October 04, 2023

00:41:34

Episode 214 Deep Dive: Syed Ubaid Ali Jafri | Understanding the Banking Industry: Regulations, PCI DSS Compliance, and Additional Controls Against Breaches

KBKAST

Show Notes

Protecting customer data has become a critical priority for banking and financial institutions worldwide. With the ever-increasing threat landscape and the potentially devastating consequences of data breaches, organizations are taking significant steps to enhance their data security measures. In this episode, we dive deep into the world of banking compliance and cybersecurity regulations as Syed Ubaid Ali Jafri brings us his expertise as Head of Cyber Defense & Offensive Security at HBL, one of the leading banks in Pakistan. Ubaid shares insights on achieving Payment Card Industry Data Security Standard (PCI DSS) compliance, the challenges faced by banks in meeting these strict requirements, and the importance of trust and verification in the zero-trust model. We also explore the banking regulations in Pakistan, the measures taken to reduce the threat landscape and potential attacks, and the additional controls that have significantly reduced breaches.

Ubaid Jafri is a dynamic and talented motivational speaker renowned for his distinctive ability to seamlessly weave real-life experiences into captivating presentations. With over 12 years of experience in the commercial banking and risk management consultancy sectors, he has carved a niche as an expert in information security. His speaking engagements are not only entertaining but also deeply enriching, offering audiences practical insights into real-world work scenarios across diverse industries.

Ubaid Jafri’s professional journey encompasses leadership roles that define his expertise. Currently serving as the Head of Cyber Defense and Offensive Security at Habib Bank Limited, he previously held the position of Senior Manager Cyber Security & Forensic Technology at KPMG. His proficiency extends to Cyber Defense, Offensive Security, Red Teaming, Cyber Analytics, IoT, Digital Forensics, Incident Handling & Response, and various other crucial areas.

Ubaid Jafri’s impact on the cybersecurity landscape is marked by a series of achievements that demonstrate his tenacity and expertise. He has conducted numerous communication and cybersecurity intrusion assessments, as well as red-team penetration attacks, for a diverse array of organizations, including utilities, power companies, banking and financial institutions, and more. These proactive initiatives have consistently unearthed critical vulnerabilities, thwarting unauthorized access, system compromises, sensitive information disclosures, and control hijackings. His vigilant approach has significantly contributed to safeguarding organizations from the looming threat of massive cyber breaches.

Ubaid Jafri’s speaking engagements, fueled by engaging narratives, practical insights, and heroic anecdotes, position him as an exceptional motivational speaker. His mission is to empower audiences with the tools to navigate the digital era confidently, equipped with the knowledge to safeguard against evolving cybersecurity challenges.

Episode Transcript

[00:00:00] Speaker A: I accept that being an information security personnel, it's a responsibility of a guard who is sitting outside the door. It's a responsibility of a doctor who is saving the life of a patient. So it is one of our responsibilities to secure the customer data, the organization data, from potential data breaches.

[00:00:21] Speaker B: This is KBKast as a prime target.

[00:00:25] Speaker C: For ransomware campaigns, security and testing and.

[00:00:28] Speaker B: Performance risk and compliance.

[00:00:30] Speaker C: We can actually automate that, take that.

[00:00:32] Speaker B: Data and use it. Joining me today is Syed Ubaid Ali Jafri, Head of Cyber Defence and Offensive Security from Habib Bank Limited, also known as HBL. And today we're discussing how to manage banking regulations across multiple locations and countries. So, Jafri, thanks for joining and welcome.

[00:00:53] Speaker C: Thank you, Krista. Thank you, audience, for giving me this opportunity to attend this podcast.

[00:00:59] Speaker B: When we spoke before the show, well, weeks before the show, when we were coming up with the angle, we were talking about how many locations, countries, et cetera, are at HBL. So maybe what might be great to start with: you're headquartered in Pakistan, so maybe give a little bit of a lay of the land, so people have a bit more of an understanding of what's going on in your side of the world.

