The State Administration of Financial Supervision has reported multiple data security risk incidents and requires stronger network and data security management in third-party cooperation

On June 27, according to multiple media reports, the State Administration of Financial Supervision recently issued the "Notice on Strengthening Network and Data Security Management in Third-Party Cooperation" (hereinafter referred to as the "Notice") to local banking and insurance regulatory bureaus, banks, insurance companies, wealth management companies and other institutions. According to the "Notice", a number of security risk incidents have recently occurred at outsourcing service providers of some banking and insurance institutions. These incidents had a certain impact on the network and data security and business continuity of the affected institutions, and exposed prominent risk issues in how banking and insurance institutions manage outsourced services.

The "Notice" mainly reports two major risks

01 Enterprise WeChat service risk: reporting on enterprise WeChat cooperation is required

Incident: A WeChat agent provided enterprise WeChat-related services for several banks and archived the chat sessions between bank account managers and customers on a public cloud server rented by the service provider. The archived session data included sensitive personal information such as customer names, ID numbers, mobile phone numbers and bank account numbers. Without the consent of the banks, the service provider privately used more than 6 million archived session records belonging to several banks for its own model training and provided them to affiliated companies.

The "Notice" pointed out that the banks had not fulfilled their responsibility to protect customers' sensitive data, which triggered consumer rights complaints. The incident mainly exposed risks and problems in two areas: first, banking and insurance institutions have an unclear picture of their cooperation in digital ecosystem scenarios and lack overall management of it; second, banking and insurance institutions are unclear about how data security risks and responsibilities are identified and allocated in such cooperation.

The "Notice" requires: First, carry out a risk self-examination. In response to the issues above, banking and insurance institutions should conduct a comprehensive self-inspection to establish the baseline of network and data security risks in digital ecosystem cooperation, and carry out investigation and rectification. Data security requirements in contract agreements should be strengthened, and for violations of regulations or of the contract, the responsibility of the relevant outsourcing partner must be pursued. Until rectification of the identified problems is completed, the scope of cooperation may not be expanded.

Second, strengthen the overall management of technology risks. Digital ecosystem cooperation should be brought within the scope of outsourcing risk management of banking and insurance institutions, and overall management should be strengthened. Technology and data management departments should strengthen network and data security management of outsourcing cooperation, including risk assessment and incident handling.

Third, strengthen off-site outsourcing risk monitoring and supervisory reporting. Banking and insurance institutions should pay particular attention to off-site outsourcing that involves centralized processing of important data and sensitive personal information of customers, as well as outsourcing cooperation that involves entrusted processing of data classified as sensitive or above, and should strengthen risk monitoring of it. In accordance with Article 37 of the Measures for Risk Supervision of Information Technology Outsourcing of Banking and Insurance Institutions and Article 60 of the Measures for Data Security of Banking and Insurance Institutions, banking and insurance institutions are required to report their risk self-examination and rectification status and their enterprise WeChat cooperation situation to the State Administration of Financial Supervision or the local China Banking and Insurance Regulatory Bureau (sub-bureau). The China Banking and Insurance Regulatory Bureau shall submit a summary to the State Administration of Financial Supervision before July 20.

02 Risk of technology outsourcing: data must be deleted after outsourcing cooperation ends 

The "Notice" mainly reported five incidents involving a number of provincial rural credit associations, an insurance company and a data center hosting service provider, including:

Incident 1: In August 2022, the online banking system of 4 provincial associations, hosted at a service provider, was breached by criminals through unauthorized access vulnerabilities, and a large amount of customer information and account information was stolen.

Incident 2: An employee of a software development company responsible for releasing program launch packages had the password of his work mailbox stolen by hackers because he used a foreign mail proxy tool without permission. In May 2022, the hackers logged into the mailbox and downloaded part of its contents. After failing to extort the company, they sold the data on overseas websites in July. The data included part of the program source code and design documents of 2 information systems used by 34 banking financial institutions, as well as technically sensitive information such as database configuration files.

Incident 3: The customer service system of a data center hosting service provider had SQL injection and file upload vulnerabilities. In September 2021, hackers broke into the system and stole the information in its database, which was sold on overseas websites in January 2023 and included hundreds of records of personal information of employees of more than 70 banking and insurance institutions.

Incident 4: A life insurance company purchased and deployed a third-party software product, the "Baorong Third-Party Contracting Platform". During a network attack and defense exercise, it was found that a JS file of the front-end management page contained the administrator account and password in plain text. An attacker could use this account to bypass front-end verification, log in to the system directly and query all data, including sensitive personal information, posing a risk of sensitive data leakage.

Incident 5: In February 2023, an Internet domain name agent made an erroneous change without authorization, which caused a bank's Internet domain name resolution to fail and affected financial transactions for 68 minutes during the peak business period.

The "Notice" pointed out that: first, banking and insurance institutions are not properly performing their duties in supply chain security management; second, the emergency management mechanisms of banking and insurance institutions for outsourced services are not sound; third, the security management and technical protection capabilities of outsourcing service providers are seriously insufficient.

The State Administration of Financial Supervision stated that "banking and insurance institutions should strengthen their awareness, as the responsible party, that 'services can be outsourced but responsibility cannot', earnestly assume the main responsibility for data security, coordinate the management of technology risks, consolidate the security responsibilities of outsourcing service providers, and improve the overall level of prevention and control", and put forward three regulatory requirements:

First, earnestly fulfill the obligations of network and data security protection. Banking and insurance institutions should strengthen risk assessment and due diligence, increase monitoring of and accountability for violations, and strengthen supervision, management and on-site inspection of outsourcing service providers; after cooperation ends, systems must be taken offline and data deleted. Contract terms on network and data security requirements should be strengthened, security risk inspections during acceptance should be strictly implemented, and penalties for production security incidents should be imposed according to the contract.

Second, take targeted security protection measures. Banking and insurance institutions should provide data externally according to the principle of "business necessity, least privilege", and systems and data should preferably be deployed locally within the institution. Boundary protection and transmission protection should be strengthened, an isolating firewall should be established between the institution and outsourcing service providers, and data must not be transmitted through insecure channels such as instant messaging, network disks and Internet mailboxes. Institutions should inventory the data that outsourcing service providers have obtained and retained, including personal information, program source code, system documents and other internal technical materials; check for default account passwords, weak passwords, passwords that are not updated regularly and passwords stored in plain text; check systems and external products for vulnerabilities; and rectify the hidden problems found.

Third, establish and improve the emergency response mechanism. Banking and insurance institutions should incorporate emergency response to incidents in outsourcing cooperation scenarios into emergency plan management, incorporate complaints involving outsourcing service providers into complaint management measures, and require outsourcing service providers to report their own production security incidents and complaints as soon as possible, as well as security flaws and vulnerabilities discovered in their products or services. Banking and insurance institutions should report relevant risk events to the regulatory authorities in a timely manner and investigate and handle the related issues promptly.

Origin Security Advice

01 Practical thoughts 

Implement full-link sensitive data access auditing

When banking and insurance institutions purchase outsourced third-party technology services, they should pay attention to selecting products and service providers that can fully record sensitive data access for auditing: fully recording the data access path and the context of the sensitive data, dynamically constructing a flow trajectory composed of nodes such as business user, business application, API path, origin user, database account, access point, data location and sensitive data type, and presenting related information such as location, time and frequency. A supervision dashboard for sensitive data access can then be customized from the link nodes and context information to improve the efficiency of in-process supervision and post-event traceability.
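As an added illustration (not code from the original post or from any vendor product), the following models a full-link access record with the node fields listed above and derives the "frequency" view from constructed sample records; the node names, thresholds and sample values are assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AccessRecord:
    """One full-link record of a sensitive data access (all values constructed)."""
    business_user: str   # person operating the business application
    business_app: str    # application that issued the request
    api_path: str        # API path called
    origin_user: str     # identity propagated to the data layer
    db_account: str      # database account used for the query
    access_point: str    # client address / network location
    data_location: str   # schema.table touched
    sensitive_type: str  # e.g. id_number, phone, bank_account
    time: datetime

def flow_trajectory(rec: AccessRecord) -> str:
    """Render the flow trajectory as an ordered chain of nodes."""
    return " -> ".join([rec.business_user, rec.business_app, rec.api_path,
                        rec.origin_user, rec.db_account, rec.access_point,
                        rec.data_location, rec.sensitive_type])

def access_frequency(records, window_seconds: int) -> Counter:
    """Count accesses per (business_user, sensitive_type) inside the window
    that ends at the latest record: the 'frequency' dimension of the dashboard."""
    counts: Counter = Counter()
    if not records:
        return counts
    end = max(r.time for r in records)
    for r in records:
        if (end - r.time).total_seconds() <= window_seconds:
            counts[(r.business_user, r.sensitive_type)] += 1
    return counts

def flag_high_frequency(records, window_seconds: int, threshold: int):
    """Return (user, sensitive_type) pairs whose count exceeds the threshold."""
    return sorted(k for k, n in access_frequency(records, window_seconds).items()
                  if n > threshold)

# Constructed sample: one normal lookup by an account manager, and a
# service-provider account exporting ID numbers in bulk within two minutes.
BASE = datetime(2023, 6, 1, 9, 0, 0)
SAMPLE = [AccessRecord("mgr_zhang", "crm-web", "/api/customer/profile", "mgr_zhang",
                       "crm_app", "10.1.2.3", "crm.customer", "phone",
                       BASE + timedelta(minutes=1))]
SAMPLE += [AccessRecord("vendor_svc", "session-archiver", "/api/session/export",
                        "svc_archiver", "crm_ro", "203.0.113.7", "crm.customer",
                        "id_number", BASE + timedelta(seconds=10 * i))
           for i in range(12)]
```

With a one-hour window and a threshold of 5, only the bulk export by the service-provider account is flagged, which is the kind of pattern the incident in section 01 would have produced.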

Establish a flexible least-privilege control mechanism

When banking and insurance institutions provide data externally and inventory the data that outsourcing service providers have obtained and retained, they should choose integrated products and services that support functions such as data access control, data self-service authorization, dynamic data desensitization, data flow tracking and data security auditing. For example, access control policies can be configured and enforced to allow, deny or warn on access by specific users to specific data sets; the configuration of access rights can be automated, so that approval or a signed commitment itself constitutes authorization. In addition, desensitization algorithms and combinations of desensitization rules can be configured per application scenario, data delivery strategies can be configured for different conditions, and sensitive data displayed on the application front end can be dynamically desensitized without changing the business system.
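As an added example (not from the original post or any vendor product), the following combines an allow/deny/warn access policy with dynamic desensitization of the sensitive field types named earlier in the article (name, ID number, phone number, bank account); the roles, policy table and masking rules are assumptions for illustration.

```python
from typing import Dict, List, Set, Tuple

# Masking rules per sensitive field type (constructed; in practice these are
# configured per business scenario as the text describes).
def mask_name(v: str) -> str:
    return v[0] + "*" * (len(v) - 1) if v else v

def mask_id_number(v: str) -> str:      # keep first 6 and last 4 characters
    return v[:6] + "*" * (len(v) - 10) + v[-4:] if len(v) > 10 else "*" * len(v)

def mask_phone(v: str) -> str:          # keep first 3 and last 4 digits
    return v[:3] + "****" + v[-4:] if len(v) == 11 else "*" * len(v)

def mask_bank_account(v: str) -> str:   # keep only the last 4 digits
    return "*" * (len(v) - 4) + v[-4:] if len(v) > 4 else "*" * len(v)

MASKERS = {"name": mask_name, "id_number": mask_id_number,
           "phone": mask_phone, "bank_account": mask_bank_account}

# Access policy: (role, dataset) -> decision and the fields that may stay in
# clear text. Any (role, dataset) not listed is denied (least privilege).
POLICY: Dict[Tuple[str, str], Tuple[str, Set[str]]] = {
    ("account_manager", "customer"): ("allow", {"name", "phone"}),
    ("outsourced_support", "customer"): ("warn", set()),  # fully masked, access flagged
}

def evaluate(role: str, dataset: str, rows: List[dict]) -> Tuple[str, List[dict]]:
    """Return the policy decision and the rows exactly as the caller may see them."""
    decision, clear = POLICY.get((role, dataset), ("deny", set()))
    if decision == "deny":
        return decision, []          # nothing is delivered on deny
    out = []
    for row in rows:
        masked = {}
        for field, value in row.items():
            masker = MASKERS.get(field)
            # Non-sensitive fields and explicitly cleared fields pass through unchanged
            masked[field] = value if (masker is None or field in clear) else masker(value)
        out.append(masked)
    return decision, out

# Constructed sample row (fictitious values)
SAMPLE_ROWS = [{"name": "张三", "id_number": "110101199001011234",
                "phone": "13800138000", "bank_account": "6222021234567890123"}]
```

A "warn" decision delivers only masked values and is meant to be written to the audit trail, while an unlisted role such as a vendor developer receives nothing at all.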

Adopt data security strategy integrated architecture

Traditional data security products are often single-point capabilities, and in a solution built from several products the data security policy is split into separate policies configured on different products, such as access control policies in a database firewall and desensitization policies in a data masking product. Banking and insurance institutions should pay attention to selecting products that can integrate these security policies into a unified data security policy, and achieve unified security management and control of different data sources by configuring unified data collection, data delivery and data access policies, so as to reduce the scope of data security risk.

02 Key measures

Improve data security management capabilities in multi-tenant mode

It is recommended that financial institutions empower outsourcing service providers through data security management capabilities delivered in multi-tenant mode. Outsourcing service providers seldom have the professional security capabilities needed to keep the cooperation continuously compliant with security requirements, and building these themselves not only raises the cost of the cooperation but also fails to achieve the expected compliance effect in the short term. By adopting a cloud-native, multi-tenant integrated data security platform and opening a tenant environment for each outsourcing service provider, the threshold for providers to obtain security product capabilities is lowered. Combined with cloud hosting services provided by security vendors, the threshold for providers to obtain security operation and maintenance capabilities is lowered further. Most importantly, the tenant environment naturally preserves the separation of security management responsibilities, while the hosting service lets outsourcing partners quickly reach the level of data security assurance that compliance requires.

Adopt a more holistic data security management platform

It is recommended that financial institutions use an integrated data security management platform to fulfill their obligation to supervise outsourced service providers. By aggregating audit data from outsourced service providers, an integrated data security platform can coordinate the technical protection measures covering sensitive data discovery, identification, protection and supervision, and can uniformly analyze potential sensitive data leakage risks and risks of data theft and abuse.

Improve outsourcing cooperation framework agreement

The State Administration of Financial Supervision has put forward clear responsibility requirements for banking and insurance institutions, requiring financial institutions to assume the main responsibility for data security, coordinate the management of technology risks, and tighten the security responsibilities of outsourcing service providers so as to ensure that entrusted data is encrypted or desensitized and that the entrusted party's data collection and processing behavior is audited, but it has not put forward clear responsibility requirements for outsourced service providers themselves. Financial institutions and outsourced technology service providers therefore need to clarify the boundaries of rights and responsibilities in the cooperation framework agreement. For example, the outsourcing service provider should be responsible for reporting the complete inventory of data assets entrusted to it by the financial institution, and for ensuring the correct deployment and stable operation of monitoring probes and security controllers.

Source: https://blog.csdn.net/oripoint/article/details/131441951