2026-02-16 | CRMD Circular Letter No. 01

Cyber Shield: Cyber Resilience Strategy for SBP Regulated Entities (2025-2030)

This strategy establishes a comprehensive framework to strengthen the cyber resilience of State Bank of Pakistan-regulated entities against increasingly sophisticated and systemic digital threats. It mandates a risk-based approach across five core priorities: strengthening defenses, maturing governance, enhancing industry-wide collaboration, developing specialized cyber workforce, and evolving strategies to meet external trends. Key actionable measures include the adoption of Zero Trust Architecture, establishing a Financial Sector Computer Emergency Response Team (FinCERT), and formalizing standardized incident reporting and cyber-testing frameworks.

Pakistan

State Bank of Pakistan

Chapter 1: Context

1.1 Introduction

In today’s hyper-connected global economy, digital transformation presents both unprecedented opportunities and complex risks. Across the financial system, advanced technologies—artificial intelligence, cloud computing, blockchain, and real-time payments—are redefining how economies operate and how people interact with money. This evolution is unfolding rapidly in both emerging and advanced markets, driven by customer demand for faster, more secure, and more inclusive financial services.

Pakistan’s banking sector, as a cornerstone of economic growth and financial stability, is engaged in this global transformation. Policy and infrastructure advancements, including instant payment systems, digital onboarding, and branchless banking, have enabled strong digital adoption in recent years. The COVID-19 pandemic acted as a catalyst, accelerating technology-led operations that have since become embedded as the new normal, positioning Pakistan’s banking ecosystem firmly within the interconnected, technology-dependent global economy.

This transformation, however, has amplified systemic risks. The sector’s growing reliance on technology means that a single major disruption—whether from operational failure or a coordinated cyber-attack—could trigger cascading effects, eroding stability and public trust. The expanding digital footprint has also made banks a more attractive target for sophisticated cyber threat actors, many operating across borders. Yet, the speed of digitalization has outpaced the maturity of cybersecurity controls. The ready availability of cyber-attack tools and capabilities has lowered the barrier for malicious actors, contributing to a marked increase in both the volume and sophistication of cyber-attacks against financial institutions.

Safeguarding resilience in this environment demands that cybersecurity and operational risk management evolve in tandem with digital growth. This requires coordinated regulatory frameworks, participation in threat intelligence sharing, and sustained investment in cybersecurity capabilities—priorities emphasized by leading international standard-setting bodies as essential to protecting financial stability while enabling innovation. Accordingly, the purpose of this cyber resilience strategy is to ensure a comprehensive, holistic, and integrated approach that enables regulated entities to continuously adapt and respond to the constantly evolving cyber threat landscape, to enhance their ability to protect systems from cyber-attacks, and to resume business operations quickly in the event of a successful cyber-attack.

1.1 Threat Landscape

The complexity of the cyber threat landscape has been constantly evolving over the last couple of years. The changes in the cyber threat landscape entail enhanced capabilities among threat actors or the interest of new threat actors in the regulated entities. In addition to the traditional website defacement and Denial of Service (DoS) attacks, there has been an increase in the number of Advanced Persistent Threat (APT) and ransomware attacks, which require some degree of technical capability. The use of zero-day malware to carry out cyber-attacks has also intensified. Further, the propensity to exploit digital banking applications and services for financial reward has also grown.

Data security is another vital concern for regulated entities, as there have been threat intelligence reports regarding the availability of payment card data and user credentials of various regulated entities on the dark web.

Another important shift noted globally and domestically is the inclination of threat actors to target the suppliers/vendors of financial institutions as an easy means to achieve their objectives, i.e. to cause harm to the financial institutions. Notable global and domestic software and other technology providers have been successfully targeted by threat actors, which highlights the importance of the cybersecurity posture of the third parties providing services to the regulated entities.

There has been an increase in state-sponsored cyber offensive activities, where nation-state-backed threat actors have been the source of aggressive cyber-attacks around the globe, using cyber operations for financial gain or to promote their own national interest. Considering the geopolitical circumstances, the cyber threats from nation states and state-sponsored groups remain critical. With some of the adversary nations increasing their cyber offensive capabilities, there is potential for an increase in sophisticated cyber-attacks targeting systemic components of key national infrastructure.