[00:01:22] Speaker C: That's really a great question, Chris. You know that banking regulation across all the world has consistency. And banking regulations in Pakistan are primarily governed by the State Bank of Pakistan, formerly known as SBP, which is the central bank of the country. The SBP sets the overall regulatory framework for banking and financial institutions in Pakistan.
Some key aspects of banking regulation in Pakistan include capital adequacy requirements, anti-money laundering requirements and counter-terrorism financing measures, consumer protection regulations and guidelines for risk management. Banks in Pakistan are required to adhere to these regulations to ensure the stability and integrity of the financial sector. The State Bank sets up the guidelines and a time frame for the banks to perform an assessment, because whenever an incident happens, it's not only for the country, it's for the whole world. So, recent incidents: we have seen various incidents across the countries and banking and financial institutions, like the Bangladesh Bank, where we saw that there was a massive money heist in which hackers managed to get the money. So the State Bank released the regulation to initiate the SWIFT and RTGS review. In that review, the State Bank governed all the banks to conduct their assessment, to perform an independent assessment from third-party auditors and to make sure that they are compliant, their data is encrypted, they are protected by various controls. So from time to time the State Bank gives the regulation and banks have to follow those regulations, because the central regulator is overseeing all the functions that are being handled globally across the countries. So it is not a matter of the single State Bank, it's a matter of the other governing bodies, like we have NESA in UAE, the Monetary Authority of Singapore in Singapore. So the State Bank is jointly working across all the countries in order to comply with certain cybersecurity requirements.

[00:03:38] Speaker B: So do you think, Jafri, that, I've obviously previously worked in banking myself, the regulation though in Pakistan seems pretty full on. Would you agree with that?

[00:03:50] Speaker C: Yes, 100% agree with that.

[00:03:53] Speaker A: Yeah.
[00:03:53] Speaker C: Because when you receive a regulatory requirement, you are intact with it and you know that when it comes to the regulator, you don't have any chance.

[00:04:02] Speaker A: You have a very strict timeline and.

[00:04:04] Speaker C: That deadline, RTD, and you have to meet that deadline, because when the regulator says you have to comply with that requirement within a year, that means you have to complete that requirement within that year. And if you don't complete that requirement within that year, the regulator comes with very heavy penalties, and that is very much impacting the reputation of the bank.

[00:04:27] Speaker B: Have you ever seen, in your experience, people not complying within the year? And then there's the penalty, et cetera. Have you ever seen anything like that happen in your experience of working across.

[00:04:34] Speaker A: Financial services across the country?

[00:04:37] Speaker C: Yes, I have seen various banks which are not compliant with the regulatory requirements due to legacy systems. They took time to implement such controls and security practices to improve their security posture. But in our bank we are managing these requirements and for the last ten years we haven't met any such failures.

[00:04:58] Speaker A: So this is one of the good.

[00:05:00] Speaker C: Things which we are actually following, because of the team and the size and the support of the management, which is the most important thing with respect to the perspective of compliance and assurance in terms of penalties.

[00:05:13] Speaker B: How hefty are we talking here? Do you have any numbers on that or any indicators?

[00:05:19] Speaker C: Yes, the indicators actually show that for banks, it depends upon the size of the bank what the penalty imposed on the bank will be. So if that is a local bank whose presence is not across various countries, the penalty may be less.
But if the bank has presence across the world, they must face a very huge penalty, maybe in millions of dollars.

[00:05:45] Speaker B: A million US dollars, do you mean?

[00:05:47] Speaker C: Yeah, exactly.

[00:05:49] Speaker B: Now, I'm not across it to the same level of fidelity that you are in terms of banking regulations in Pakistan. So why is it so intense though? Do you have any sort of insight? Now, I ask this because obviously HBL operates in different countries and different locations, which I want to get into in a little bit. But why are things pretty strict there?

[00:06:12] Speaker C: It's a very good question, and a tricky one as well. But HBL is actually a bank which achieved PCI DSS compliance around seven years back, and it's one of the banks which has achieved SWIFT compliance as well. So PCI DSS compliance, achieving that PCI DSS compliance itself is one of the big challenges for banking and financial institutions, because PCI has very strict requirements. It belongs to the Payment Card Industry Data Security Standard, which is an international standard and which actually checks, across various international vendors, whether you are completing the requirements or not. Banks in Pakistan, and in other countries, adopt additional controls beyond those twelve requirements. PCI has the main twelve requirements which every bank has to follow in order to secure the customer data and in order to secure the PII data, which contains credit card information, debit card information. So these controls actually need to ensure that banks have implemented sufficient security checks in order to protect their data from unauthentic compromise and evolving cyber threats. That needs to protect from sensitive information disclosure. As you are aware, there are cases where data got breached and customer information got leaked on the dark web.
So the bank is very much consistent about securing their customer data in order to build their customer trust.

