Introduction
Cyberattacks on banks have increased in scale, persistence, and
sophistication. There have been several bold violations of
information security, for example, leaks of customer information,
use of malicious code, and password cracking, all intended to
penetrate a bank’s information systems.
On October 21, 2020, the State Bank of Vietnam
(“SBVN”) issued Circular No.
09/2020/TT-NHNN (“Circular
09”)[1], which sets out minimum
requirements and conditions to heighten the security of the
information system used in banking operations. The minimum
requirements and conditions apply to credit institutions, branches
of foreign banks, intermediary payment service providers, credit
information companies, the National Payment Corporation of Vietnam
(“NAPAS”), Vietnam Asset Management
Company (“VAMC”), National Banknote
Printing Plant, and Deposit Insurance of Vietnam (collectively,
“institutions”), that establish and
use information systems to support their technical and professional
operations.
Circular 09 replaced Circular No. 18/2018/TT-NHNN
(“Circular 18”) on information systems
security in banking operations which, when it was promulgated in
2018, attempted to improve security. However, it was soon
determined to be inadequate.
Circular 09 has made significant changes in the existing
framework. The most important is the re-classification of
information systems. Re-classification was necessary in order to
deal with shortcomings in the practice of information technology in
credit institutions. The change in the framework has resulted in a
change in the management of information systems security. It has
changed awareness and has tightened compliance.
Circular 09 came into effect on January 1, 2021. However, there
is a transitional period for one of the requirements for
multi-factor authentication. Approval of the final step of a
financial transaction which involves an interbank electronic funds
transfer of VND100 million or more is only required as from January
1, 2022. The Straight Through Process for inter-systems
transactions is excluded as it is automatically
authenticated.
Below are four significant improvements.
1. Classification of information – Personal information
The previous Circular 18 included only 3 banking information
categories: public information, internal (private) information and
classified information. Stated differently, Circular 18 did not
provide specific management and protection of personal information.
Previously, personal information was referenced only in a
regulation regarding back-up requirements (ie, institutions which
owned both main and standby information systems which existed
outside of Vietnam had to store personal information and
transaction data belonging to their clients located
in Vietnam, in accordance only with general provisions of
Vietnamese law). Circular 09 now defines personal information as it
relates to banking. For these purposes, personal information is
defined to include:
- information related to a customer’s identification;
- account information;
- cash deposit information;
- asset deposit information;
- transaction information; and
- some other relevant information.
This is a huge advance, as personal information is a large part
of the banking system and it was a significant oversight to leave
it out of the mix. There were historical reasons, but they are no
longer relevant. Circular 09 now requires that an information
system that processes personal information must:
- satisfy certain key technical requirements. It must (a)
separate the development environment and the test environment; (b)
apply information security solutions; (c) not install tools to
develop applications; and (d) remove or de-activate unused
functions or software within the information system;
- limit and control the use of an administrator’s account
by: (a) setting up a mechanism to monitor and control the creation
of an account with administrative rights. This is important because
“administrative rights” mean the rights to manage the
system, by say, adding new content, restructuring the system,
banning users, etc. The purpose of this limitation and control is
to ensure that no personal or institutional account can access the
systems without proper approval; (b) having a method to monitor and
control use of the administrator’s account (this is important
because an administrator’s account has the right to manage
the system, say, to add new content, restructure the system, ban
users, etc.); (c) limiting the use of the administrator’s
account for a sufficient period of time to perform tasks and then
to revoke the right to use the administrator’s account
immediately after the authorized tasks have been completed [to
avoid potential abuse of the administrator’s account]; and
(d) using intermediate servers or a centralized management system
to make administrative connections;
- require the use of secured protocols and anti-automatic-login
methods;
- comply with information security testing and assessment prior
to operating;
- compile a list of information security incidents and have an
incident handling plan; the list and the plan must be updated at
least once every six months; and
- detect risks and threats of network attacks and information
security incidents and send a timely warning to the system
administrator.
Circular 09 also sets out controls for an institution that uses a
third party service to manage clients’ personal information.
The required tasks of such an institution are to:
- Identify and analyze each risk, and estimate the extent of
threat and damage to information security which each risk
poses;
- Define the institution’s and the system’s capacity
to control the institution’s operations, provide continuous
service for clients and provide information to regulatory
authorities;
- Define roles and responsibilities of each party to assure
service quality;
- Work out methods to minimize risk, prevent and address
incidents which do occur; and
- Review and amend risk management policies.
If an institution uses cloud computing services, the institution
must also meet the following four additional requirements:
- Classify activities expected to be performed on cloud computing
based on assessment of the impact of such activities on the
institution’s operations;
- Develop backup plans for components of the information systems
which are level 3 or above;
- Establish criteria to select a third party service which
satisfy Circular 09; and
- Review, amend and apply its information security methods, and
limit access through cloud computing to its information
systems.
Circular 09 specifies minimum conditions which must appear in
the service contract with a third party service provider. These
are the third party’s commitments to ensure information
security; specific provisions on the maximum allowable service
interruption and the time limit for troubleshooting; assurance of
continuous operation (on-site backup, data backup, disaster
recovery); processing requirements, calculation and storage
capacity, as well as actions to take when service quality fails;
and notification of regulatory violations on information security
committed by staff members of the third party providing the
service. The actions required may be performed by the service
provider or the institution, as agreed.
Circular 09 is comprehensive and offers greater protection. It
goes far to establish a proper legal framework to protect personal
information.
2. Classification of information systems
Information systems have classifications under Circular 09:
- Information systems which provide online services to customers
have special classifications under Government Decree No.
85/2016/ND-CP dated July 1, 2016.
