Page 52 - CMA Journal (July-August 2025)
P. 52
Focus Section
Table 4: Major Cybersecurity Incidents in Pakistan’s Financial & Fintech Sector
n
o
# Institution / Sector Date Incident Details & Immpact
o
1 Multiple Banks / Oct Coordinated Information of ~20000 debiit/credit cards oof 22 banks (HBL, UBL
L
T
Paymment Cards 2018 ATM & payment and BankIslaami) was exposeed to the dark web. There were
e
network breach fraudulent AATM withdrawals to the value of ~PKR 26 million
b
which resulted in the temporary blocking of international
10
transactionss.
2 Natioonal Bank of Oct Malware attack ATM and online banking sysstems went offline due to boott-
s
Pakistan (NBP) 2021 disrupting sequence corruption. No confirmed data loss but critical
11
seervices disruption accross national bbanking operatioons was reporteed.
3 Securities & Aug Regulatory Personal sennsitive informatiion of directors of the companies
e
a
Exchange 2022 database breach (CNICs address emails) were leaked. Claims of an internal cover-
e
12
Commmission of up led to thee demand of an independent innvestigation.
Pakistan (SECP)
s
4 Natioonal Jun Cyyber breach of Data centerss in Karachi and Islamabad weree compromisedd
h
Institutional 2023 cheque clearing forcing a switch to manual ccheque clearing. This caused
t
13
y
Facilitation system significant n nationwide delayys and disruptioons across all baanks.
Technologies (NIFTT)
5 BankkIslami Pakistann 2022 Frraudulent Hackers stolee USD 6 million through frauduulent SWIFT
W
& Meezan Bank -23 SWIFT transfer & transactions at BankIslami and Meezan Bank customers
e
phishing scams targeted by SMS phishing c campaigns leading to widespreaad
h
14
credential thheft.
6 PKCEERT / National May Global credential Around 184 million credentials (emails logins passwords) were
l
s
Advisory 2025 breach exposed gloobally including Pakistani banking governmentt and
r
technology u users PKCERT is ssued urgent advisories for passsword
.15
resets and sttronger securityy practices
Source: Author
Case Studies: Where the System Broke institutions highly attractive targets for hackers.9 The
tension between financial technology and security in
A study conducted by Kaspersky reported a 114%
Pakistan is increasingly evident in several reported cases.
increase in banking and financial malware attacks over
the previous year, targeting digital financial activity and Regulatory Readiness: Is Policy Catching Up?
compromising both personal and organizational
With the advent of the fintech industry in Pakistan,
security. One of the trends that appears particularly
characterized by high levels of digitization, the regulatory
threatening is the increased rate of cyberattacks on
environment has struggled to keep pace with dynamic
smartphones, which is likely to remain the focus of
threats. Despite the numerous cybersecurity guidelines
financial crimes through 2025.8 The PwC survey also
issued over the past few years, workarounds are still
confirmed the susceptibility of the Pakistani financial
necessary for implementation, inter-agency cooperation,
industry.
and readiness for new risks, such as AI-based fraud,
Ransomware, phishing, and Distributed Denial of Service deepfakes, and cross-border internet crime.
(DDoS) attacks have become primary threats to many
Cybersecurity oversight continues to be organically
banks, which are often challenged by conventional
dispersed across various organizations, including the
defenses. The rapid increase in mobile banking and
State Bank of Pakistan (SBP), Securities and Exchange
online payments has significantly increased the amount
Commission of Pakistan (SECP), Pakistan
of sensitive data circulating online, making financial
Telecommunication Authority (PTA), and the Ministry of
IT & Telecommunication (MoITT).
Table 5: Regulatory Landscape
Even though these regulators have
Regulator Regula on/Framework Key Focus
announced frameworks specific to
SBP EFT Regula ons, Cybersecurity Guidelines Payments, Banks, DFSPs
their industrial environments, such
SBP Digital Banks Framework (2022) Digital-only banks
as the Cybersecurity Framework for
SECP Cybersecurity Framework for NBFCs Fintechs, E-wallets
Banks (2020) or the SECP Guidelines
SECP Cloud Guidelines (2023) Data sovereignty, Cloud risk
for NBFCs (2021), the absence of a
MoITT Personal Data Protec on Bill Data privacy, User rights
uniform cybersecurity regulation
PTA Telecom Cybersecurity Framework Mobile wallets/infra
nonetheless leaves fintechs
GoP Na onal Cybersecurity Policy (2021) Cri cal financial infrastructure
operating in regulatory gray zones.
Source: Author
50 ICMA’s Chartered Management Accountant, Jul-Aug 2025