[00:07:44] Speaker B: Okay, let's get into that now. Let's get into PCI DSS controls. So from my understanding, you have to comply with 30 controls. So the standard, as you mentioned, is twelve. So that's more than double that you have to comply with, is that what you're saying?

[00:07:57] Speaker C: Yes, exactly. We have actually twelve requirements of PCI in order to secure our data. So that requirement actually itself is one.

[00:08:06] Speaker A: Of the big challenges.

[00:08:07] Speaker C: What the PCI DSS requirement says is that you have to protect your cardholder data. Similarly, they also adhere that vendor-supplied systems, when we receive the vendor-supplied system, and every bank has vendor-supplied systems, should not contain any default vulnerabilities, and systems must be protected from default passwords. The cardholder data must be protected so that it is not readable by any intruder. If the card is captured by any intruder, it cannot be readable, and you.

[00:08:44] Speaker A: Have to maintain a vulnerability management program.

[00:08:47] Speaker C: In order to comply with the PCI DSS requirement.

[00:08:50] Speaker A: So what we did, we at HBL.

[00:08:53] Speaker C: Have very segmented teams there, and we have divided our teams into various segments. So the segments are governance, risk, vulnerability assessment and penetration testing teams, SOC, forensics, offensive and defensive security, and infrastructure.

[00:09:12] Speaker A: So there are various departments in which.

[00:09:14] Speaker C: All the teams are divided. So if you need to have a.

[00:09:18] Speaker A: Vulnerability management program, so you will go.

[00:09:20] Speaker C: To the vulnerability management team and they can help you in terms of assurance, in terms of follow-up, in terms of vulnerabilities which we are continuously assessing across all the entities.
Similarly, they also say to implement strong access control measures. So for implementing such access control measures, we.

[00:09:40] Speaker A: Have a dedicated department called LAMP, Logical.

[00:09:43] Speaker C: Access Management Control department, so that Logical Access Management Control department is specifically responsible for assigning the roles and responsibilities to every user ID and revoking those controls after the time has lapsed. So this is one of the key areas where we are protecting our data. Similarly, they also ask to regularly monitor and test the network. So monitoring and testing the network requires visibility 24/7, 365 days. So that is being monitored by our SOC team. And even in combination with the MSSP model, we are working with various vendors who are continuously working with us, and our teams are dedicatedly working to monitor the network for abnormal behaviour and anomalies. One of the most important, and the twelfth, area of PCI is to maintain the information security policy requirement. In order to maintain the information security policy requirement, we actually validate the requirements on a specific time period.

[00:10:51] Speaker A: And one of the key areas where.

[00:10:53] Speaker C: We are actually seriously focusing on is not to get non-compliance on certain controls. So we actually focus on those twelve areas, from firewall till security policy, regular monitoring, access control. And we continuously engage and try to help other stakeholders not to get non-compliance, because if you get non-compliance in terms of PCI, you get heavy fines and other consequences from banking and the State Bank as well.

[00:11:27] Speaker B: Okay, so let's go back just a step. So we talked about those 30 controls. So the twelve are your standard PCI DSS. So what are the other 18? What does that look like? Are these just additional controls enforced by your regulator, or what do those things look like?
[00:11:45] Speaker C: Yeah, there are various controls which are actually enforced by the regulator. What the regulator says is to reduce the threat landscape. And that is a very convincing statement. The regulator actually says that you need to reduce your threat landscape, you need to reduce your attack surface. And as we have seen various instances where many organisations got compromised because they did not have that visibility where the information got stolen: they had one domain or subdomain hosted on the Internet and they were unaware of that. There was some dummy data hosted on the Internet, they were unaware of that. After having seen such consequences and repercussions, the regulator has set up some additional requirements to reduce the threat landscape and attack surface. And banks in Pakistan are consistently working to reduce their attack surface.

[00:12:40] Speaker A: In order to have their visibility on.

[00:12:44] Speaker C: A specific and on a very key manner that they are actually focusing on some areas which are being targeted. If.

[00:12:52] Speaker A: As a bank I say that I.

[00:12:53] Speaker C: Am having 500 domains, so it's very difficult for me to manage and to monitor 500 domains. But if I say.

[00:13:01] Speaker A: That those 500 domains are being managed.

[00:13:04] Speaker C: By 50 special domains, so it is easy for me to reduce my attack.