Globally, financial institutions and governments are also seeing a rise in the number and complexity of ransomware attacks. Trends include larger ransom payment demands and multifaceted attack tactics.

1.2 Challenges

Cyber risks have significantly increased with rapid digitalization in the banking sector; however, the understanding of these risks and the maturity of cyber defense capabilities have not advanced at the same pace, which has created a vulnerable cybersecurity posture. Considering the rapidly evolving threat landscape, it is vital for the regulated entities to improve their cyber defense capabilities. Several challenges need to be addressed to considerably improve the cybersecurity posture of regulated entities.

Cybersecurity governance needs to be improved at all levels. The boards and senior management of the regulated entities must have a clear understanding of their cyber risk posture in order to take measures, including investment in cyber defense, to enhance cyber defense capabilities. Timely replacement/upgrade of systems and technologies is also challenging for some of the regulated entities, which significantly increases the attack surface of these entities.

The trend of, and response to, cyber-attacks in the recent past have revealed the need for improvement in the cyber incident detection and response capabilities of the regulated entities. Hence, there is a need to significantly enhance incident detection and response capabilities on a priority basis. Further, collaboration among all stakeholders is a prerequisite for quality cyber defense of any sector; however, the regulated entities need to improve collaboration on the subject, including sharing of threat information, collaborative response, cyber workforce development, etc.

The cyber workforce is the most sought-after globally. The situation is more grave domestically. Not only is there a scarcity of cyber workforce, but the quality and required skills are also not available.

The regulated entities rely heavily on third-party service providers for a wide range of technology-related functions, including cybersecurity-related responsibilities. These encompass not only the procurement of software and hardware solutions but also the outsourcing and insourcing of critical services such as security operations, incident response, and digital forensics. Given that these entities fall outside the direct regulatory purview of SBP, ensuring their adherence to robust cybersecurity standards presents a persistent challenge. This risk is further heightened in the case of international vendors, where oversight complexities and jurisdictional limitations can further impede effective governance and risk management. Owing to the limited domestic capacity of Information Technology (IT) firms capable of delivering the specialized products and services demanded by the regulated entities, a substantial portion of these third-party providers operate from foreign jurisdictions—amplifying both the dependency risk and the need for enhanced due diligence mechanisms.

Chapter 2: Strategic Direction

2.1 Vision

To ensure safe, reliable, and resilient financial services by strengthening cyber resilience of regulated entities against evolving cyber threats.

2.2 Mission

To enhance the safety, efficiency, and stability of regulated entities through strong cybersecurity capabilities, shared knowledge, and comprehensive supervision.

2.3 Approach

  1. Awareness: Identifying system wide cyber resilience concerns.
  2. Improve & Collaborate: Improve cyber defenses; Collaborate to resolve identified concerns.
  3. Resilient: Regulated entities become more Cyber Resilient.

2.4 Strategic Principles

This strategy defines four principles of action to deliver the vision: Unified Defense, Holistic, Agile and Adaptive, and People Centric.

Chapter 3: Strategic Priorities

3.1 Strengthen

Objective: Develop and implement measures to strengthen cyber resilience of regulated entities.

  • Actions: Develop cyber-testing framework; update cybersecurity regulations with tiered rigor; develop maturity assessment; enhance disaster recovery for cyber scenarios; roadmap for Zero Trust Architecture.

3.2 Mature

Objective: Mature Cybersecurity Governance of the Regulated Entities.

  • Actions: Strengthen governance expectations regarding CISO and CIO/CTO roles; enhance board-level cyber risk understanding.

3.3 Enhance

Objective: Enhance Collaborations and Partnerships.

  • Actions: Implement threat intelligence and information sharing platform; standardized IT/cyber incident reporting; multi-year cyber exercising program; establish FinCERT.

3.4 Develop

Objective: Develop Cyber Workforce.

  • Actions: Survey to quantify cyber skills gap; develop competency roadmap and training program.

3.5 Evolve

Objective: Evolve the Cybersecurity Strategy and Programs.

  • Actions: Establish regular strategy reviews; assess futureproofing for emerging tech; strengthen third-party risk management; develop annual cyber threat landscape report.