Banks Should Look At Blockchain With Security Lens: EY

by Priyanka Pugaokar    Mar 24, 2017

kartik

There is a lot of buzz around the blockchain technology in India, particularly in the banking sector. All the major banks are testing the technology to enable secure remittances by cutting down the cost. Though blockchain as a concept is at an early stage of adoption, industry experts believe that the financial sector will adopt the technology in a big way as it promises huge cost benefits. Given its rapid emergence over the past few years, the BFSI sector needs to look at protective measures for implementing blockchain and promote an enforcement which supports innovation.

In an exclusive interaction with CXOToday, Kartik Shinde, Partner – Cyber Security, Financial Services, EY, shares his thoughts on the rising adoption of blockchain in the Indian banking sector. He  also sheds light on the cyber security landscape in the BFSI sector post demonetization and emphasizes on the need for an unified policy guideline to tackle the cybercrime menace.

CXOToday: What is the impact of demonetization on the banking and financial sector in India?

If you look at the digital payment landscape before  demonetization, there were a very few digital wallet platforms that were available in the market and people were struggling to  make payments through e-wallets such as Paytm.

The introduction of UPI integration and BHIM app by the government and banks alike has given a much needed push to online transactions. At a time when these digital wallets are growing in the country, there are many fake apps that have started popping up in the market. It is difficult for the end users to judge the authenticity of such applications which have led to a lot of fraud incidents being reported in the past. During such times, cyber criminals used many fraudulent methods and applications to siphon off the money from end-customers.

Today, the  situation has improved considerably with banks and financial institutions laying a stronger emphasis on   the security of digital and ATM transactions. RBI has come up with a focused circular around cyber security which is mandated for all the banks in the country.

CXOToday: Where does the preparedness of banks stand after the massive debit and credit card breach in 2016 and the recent discovery of flaws in the government backed digital payment apps?

The RBI has come up with a strong set of guidelines for the banks on cyber security compliance. There is a lot of action happening around the Aadhaar KVC integration. It has been mandated to all the institutions which use the Aadhaar infrastructure through mobile apps or any other digital platform, to test or validate the entire integration of their applications with Aadhaar and submit a report before March 31, 2017.

The government recently tested the flaws in the BHIM app through a third party. I think, there should be a greater focus on the security aspect before rolling out such apps to the masses. There cannot be a 100 per cent security assurance but basic checks should be validated. When organizations run the critical business application testing, they should do it with two service providers to ensure a double check on the security measures.

CXOToday: Banks are embracing blockchain for seamless and secure remittances in a big way. What is your opinion on the increasing adoption of the technology?

Blockchain has evolved into the whole Bitcoin space. As a technology, it looks very secure as there is a distributed database, distributed ledger and appropriate control around encryptions. In essence, the concept is secure and robust, but it’s the implementation that will really test the game. How the blockchain is implemented and how secure it would be, will differ from organization to organization.

Many banks are doing pilot projects around the blockchain and they are taking initiatives for its implementation. In my opinion, banks should look at this new technology implementation with a strong security lens because even when the technology seems foolproof it can fail when implemented along with other interfacing technologies.

CXOToday: The government recently announced the formation of CERT-Fin for the financial sector. Do you think sectorial CERTs will efficiently address industry specific cyber threats?

No, I don’t think so. There are already too many agencies which exist in the country such as CERT-In, NCIPC, IDRBT etc., which have come up with their individual circulars around security regulations. We have too many bodies that are mandating different things. However, we need to come up with one unified guiding document. Sectorial CERT will be successful only when it is tailored for a particular industry.

Today, if you ask banks who they report to in case of a data breach incident they would not have a clear idea! Policy makers need to structure the cybercrime reporting mechanism in the country. So in my opinion, having different CERTs may not be a good idea and CERT-In itself needs to scale up in various sectors. However, if the CERT-Fin succeeds, the government may think about the concept of sectorial CERTs.

CXOToday: The information sharing is always a challenge in India? How are regulators working on the prompt disclosure of data breach incidents?

The sharing of knowledge and information between the participants and agencies is not happening in the most optimal way in India. The RBI has come up with a mandate to report the data breach incident within a specific time window. But what constitutes an incident is not clearly defined and that needs to be detailed out.

CXOToday: According to you, how is outsourcing of the security architectures to the third party service providers viable for enterprises?

In my opinion, it is not a good idea in any way. Completely outsourcing security infrastructure to a third party is not a wrong move, but then enterprises will need to govern that model very tightly with strong SLAs in place. A lot of time and resources slips away in such processes. While a lot of organizations are outsourcing critical functions to these third parties they need to ensure that they get the best value out of that relationship.

CXOToday: What kind of consultancy and services EY offers to Corporates and financial institutions?

 

We offer a complete suite of end to end security solutions, right from doing an organization’s strategy mapping to building security operation centers for clients. We do a complete cyber security simulation as well. Most consultants focus on lateral movement, but we look at the full cycle by analyzing the human element as well as the physical security aspect.