[00:13:10] Speaker A: Surface and dedicatedly monitor those 50 domains.

[00:13:14] Speaker C: For any anomalous, abnormal behaviour or activity which is happening against my domains. So the regulator has set up such areas, and even.

[00:13:25] Speaker A: They are also focusing on to go.

[00:13:27] Speaker C: For zero trust. They are more focusing on just to go from legacy systems which are only working on the username-password.

[00:13:37] Speaker A: Model. They are not even following the.
[00:13:40] Speaker C: CAPTCHA requirements. Two-factor authentication is very far. There are various systems which are legacy systems that only work on the username-password model; they do not support even the CAPTCHA model. So the State Bank has also created an additional responsibility for the bank to update these legacy systems. You.

[00:14:04] Speaker A: Tell us the time, that how much.

[00:14:06] Speaker C: Time would you require to update that legacy system to an updated one. And.

[00:14:11] Speaker A: This is because in order to secure.

[00:14:14] Speaker C: Yourself, your country, from being hacked or.

[00:14:17] Speaker A: Breached on a global forum. So would.

[00:14:20] Speaker B: You say, because of those additional 18 controls, hypothetically, it's definitely reduced a lot of the breaches? So in Australia obviously we've got our own banking regulation, but going back to your 30 that are enforced from the PCI DSS point of view, would you say that's heavily reduced breaches in Pakistan? Because again, the standard is the twelve, right, which is a lot of work on its own, but there's obviously more to what you're saying. But then would you also say that it has reduced any potential breach because of those additional controls that are there? Which, yes, there's a lot more work, a lot more money, budget, time, et cetera, but then the outcome is there. Would you agree with that statement?

[00:15:05] Speaker C: Yes, I would agree with that statement.

[00:15:08] Speaker B: So then what can other countries learn from these additional 18 controls then? Like, are other countries, from your experience, starting to adopt the additional 18 controls, or what are your thoughts on that?

[00:15:20] Speaker C: Yes, they should adopt those additional 18 controls, because implementing the complete requirement would not suffice the purpose. Actually, you're right that PCI has twelve controls, and implementing those twelve controls would suffice the purpose.
[00:15:35] Speaker A: I must say no, because once you have an implementation of additional controls, then you will be in a position to ask yourself that, yes, we are in a state of security and we have implemented such controls which are prevalent and leveraging the security requirements. These controls are actually more focused on protecting the customer data. See, when we receive an attack from an intruder, that can be in the form of ransomware, a phishing attack, or any sort of attack which actually tries to exfiltrate data from your organisation. They are more interested in the data of customers, they are more interested in sensitive information, they are more interested in getting some financials out of it. So in order to protect the customer data, which I'm focusing on, that requires actually the local risk management, the risk assessment, and even those 18 controls specifically focus on what actually you are focusing on: cross-border coordination, how do you manage audit and monitoring, how your data is secured in the database, is your data masked, are your controls protected. So these are some additional controls which actually follow some important requirements. These controls not only specifically focus on the customer data, but they are also focusing on, if the data got breached, the data must not be useful for the intruder as well. If they try to accommodate themselves in exfiltrating data from your organisation, they would not be in a position to breach, to publish your breached data. So this is one of the important things: how you have managed the data-at-rest controls. I can understand that data in transit has various aspects, like you have implemented digital certificates, you have implemented network security, you have implemented various encryption protocols on the network in order to protect your data which is in transit. But the problem is when your data is at rest and is on cloud or on-prem.
So it is one of the big challenges for the organisation, how to protect that data. Encryption is one of the key areas. Data masking is another aspect of data security. So this is what we are actually focusing on, and what we have seen in the last five, six years. These five, six years, as you are already aware, COVID has gone through these five, six years, and there were massive data breaches which have gone through these five, six years. So I am just accumulating these five, six years in terms of banking and financial institutions, that what we have seen: implementing these controls would have cost, yes, but they are actually giving us the assurance of not having our data published over the dark web. This is what I mean to inform the various stakeholder organisations.

[00:18:37] Speaker B: Okay, so there's a lot of things in there. So let's go back to the data masking. Is that one of the controls of those 18?

[00:18:42] Speaker A: Yes, this is one of the controls of the 18.

