Amendments to the ETA and CCA to address hacking attacks in the pipeline

The Electronic Transactions Act, No. 19 of 2006 and the Computer Crime Act, No. 24 of 2007 are to be amended in due course to address attacks and threats to the financial sector including the banking industry, such as incidents of hacking.

Most recently, the Chairman of Litro Gas Lanka, Shalila Moonesinghe, who has since been sacked from the said position, was arrested and remanded in relation to an incident in which a bank in Taiwan was hacked and monies were transferred to accounts elsewhere, including to bank accounts in Sri Lanka.

The Finance Sector Computer Security Incident Response Team (FINCSIRT) added that the Central Bank of Sri Lanka was presently reviewing the current baseline security standards required of banks, with a view to regulating them further. The banking sector uses the Society for Worldwide Interbank Financial Telecommunication (SWIFT) platform and other platforms in common. Thus, banks must have the basic security configurations in place and follow certain security protocols and requirements. Security measures must be in place to defend against attacks of the kind mentioned above. Where they are not, they must be put in place, and the related controls must be built, followed up and followed through on by the banks. A similar case which previously took place involving Bangladesh and Sri Lanka also resulted from misconfiguration and a failure to follow security best practices. The FINCSIRT helps disseminate alerts pertaining to the matter to individual banks.

Sri Lanka, as a party to the Budapest Convention on Cybercrime, provides mutual assistance to other signatory countries in terms of the transfer of legal evidence. Manager – Information Security of FINCSIRT, Loshan Wickramasekara, said that Sri Lanka must adopt a risk-based model as opposed to addressing such attacks and threats in an ad hoc manner. “Sri Lankan banks follow these aspects. However, security requirements must be updated and be up to date. This is a continuous process and must be done continuously, on a daily basis,” he added.