systems located outside of Vietnam had to store personal information and transaction data belonging to their clients located in Vietnam in accordance only with the general provisions of Vietnamese law). Circular 09 now defines personal information as it relates to banking. For these purposes, personal information is defined to include:

  1. information related to a customer's identification;
  2. account information;
  3. cash deposit information;
  4. asset deposit information;
  5. transaction information; and
  6. some other relevant information.

This is a huge advance, as personal information is a large part of the banking system and it was a significant oversight to leave it out of the mix. There were historical reasons, but they are no longer relevant. Circular 09 now requires that an information system that processes personal information must:

  • satisfy certain key technical requirements. It must (a) separate the development environment from the test environment; (b) apply information security solutions; (c) not install application development tools; and (d) remove or de-activate unused functions or software within the information system;
  • limit and control the use of administrator accounts. An administrator account carries “administrative rights”, meaning the rights to manage the system, by, say, adding new content, restructuring the system, banning users, etc. The institution must: (a) set up a mechanism to monitor and control the creation of any account with administrative rights, so that no personal or institutional account can access the system without proper approval; (b) have a method to monitor and control the use of the administrator account; (c) limit the use of the administrator account to a period sufficient to perform the authorized tasks, and revoke the right to use it immediately after those tasks have been completed, to avoid potential abuse of the account; and (d) use intermediate servers or a centralized management system to make administrative connections;
  • require the use of secured protocols and measures against automated log-ins;
  • comply with information security testing and assessment prior to operating;
  • compile a list of information security incidents and have an incident handling plan; the list and the plan must be updated at least once every six months; and
  • detect risks and threats of network attacks and information security incidents and send a timely warning to the system administrator.
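The administrator-account controls above (approval before an account gains administrative rights, time-boxed use, revocation as soon as the task is done, and administrative connections only through an intermediate server) can be expressed as a small just-in-time access broker. The code below is an added illustration written for this article, not code from Circular 09 or from any institution; the jump-host names, account names and time values are constructed for the example.

```python
"""Just-in-time administrator access broker (illustrative, not from the
Circular). Every administrative grant is approved by someone other than the
requester, capped in duration, revoked when the task completes, and usable
only from an approved intermediate (jump) host. All decisions are logged."""
from dataclasses import dataclass


@dataclass
class Grant:
    account: str
    task: str
    approved_by: str
    start: float       # seconds since epoch (constructed values in tests)
    expires: float
    revoked: bool = False


class AdminAccessBroker:
    def __init__(self, jump_hosts, max_ttl_seconds=3600):
        # Hypothetical jump-host names; real deployments would load these
        # from configuration.
        self.jump_hosts = set(jump_hosts)
        self.max_ttl = max_ttl_seconds
        self.grants = {}      # account -> Grant
        self.audit = []       # append-only record of grants and decisions

    def request(self, account, task, approved_by, now, ttl_seconds):
        """Control (a): administrative rights exist only after approval by
        a second person. Control (c): the grant is capped at max_ttl."""
        if approved_by == account:
            raise PermissionError("requester cannot approve their own grant")
        ttl = min(ttl_seconds, self.max_ttl)
        grant = Grant(account, task, approved_by, now, now + ttl)
        self.grants[account] = grant
        self.audit.append(("grant", account, task, approved_by, now, grant.expires))
        return grant

    def complete(self, account, now):
        """Control (c): revoke immediately when the authorized task is done,
        even if the time box has not yet elapsed."""
        grant = self.grants.get(account)
        if grant is not None and not grant.revoked:
            grant.revoked = True
            self.audit.append(("revoke", account, now))

    def sweep(self, now):
        """Revoke any grant whose time box has expired; returns count revoked."""
        count = 0
        for grant in self.grants.values():
            if not grant.revoked and now >= grant.expires:
                grant.revoked = True
                count += 1
                self.audit.append(("expire", grant.account, now))
        return count

    def authorize(self, account, source_host, now):
        """Controls (b) and (d): an administrative connection is allowed only
        from a jump host, inside an active, unexpired, unrevoked grant."""
        grant = self.grants.get(account)
        allowed = (
            source_host in self.jump_hosts
            and grant is not None
            and not grant.revoked
            and grant.start <= now < grant.expires
        )
        self.audit.append(("connect", account, source_host, now, allowed))
        return allowed


if __name__ == "__main__":
    broker = AdminAccessBroker(jump_hosts={"jump-01.example"}, max_ttl_seconds=1800)
    broker.request("dba-alice", "patch core-banking DB", approved_by="it-manager",
                   now=1000, ttl_seconds=7200)      # capped to 1800
    print(broker.authorize("dba-alice", "jump-01.example", 1500))   # True
    print(broker.authorize("dba-alice", "laptop-alice", 1500))      # False: not a jump host
    broker.complete("dba-alice", 1600)
    print(broker.authorize("dba-alice", "jump-01.example", 1700))   # False: revoked
```

The broker never hands out a standing administrator account: the grant is the only thing that makes the connection check pass, and both the time box and the explicit completion path close it, which is the point of control (c).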

Circular 09 also sets out controls for an institution that uses a third party service to manage clients' personal information. The required tasks of such an institution are to:

  1. Identify and analyze each risk, and estimate the extent of threat and damage to information security which each risk poses;
  2. Define the institution's and the system's capacity to control the institution's operations, provide continuous service for clients and provide information to regulatory authorities;
  3. Define roles and responsibilities of each party to assure service quality;
  4. Work out methods to minimize risk, prevent and address incidents which do occur; and
  5. Review and amend risk management policies.

If an institution uses cloud computing services, the institution must ensure the following four additional measures:

  1. Classify activities expected to be performed on cloud computing based on assessment of the impact of such activities on the institution's operations;
  2. Develop backup plans for components of the information systems which are level 3 or above;
  3. Establish criteria to select a third party service, which satisfy Circular 09; and
  4. Review, amend and apply its information security methods, and limit access through cloud computing to its information systems.

Circular 09 specifies the minimum conditions which must appear in the service contract with a third party service provider, i.e., the third party's commitment to ensure information security; specific provisions on the maximum allowable service interruption and troubleshooting time limits; assurance of continuous operation (on-site backup, data backup, disaster recovery); processing requirements and computing and storage capacity; actions to take when service quality fails; and notification of regulatory violations on information security committed by staff members of the third party providing the service. The actions required may be performed by the service provider or the institution, as agreed.

Circular 09 is comprehensive and offers greater protection. It goes far to establish a proper legal framework to protect personal information.

2. Classification of information systems

Information systems have classifications under Circular 09:

  • Information systems which provide online services to customers have special classifications under Government Decree No. 85/2016/ND-CP dated July 1, 2016.
  • Other information systems are classified into five levels (instead of the previous three) according to the type of information processed and technical particulars. The five levels are divided by function, by the type of information the system processes and by the complexity of the work it is expected to do. The five levels are:
    • Level 1: an information system that services the internal operation of the institution and only processes public information. By “public information”, we mean information that is publicly disclosed to any entity without the need to identify or locate the entity;
    • Level 3: an information system that satisfies one of the following criteria: (i) it processes Vietnamese State classified information at the Confidential level; (ii) it serves the daily internal operations of an institution; an interruption in service if it occurs, may not last more than four business hours; (iii) it serves customers which require 24/7 operation without an unplanned stop; (iv) it is a third party payment system to make payments outside the institution's system; or (v) it is a shared information infrastructure system which serves the operation of the particular institution and the banking system;
    • Level 4: an information system that satisfies one of the following requirements: (i) it processes Vietnamese State classified information at the Secret level; (ii) it processes and stores the data of more than 10 million customers; (iii) it operates in the banking sector and requires 24/7 operation without an unplanned stop; (iv) it is an important payment system in the banking sector as defined by SBVN; and (v) it is a shared information infrastructure system which services parts of the banking sector and which requires 24/7 operation without an unplanned stop; and
    • Level 5: an information system that satisfies one of the following three criteria: (i) processes Vietnamese State classified information at the Top Secret level; (ii) operates in the banking sector and serves the connection between Vietnam and the world; and (iii) is a national banking information infrastructure system which serves the connection between Vietnam and the world.
  • Where an information system includes several components which are classified at different levels, the information system as a whole is classified at the highest of those levels.

To repeat, this change from a three-level to a five-level classification is designed to solve shortcomings in the treatment of information technology in credit institutions. The three-level classification under Circular 18 was quite general and very broad. It provided only the following levels: the Normal information system (Level 1), which serviced internal information of the institution but could not process State classified information; the Specially important information system (Level 3), which, among other things, serviced e-Government, required 24/7 operation and could not be stopped for longer than four working hours; and the so-called Important information system (Level 2). A large number of information systems fell into Level 2, which was by far the largest category. This created challenges in investing resources to secure the management of information systems.[2] The five-level classification is expected to be more effective and more tailored to specific needs. The new arrangement is also expected to use resources more effectively by decentralizing the classification of information systems.

In short, the 5-level system is more specific and it is now easier to classify the parts of the information system and to treat them each appropriately.

3. Multi-factor authentication

In addition to creating a mechanism to ensure greater security, there are now new requirements for authentication. Multi-factor authentication requires a user to provide at least two forms of authentication to prove identity. From a security standpoint, this is a significant step forward.

Authentication factors include:

  1. information known only to the user (PIN, password, etc.),
  2. items in the user's possession (smart card, token, mobile phones, etc.), and
  3. user's biometric characteristics.

Multi-factor authentication is now required in the following circumstances:

  • To approve the final step of a financial transaction which involves an interbank electronic funds transfer of VND100 million or more (the Straight Through Process for inter-systems transactions is excluded as it is automatically authenticated);
  • To access the internal network of an institution in order to do work; and
  • To access servers, applications, and important networks and network security equipment for information systems which are at level 4 and above.

Multi-factor authentication has long been discussed but it was not clearly prescribed. With an increase in the frequency and seriousness of violations of information security, provisions regarding multi-factor authentication have become mandatory. Multi-factor authentication creates a strong layer of protection and makes it difficult for an unauthorized person to penetrate a target. If one authentication factor is compromised, attackers still have to overcome at least one more barrier to successfully enter the target. Among other objectives, multi-factor authentication will reduce the consequences of log-in information leaked by an institution's professional staff.
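The two rules in this section, that final approval of an interbank transfer of VND100 million or more needs multi-factor authentication (with Straight Through Processing exempt), and that the factors must come from at least two of the three categories listed above, can be checked in code. The example below is an added illustration written for this article, not code from Circular 09 or from any bank. It uses a time-based one-time password (RFC 6238, which the Circular does not name; it is one common way to realise the “item in the user's possession” factor) and a PBKDF2 password hash for the knowledge factor; the secret, salt and timestamps are constructed test values.

```python
"""Transfer-approval check for the Circular's MFA rule (illustrative).
Knowledge factor: password verified against a PBKDF2 hash.
Possession factor: RFC 6238 TOTP generated by a token or phone app.
Two proofs of the same kind (password + PIN) do not count as MFA."""
import hashlib
import hmac
import struct
from enum import Enum

MFA_THRESHOLD_VND = 100_000_000   # interbank transfers at or above this need MFA
TOTP_STEP_SECONDS = 30


class Factor(Enum):
    KNOWLEDGE = "something the user knows"    # PIN, password
    POSSESSION = "something the user has"     # smart card, token, phone
    INHERENCE = "something the user is"       # biometric characteristic


def requires_mfa(amount_vnd, interbank, straight_through):
    """Final-step approval rule: interbank transfer >= VND100 million,
    except automated Straight Through Processing between systems."""
    if straight_through:
        return False
    return interbank and amount_vnd >= MFA_THRESHOLD_VND


def is_multi_factor(verified_factors):
    """At least two *distinct* categories must have been verified."""
    return len(set(verified_factors)) >= 2


def hash_password(password, salt, iterations=200_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, stored_hash):
    # Knowledge factor; constant-time comparison avoids timing leaks.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (SHA-1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_seconds, step=TOTP_STEP_SECONDS):
    """RFC 6238: HOTP over the current time step."""
    return hotp(secret, at_seconds // step)


def verify_totp(secret, code, at_seconds, window=1):
    """Possession factor; tolerate +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at_seconds + d * TOTP_STEP_SECONDS), code)
        for d in range(-window, window + 1)
    )


def approve_transfer(amount_vnd, interbank, straight_through, verified_factors):
    """True if the transfer may be approved under the MFA rule."""
    if not requires_mfa(amount_vnd, interbank, straight_through):
        return True
    return is_multi_factor(verified_factors)


if __name__ == "__main__":
    # Constructed enrolment data: RFC 6238 reference secret and a fixed salt.
    secret = b"12345678901234567890"
    salt = b"constructed-salt"
    stored = hash_password("correct horse battery staple", salt)

    verified = []
    if verify_password("correct horse battery staple", salt, stored):
        verified.append(Factor.KNOWLEDGE)
    if verify_totp(secret, "287082", at_seconds=59):   # RFC 6238 test vector
        verified.append(Factor.POSSESSION)
    print(approve_transfer(150_000_000, True, False, verified))    # True
    print(approve_transfer(150_000_000, True, False, [Factor.KNOWLEDGE]))  # False
```

The `is_multi_factor` check is the part most often gotten wrong in practice: a password plus a security question are both knowledge factors and together satisfy neither the definition above nor the Circular's "at least two forms" requirement.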

4. Enhancing the management of information security incidents

Circular 09 carries over and upgrades certain regulations on the management of information security incidents from Circular 18. Requirements have been added as follows:

  • requires an annual rehearsal of the response to an information security incident for at least one of the information systems which is at level 3 or above. Where there is more than one such system, the annual rehearsal must alternate among them;
  • requires each relevant institution to establish a specialized body to manage the operation of the Network Security Operation Center, applicable to institutions which manage information systems at level 3 and above. The exceptions are foreign bank branches, intermediary payment service providers, non-bank credit institutions, microfinance institutions, people's credit funds at the grassroots level, credit information companies, asset management companies of Vietnamese credit institutions, and the National Banknote Printing Plant; and
  • introduces a new principle of cooperation and response in the event of information security incidents. For example, the network management board (established by the SBVN's Governor) is responsible to: (i) approve annual operation strategies for the network; (ii) operate the network; and (iii) evaluate results and report to the Director General of the SBVN.

Footnotes

1. Circular 09 came into effect on January 1, 2021. However, there is a transitional period for one of the requirements for multi-factor authentication. Approval of the final step of a financial transaction which involves an interbank electronic funds transfer of VND100 million or more is only required as from January 1, 2022. The Straight Through Process for inter-systems transactions is excluded as it is automatically authenticated.

2. Ngo Hai (2020), “Phan loai he thong thong tin trong hoat dong ngan hang theo 5 cap do”, Financial and Monetary Market Review, https://thitruongtaichinhtiente.vn/phan-loai-he-thong-thong-tin-trong-hoat-dong-ngan-hang-theo-5-cap-do-27846.html, accessed May 7, 2021.

3. Straight Through Process is an automated process done purely through electronic transfers with no manual intervention involved.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.