[00:18:44] Speaker B: Got you. Okay, got you. Very interesting. So I literally had a discussion yesterday with someone about data masking, and the guy I interviewed was like, a lot of people that I speak to don't even know about data masking, what it's for, what it is. So then that leads me to our next point. Let's just focus on the 18, because the twelve are incumbent if you're a bank anyway, because it's part of PCI DSS. So let's focus on the 18, the additional controls that HBL has to enforce because of your banking regulation. Are there any other countries out there that you know of that are enforcing the additional 18 controls?

[00:19:24] Speaker A: Yes. For other countries, yes. I know that in UAE there is a requirement called NESA. This is the act which is being followed by the regulation. So that NESA regulation specifically is more like, it can be referred to other organisations depending on the context.
Like, it's called the National Electronic Security Authority, that is tasked with enhancing and enforcing UAE cybersecurity exposure, protecting critical information infrastructure and implementing cybersecurity standards and regulation. NESA is specifically contributing in the cybersecurity area as PCI DSS is. And they are more interested in assessing the vulnerabilities in the system, in protecting the customer data, in securing the cybersecurity posture of the organisation. So they are more focused on, when you are conducting the vulnerability assessment, what is the result of those vulnerability assessments, how you are protecting your public posture from external threats, how you are protecting your critical infrastructure from prevailing cyber threats. So these are some of the requirements which NESA is actually focused on. In addition to those NESA requirements, the Monetary Authority of Singapore: we have one presence in Singapore as well. So the Monetary Authority of Singapore is the Singapore central bank and financial regulator. It sets regulations and guidelines for the banking sector. It also focuses on data protection, which I already informed you. And it is more focused on technology risk management. So the regulation focuses on managing the technology risk management in order to ensure that cybersecurity in the financial industry is implemented properly. And they have set up the protocols when protecting your digital systems, your alternate delivery systems and including your cryptocurrency. It is one of the important areas which the Monetary Authority of Singapore is actually focusing on. And by enforcing these areas, they have also implemented the AML and KYC, if you know, your client and your customer regulation; it is the integrity which impacts the financial system. So they have very strict AML and KYC regulations to maintain the integrity of the system. So that's why we need to focus on various requirements from MAS, NESA and other regulatory bodies.
[00:21:53] Speaker B: Okay, so what are these 18 controls actually called? Because I guess the twelve of the PCI DSS, I just sort of bundled them up as additional requirements. But is there anything specific that those additional 18 are referred to, other than me calling them the 18 controls?

[00:22:08] Speaker A: So those 18 controls specifically come under the compliance check requirements, those 18 controls. If you want, I can just one by one, I can tell you quickly. So one of the controls is the cyber threat landscape reduction.

[00:22:24] Speaker B: How would someone come through and say you're compliant or not? That's such a sweeping statement.

[00:22:29] Speaker A: So this is one of the challenges. Yes, you are absolutely right about that. It's a very generic statement. That is why we have hired a lot of team members in various teams in order to comply with such requirements. We have dedicated POCs who are actually fulfilling those requirements of the regulator. Yes, we read the statement about trust and verification, but on trust and verification, on which areas they have mentioned some of the requirements in terms of trust and verification, it's not about the statement, it's about what we have implemented in our area. So if I tell you the statement, like cyber threat landscape, it's really a generic term, but if I go deep down and understand what the cyber threat landscape is, I can come up with various aspects: that I am covering my cyber threat landscape with this solution, I am covering my cybersecurity threat landscape with the SOC, I'm also reducing my cyber attack surface from various threat actors by enforcing various controls like EDR, DLP, SOC, LAMP, PAM. So there are various solutions with which we give an answer, and the answer is reviewed and thoroughly evaluated by the regulator.

[00:23:52] Speaker B: And this is still on the one, this is just one of the 18, okay?

[00:23:56] Speaker A: Yes, exactly.
[00:23:57] Speaker B: Okay. All right, let's keep going down the list. What's the second one?

[00:24:01] Speaker A: The second one is trust and verification. The trust and verification factor is specifically focused on the zero trust model. They say that there should be a mechanism whenever a user logs in to the system, either an employee or a customer: they need to sign in and give the proper verification. So honestly speaking, this is one fine control. And I must say that if your data got breached and if you have a second factor or third factor implemented in your system, like a message on your phone and an OTP on your email, you would be saved from various data breaches. So trust and verification on all the applications, like mobile banking, SMS banking, internet banking, web banking and other various banking like SWIFT, RTGS systems. So the trust and verification factor must be implemented in all the published applications, and the reason why the trust and verification sector is there is in order to reduce data breaches. So implementing two-factor and three-factor may help in protecting the customer and employee data from theft. The third and the most important area: third-party vendors. You know and you are aware that there are various systems of third parties implemented on the premises. So when we need to conduct troubleshooting, third-party vendors actually connect with our system and they troubleshoot our system. So again, that trust and verification system must come under that verification area, that how your third-party vendors are.