- Other information systems are classified into five
levels (instead of the previous three levels) according to the
type of processed information involved and technical particulars.
The five levels are divided by function, by the type of information
the system processes and by the complexity of the work it is expected to
do. The five levels are:
- Level 1: an information system that services
the internal operation of the institution and only processes public
information. By “public information”, we mean
information that is publicly disclosed to any entity without the
need to identify or locate the entity;
- Level 3: an information system that satisfies
one of the following criteria: (i) it processes Vietnamese State
classified information at the Confidential level; (ii) it serves
the daily internal operations of an institution, and an interruption in
service, if it occurs, may not last more than four business hours;
(iii) it serves customers which require 24/7 operation without an
unplanned stop; (iv) it is a third party payment system to make
payments outside the institution’s system; or (v) it is a
shared information infrastructure system which serves the operation
of the particular institution and the banking system;
- Level 4: an information system that satisfies
one of the following requirements: (i) it processes Vietnamese
State classified information at the Secret level; (ii) it processes
and stores the data of more than 10 million customers; (iii) it
operates in the banking sector and requires 24/7 operation without
an unplanned stop; (iv) it is an important payment system in the
banking sector as defined by SBVN; or (v) it is a shared
information infrastructure system which services parts of the
banking sector and which requires 24/7 operation without an
unplanned stop; and
- Level 5: an information system that satisfies one of the
following three criteria: (i) it processes Vietnamese State classified
information at the Top Secret level; (ii) it operates in the banking
sector and serves the connection between Vietnam and the world; or
(iii) it is a national banking information infrastructure system which
serves the connection between Vietnam and the world.
- In case an information system includes several components
which are classified at different levels, the information system
will be classified as being in the highest level.
To repeat, this change from a 3-level to a 5-level information system
classification is designed to solve shortcomings in the treatment of information
technology in credit institutions. The 3-level information system
classification under Circular 18 was quite general and very broad. It
provided only 3 levels, as
follows: the Normal information system (Level 1), which serviced
internal information of the institution but could not process State
classified information; the Specially important information system
(Level 3), which, among other things, serviced e-Government,
required 24/7 operation and could not be stopped for longer than 4
working hours; and the so-called Important information system
(Level 2). A large number of information systems fell into level 2,
which was the largest category. This created challenges in investing
resources to secure the management of information
systems.[2] The five-level information system is
expected to be more effective and more tailored to specific needs.
The new arrangement is also expected to use resources more
effectively by decentralizing the classification of information
systems.
In short, the 5-level system is more specific and it is now
easier to classify the parts of the information system and to treat
them each appropriately.
3. Multi-factor authentication
In addition to creating a mechanism to ensure greater security,
there are now new authentication requirements. Circular 09 requires
a multi-factor authentication method, under which a user must provide
at least two forms of authentication to prove identity. From a
security standpoint, this is a significant step forward.
Authentication factors include:
- information known only to the user (PIN, password, etc.),
- items in the user’s possession (smart card, token, mobile
phones, etc.), and
- user’s biometric characteristics.
Multi-factor authentication is now required in the following
circumstances:
- To approve the final step of a financial transaction which
involves an interbank electronic funds transfer of VND100 million
or more (the Straight Through Process[3] for
inter-systems transactions is excluded as it is automatically
authenticated);
- To access the internal network of an institution in order to do
work; and
- To access servers, applications, and important networks and
network security equipment for information systems which are at
level 4 and above.
Multi-factor authentication has long been discussed but it was
not clearly prescribed. With an increase in the frequency and
seriousness of violations of information security, provisions
regarding multi-factor authentication have become mandatory.
Multi-factor authentication creates a strong layer of protection
and makes it difficult for an unauthorized person to penetrate a
target. If one authentication factor is compromised, attackers
still have to overcome at least one more barrier to successfully
enter the target. Among other objectives, multi-factor
authentication will reduce the leakage of log-in information
by an institution’s professional staff.
4. Enhancing the management of information security incidents
Circular 09 carries over and upgrades certain regulations on the
management of information security incidents from Circular 18.
Requirements have been added as follows:
- an annual rehearsal of responses to an information
security incident for at least one of the information systems which
is at level 3 or above. Where there is more than one information
system at level 3 or above, the annual rehearsal must be performed
alternately across those systems;
- a specialized body (established by each relevant institution)
to manage the operation of the Network Security Operation Center,
applicable to institutions which manage information systems from
level 3 and above. There are certain exceptions, which are foreign
bank branches, intermediary payment service providers, non-bank
credit institutions, microfinance institutions, people’s credit
funds at the grassroots level, credit information companies, asset
management companies of Vietnamese credit institutions, and the
National Banknote Printing Plant; and
- a new principle of cooperation and response in the event
of information security incidents. For example, the network
management board (established by the SBVN’s Governor) is
responsible to: (i) approve annual operation strategies for the
network; (ii) operate the network; and (iii) evaluate results and report
to the Director General of the SBVN.
Footnotes
1. Circular 09 came into effect on January 1, 2021.
However, there is a transitional period for one of the requirements
for multi-factor authentication. Approval of the final step of a
financial transaction which involves an interbank electronic funds
transfer of VND100 million or more is only required as from January
1, 2022. The Straight Through Process for inter-systems
transactions is excluded as it is automatically
authenticated.
2. Ngo Hai (2020), “Phan loai he thong thong
tin trong hoat dong ngan hang theo 5 cap do”, Financial and
Monetary Market Review,
https://thitruongtaichinhtiente.vn/phan-loai-he-thong-thong-tin-trong-hoat-dong-ngan-hang-theo-5-cap-do-27846.html,
accessed May 7, 2021.
3. Straight Through Process is an automated process
done purely through electronic transfers with no manual
intervention involved.