Azerbaijan's Central Bank to boost action against cyber threats
Digital shield for banks
In recent years, the banking sector of Azerbaijan has made great efforts to expand the infrastructure of non-cash payments, develop e-banking services, and today it is preparing for the mass application of FinTech solutions. Localisation of various global trends contributes to the maximum digitalisation of the operating environment in the country, which is certainly a positive goal, but at the same time poses certain risks for the financial sector due to tangibly increased cyber threats.
In order to ensure the stable operation of financial structures, implementation of effective mechanisms of control over the digital space, and prevention of network threats, the Central Bank of Azerbaijan (CBA) has approved the "Strategy of cybersecurity in financial markets for 2023-2026".
In most countries around the globe, the increase in the share of cashless payments during the coronavirus pandemic sparked cyber fraud activity, and many sectors of the economy were subjected to cyber attacks. This global backlash only intensified over the following three years with the digitalisation of the banking sector, the expansion of remote working, and the growth of online payments, primarily in e-commerce portals.
According to the international agency S&P Global Ratings, banks, payment systems, other financial structures and their customers are the most attractive targets for cybercriminals seeking access to valuable personal data and transaction mechanisms, and therefore institutions with weak risk management systems are particularly vulnerable to cyber attacks.
Financial institutions and their customers constantly face DDoS attacks and phishing emails. For example, cyber attacks on outdated two-factor authentication methods such as SMS have increased recently, as have threats against push notification-based multi-factor authentication systems.
At the same time, attacks to hijack authentication tokens are also on the rise, making it necessary to accelerate the migration of financial services users and organisations to passwordless and hardware-based identification tokens. The use of open-source libraries (software whose source code is freely distributed and available for modification) also remains a serious problem for financial market structures: up to 78% of the code in hardware and software bases is stored in publicly available information repositories, and the use of such software poses a serious threat to the corporate sector.
As cyber incidents in the financial and corporate sectors become more frequent and complex, and as malware, attack methods, and the nature of threats change rapidly, improving the quality of real-time cyber risk management systems and mitigating the consequences of incidents is becoming imperative for banks. Along with the use of more advanced tools, banks and financial regulators are increasing their coordination to form unified regulatory mechanisms and standards that strengthen the overall protection of the financial market network space.
Azerbaijan, where digital payments are gradually growing and electronic banking services are rapidly developing, is moving in the same direction. For example, the volume of card transactions within the country by the end of 2022 was $33 billion, an increase of 56%, including a 2.1-fold growth of non-cash transactions via bank cards.
Most of the non-cash transactions with payment cards came from e-commerce, which increased by 261 million transactions, or 2.4 times. At the beginning of this year, about 85% of the country's banks already provided services through mobile applications, and just under four-fifths of customers' digital transactions are done through e-banking. Transactions via mobile banking have also tripled.
But along with the benefits of digitalisation of the financial market, the banking and corporate sectors have felt the increasing pressure of cybercrime in recent years.
"This year, the Central Bank, together with international organisations, plans to start preparing a new strategy aimed at enhancing the digital transformation of the CBA and the entire financial sector," CBA chairman Taleh Kazimov said earlier this year.
He also stressed that in order to respond to various challenges and risks it is necessary to develop information technology in the banking sector and payment systems, and in this regard a strategy for cyber security in the financial sector is being developed together with the International Finance Corporation (IFC).
The result of this work was the development of the Strategy for Cybersecurity in Financial Markets for 2023-2026, which the CBA approved on May 12.
As noted in the document's preamble, the risks associated with information and cybersecurity of financial institutions have increased against the background of innovations introduced in the modern world in the digitalisation of financial markets and the expansion of the range and availability of financial services provided through online resources.
This is also observed in our country, and therefore the Central Bank is making every effort to increase cyber resilience and information security in the country's financial markets. In particular, the "Rules of information security management in banks", which established the minimum requirements for information security of Azerbaijani banks, have been in force since April 1, 2022.
The next step in this direction was the adoption of a new four-year strategy aimed at creating a sustainable cybersecurity environment in the financial markets and providing practical steps in five priority areas. For example, regulatory and supervisory structures for information and cybersecurity will be strengthened and the legal and regulatory framework will be modernised.
Priorities include strengthening cyber risk management culture; establishing appropriate industry structures to manage information technologies and strengthen cyber security; and implementing measures to boost cyber resilience and build a culture of information and cyber security in the financial market.
It should be noted that prompt resolution of cybersecurity tasks has become an urgent necessity today given the new strategy for the development of cashless payments that is being drafted. As part of this strategy, special attention will be paid to the introduction of blockchain technologies in the banking sector, the formation of new packages of legal acts, and the implementation of a new concept of payment systems.
In particular, in the near future the banking sector, payment systems, and other participants of the Azerbaijani financial market will start large-scale application of fintech solutions for the introduction of the OpenBanking platform in the country. The initiator of the draft law "On payment services and payment systems" is the Central Bank. The project is being developed with the support of specialists of the Association of Financial Technologies (AzFina) and is designed to ensure greater openness of the market for the participation of international vendors and financial and technical organizations (FinTech).
At the same time, specialists of the Central Bank and the British TheCityUK are preparing a draft OpenBanking road map to 2026 that envisages implementing plans to standardize banks' infrastructure and strengthen the legal framework. The process of forming the legal framework for OpenBanking is expected to start in 2023. Standards will be developed in accordance with the requirements of AISP and PISP, and mechanisms for their implementation will be formed.
The OpenBanking platform represents a catalogue of API solutions for the banking sector. It will make it possible to develop mobile applications for the country's banks based on user preferences, and will help attract new financial players and new start-up projects and services to the domestic market, which should contribute to accelerated development of the financial services market in the short term.
At the same time, the CBA will boost action to strengthen the level of protection of the country's financial market from cyber threats, and therefore the implementation of FinTech solutions and the strengthening of banks' network security will be promoted in parallel.