[00:25:41] Speaker C: Connecting with that system.

[00:25:42] Speaker A: You have mentioned that these are the legitimate users, these are the trusted users. But how are you actually managing that trust? You have given them one ID and password and one VPN connection. No, you have to make sure that these sessions are being monitored.
The incoming sessions which are being monitored, they are also controlled by certain accesses like multi-factor authentication requirements. So this is the second area which we are focusing on. So the LAMP team, the logical access team, is focusing on the second area, trust and verification.

[00:26:17] Speaker B: So can I just ask, how many people are in your security team at HBL?

[00:26:21] Speaker A: So at HBL, in head office, we have a team of 100 people who are actively working in various departments.

[00:26:27] Speaker B: It's not that many for all this stuff you've got to do.

[00:26:31] Speaker A: Yes, Chris. And even after understanding that, you can understand that getting the cybersecurity resource, onboarding that resource, is another challenge. You know that there are very few resources in cybersecurity. And out of 100, if two, three, five resources leave the organisation, it is very difficult for us to hire a good resource who has that much knowledge.

[00:26:53] Speaker B: Oh, absolutely. Like all these additional things, like, oh my God, this must take you like a full year just to get all this documentation ready for the audit.

[00:27:05] Speaker A: Yes, we are engaged the whole year. Once we receive an audit from EY, KPMG, Deloitte, the next auditor is waiting. Like, we have completed the internal audit, the statutory audit has started.

[00:27:19] Speaker B: So you've got auditors there daily in your office, by the sounds of it, yes.

[00:27:24] Speaker A: It's a very tough job and a complex job. But interestingly, I love my job and I'm very much consistent on what I am doing.

[00:27:34] Speaker B: Look, there's a lot of stuff going on. I'd love to go down that list. I'm obviously cognisant of your time, but I want to circle back now on the 19 countries I believe that HBL operates in. You've just illuminated to me the compliance check requirements. So again, for people listening, the additional 18 on top of the PCI DSS twelve.
But then you've got other regulations for other differing countries. How do you handle all of this? I mean, look, you've got auditors in your office every day, just in your own head office, let alone the other 19 places that are operating. So how do you wrap your head around that?

[00:28:12] Speaker A: Yes, what we have done, we have a well-structured approach to ensure compliance and operational efficacy. So what we did, we created the local compliance team, which is a dedicated compliance team in each country where we are operating. So these teams are actually experts in the local banking regulation; they are responsible for monitoring, interpreting and implementing local regulatory requirements. We have one team which is actually a centralised oversight team that is looking to all the local compliance teams of 19 countries and handling day-to-day compliance activity. They do conduct weekly meetings with all the 19 stakeholders. So weekly means on one day I am conducting a meeting with UAE, on the second day I'm conducting a meeting with Singapore, the third day I'm conducting with Maldives. So the centralised compliance and risk department is actually coordinating with different teams so that they are providing the oversight, guidance, coordination across all the regions where we are operating. The important area is regulatory intelligence, like changes in regulation in each country that may come, and definitely in a year, or biannually, the regulatory requirements, ad hoc requirements also come. Our stakeholders, local teams, inform us. So when they inform us, we have made a very good tracker and automated system, and that system actually prompts us that this requirement is about to come, this requirement is about to lapse. So the team is more focusing on ensuring whether that information is disseminated to local teams promptly or not.

[00:29:59] Speaker B: And then, so each of those local teams then roll up to your compliance team in Pakistan.
But then would you say that your compliance team locally have to be somewhat across what the other 19 countries are doing? I know they don't have to know all of the specific details, perhaps, but they've still got to have a bit of oversight. So when there is a change, your local team needs to be across that. Is that correct?

[00:30:24] Speaker C: Exactly.

[00:30:25] Speaker B: That's a lot of things to be across, don't you think?

[00:30:28] Speaker A: Yes, actually there are a lot of things which we are conducting. And in 19 countries, if you imagine that you are having either one or two resources in each, if you accommodate that, you are having around 38 people who are continuously working on 19 countries. So 38 people are consistently just sending you the requirements: we need that policy, how are we compliant with the vulnerability assessment program, please share this document, please share that document, please share the data protection document for how we are managing. So we are also updating our documents every year as per the requirement of PCI; we are also updating our policies, so we need to give them the updated policies.

[00:31:10] Speaker B: Oh, my gosh. So is it a fair assumption, and would you say that Pakistan and probably the UAE, now going along the NISA side of things, is the strictest in the world for banking regulations?

[00:31:23] Speaker A: Yes. It actually focuses on the area of customer data protection. They also ask to conduct a risk assessment of critical assets for the country, like financial stability, consumer data protection, and adherence to local laws as well. So NISA is also more focused on these areas.

[00:31:43] Speaker B: So would you say then, from your experience, again with operating in Pakistan, but also across the other 19 countries, you've got insight into how they are operating?
So should more countries like Australia, for example, be looking to Pakistan and the UAE to say, hey, we've got to get a standard to that level? Or do you have any sort of insight on that front?

[00:32:05] Speaker A: I don't know. Then Pakistan, because the Pakistan regulator is not only focusing on the cybersecurity area, they are also focusing on various areas like cross-border transactions, they are also focusing on anti-money laundering. They are also focusing on foreign account tax compliance, the FATCA Act. They are also focusing on Islamic banking regulations. So there are various aspects which the Pakistan regulation is working on that Australia is not specifically focusing on. So if they see how we are actually commencing those requirements in various areas, like foreign account tax compliance, anti-money laundering requirements, data leakage prevention requirements, Islamic banking requirements, they would come to understand how we are actually commencing those requirements in an accumulated time period.

[00:33:01] Speaker B: So if you had to pick, though, one country that has the strictest banking regulations, would you say it's Pakistan? Across the world?

[00:33:07] Speaker A: Not across the world, across various countries, I must say, because you know that I am handling the 19 requirements, 19 countries' requirements. And I have seen that in 19 countries, we see that we are compliant with the requirements. We receive the requirements from a stakeholder. But managing those requirements in Pakistan, with respect to State Bank regulatory requirements, it is one of the challenging tasks for us. And I must say that when I receive the requirement from a monetary authority, when I receive the requirement from the Maldives Monetary Authority, NISA, like the Monetary Authority of Singapore, the People's Bank of China, I am 100% assured that I am fulfilling their requirements.
But in terms of the State Bank, the State Bank auditors, when they come and conduct a surprise audit, their audit is very difficult and they ask very deep questions, like why are you using this solution? Why are you not using that solution? What is the justification you are providing? It is not a generic audit like, okay, you are using this solution, no issue, they have just marked the tick. They also drill down deep: why are you using this solution? What is the justification? Have you evaluated other solutions which are potential in the market, which are in Gartner's top ten, Forrester's top ten? And why have you chosen this solution? What is the reason behind that? So this is one of the requirements which we need to answer for them. We need to justify the things which we have implemented.

[00:34:38] Speaker B: So hang on. You said surprise audits. How often are these surprise audits happening?

[00:34:44] Speaker A: Biannually and annually by the regulator. They have the right to audit any bank. They just give us the time: we are just auditing the information security area, we are now coming to audit IT, we are coming to audit finance. So they have the right to conduct a surprise audit of the banking and financial institution. For that surprise audit, they actually inform us a day or two before the team is coming.

[00:35:11] Speaker B: Oh my gosh. So how do people respond when we're like, okay, we've got a surprise audit happening, everyone. We've got one or two days to make stuff compliant. Do people start scrambling or what? What's going on here? What's happening inside the office?

[00:35:25] Speaker A: People are more rude because they have more stress. They are working in a very high-pressure environment. So when you go there and ask for their requirement, the first answer is, I don't have that. Go to that person.

[00:35:39] Speaker C: He will give you the answer.

[00:35:40] Speaker B: And what does that person say? I don't have it either.
[00:35:43] Speaker A: Yeah, they have it. And they actually support. But even, Karissa, if we wear the shoes that they are wearing, we can understand how much pressure and how much stress they are actually facing to complete the requirements of the regulation.

[00:35:57] Speaker B: You're not wrong. I mean, look, we could have gone on for hours and hours and hours on this stuff because it's quite detailed, it's quite specific. So then would you say that Pakistan is then more strict in terms of Australian banking regulation?

[00:36:12] Speaker A: Because I have the justification as well.

[00:36:14] Speaker B: Why so many banks?

[00:36:16] Speaker A: There are small banks who give loans and facilities to the consumer. So that's why there are a lot of banks. Like Habib Bank is a very big bank. It has very many products, like credit cards, debit cards and various other products of Habib Bank. So there are many other banks, like microfinance banks. That is why the number is huge.

[00:36:36] Speaker B: Wow, that's crazy. So I think it's a fair assumption to say Pakistan has the strictest banking regulations in the world.

[00:36:43] Speaker A: Yeah. And even you can imagine that 46 banks are operating in Pakistan. Having said that, even after commencing the requirements of the regulator, the incidents in Pakistan, compared with the global region, were seen far away. You can see that in a year you will see that one or two or three incidents happen. But if you see the global landscape, incidents happen on a daily, weekly, monthly basis. So this is one of the reasons; if you can imagine, services in Pakistan also got interrupted, hacked, but the frequency is very low.

[00:37:20] Speaker B: So what you're saying is, yes, it's strict. Yes, it's stressful. Yes, we've got random auditors rolling up to our offices, these surprise audits that happen, but as a result you're getting fewer breaches, et cetera. Is that what you're saying?
[00:37:33] Speaker A: Yes, because being information security personnel, we are actually engaging ourselves in consistently working on completing the requirements and protecting the data of the bank and the customer. What I have seen in the last few years is that this actually works, this model actually works. Even I can understand that we are facing stress, we are facing disparities. We know that we are not giving time to our families, our families are not happy. Like we don't have weekends if an alert comes, if an incident comes. So we need to go back to the bank and handle that incident. So we are facing such requirements, but as a result we are actually protecting the bank and the country.

[00:38:22] Speaker B: Gosh, that sounds really full on. Well, this is why I wanted to bring you on, to give people listening to the show a bit of insight. Right? Like you are the first person that I've interviewed on the show that works for a bank in Pakistan. So we want to get awareness about what you guys are doing over there. People don't know these things and it's about getting insights, sharing what you know. There's a lot of stuff that you've gone through, like I said, it could have gone for hours, that other people aren't aware of.

[00:38:50] Speaker C: This is what I would like to say.

[00:38:52] Speaker A: Thank you to you because you have selected that topic. And mostly I have talked with various anchors and stakeholders. They usually don't talk about certain topics. This topic actually comes from the reality of what we are actually facing, and more or less what I have discussed in various conferences and seminars are the prevailing topics like artificial intelligence, and there are various topics, but you are actually talking about what I am having, what pain I am facing right now. This is something which you have just set up. So there are people who specifically focus on these areas.

[00:39:31] Speaker B: Why do you think that is?
[00:39:32] Speaker A: Maybe people usually don't like to discuss the country regulatory and their internal process requirements with others. Don't you think that's fair? But I...

[00:39:42] Speaker B: I think you're speaking more broadly and a bit more generally about things. Again, it's about maybe there's something that other people can learn at a high level from what you're doing, perhaps. So to me it's more about, the show is to give other industry specialists insight, as well as executives insights on, yes, what's happening in their own country, but also what's happening right around the world. Maybe there's something you said today that someone's like, okay, well, maybe that's something I've got to look into for what I'm doing with my job, and that's really what I'm trying to do with the show.

[00:40:08] Speaker A: I really appreciate that.

[00:40:10] Speaker B: So, Jafri, are there any sort of closing comments or final thoughts you'd like to leave our audience with today?

[00:40:16] Speaker A: I must say that organizations that handle card data and are required to adhere to PCI requirements need to reduce their attack surface, which I discussed earlier. If they reduce their attack surface... Even when I see any incident, the information security field is just like a doctor and a patient. When we lose our data, we feel that we have lost our patient's life. So this is something which I must say, and I accept that being information security personnel, it's the responsibility of a guard who is sitting outside the door. It's the responsibility of a doctor who is saving the life of a patient. So it is one of our responsibilities

[00:40:54] Speaker C: to secure the customer data, the organization

[00:40:57] Speaker A: data from potential data breaches. So I must say that once we reduce our attack landscape and threat landscape, we must actually be securing our data, our privacy, from massive data breaches.

[00:41:14] Speaker B: Thanks for tuning in.
For more industry-leading news and thought-provoking articles, visit KBI Media to get access today. This is KBKast, the voice of cyber.
