RBI Gets Tough On Cybercrime; Will Other Sectors Act Too?

by Priyanka Pugaokar    Mar 02, 2017


In the wake of the exponential rise in financial frauds post demonetization, the Reserve Bank of India (RBI) has now flexed its muscles to curb the rising cyber-attacks on financial institutions. The apex body has laid down several crucial policy initiatives to create a robust mechanism that aims at facilitating prompt reporting and speedy redressal of data breach incidents. RBI has also announced the setting up of an inter-disciplinary standing committee on cyber security.

RBI’s efforts are certainly aimed at ensuring that all banks strictly adhere to the guidelines in order to mitigate the potential damage caused by cyber-attacks. While RBI has acknowledged the seriousness of cyber security and started acting upon it, it is high time for other industrial sectors to treat cyber security as their topmost business priority and not just an IT issue.

BFSI: Always A Soft Target

The BFSI sector is always a soft target of cyber criminals, and since the government has given a push to the ‘less cash economy’ there has been a spike in online financial frauds. In what could be termed the biggest financial fraud, over 3 million debit cards of prominent banks were compromised last year, putting customers’ data at stake. A recent survey on fraud in the financial sector by Assocham and PwC revealed that the recent cyber-attacks on major banks including SBI, Axis and HDFC and bodies such as BSE caused around $20 billion in direct losses annually.

Despite rising cyber-attacks on banking and financial institutions, financial crime management is still in a poor state in India. Unlike in the developed economies, cybercrime reporting is not a compliance issue in the country and hence, financial institutions mostly avoid reporting data breach incidents in the public domain. Goodwill and reputation are the other major factors due to which financial institutions hesitate to reveal cyber-attacks to the investigation agencies. Scarcity of skilled manpower is another challenge faced by small banks, especially in the upcountry markets, which do not have advanced machinery to tackle cybercrime incidents.

“Demonetization has driven massive amounts of Indians to shift to digital banking transactions. The amount of endpoints in online transactions – point-of-sale terminals, ATMs and customer devices – greatly complicates the attack surface of financial institutions and retailers. In India particularly, these endpoints are notoriously running outdated software or have unpatched vulnerabilities, making them key targets to malware. These kinds of lax security practices indicate many organisations are not prepared to take on the increased cyber threats”, said Sridhar Namachivayan, Regional Director - India & SAARC, Skybox Security.

RBI Takes Proactive Steps

RBI has taken proactive steps in order to change the mindset and approach of bankers towards security and ensure their greater transparency with consumers. The apex body has laid down strict regulations about data breach incidents, under which it is compulsory for every bank to report such incidents within 2 to 6 hours invariably to the regulator. “We have always known banking to be a relationship built on trust. However, when we talk about cyber security I tend to believe that ‘zero trust’ is the way to address it”, S. S. Mundra, deputy governor at the RBI, remarked recently at a public gathering.

Similarly, the inter-disciplinary standing committee on cyber security, chaired by Meena Hemchandra, Executive Director, RBI, is chartered to review the threats inherent in existing and emerging technology, study the adoption of various security standards and protocols, interface with stakeholders, and suggest appropriate policy interventions to strengthen cyber security and resilience. Industry experts feel the need for similar kinds of action from regulators of other industry verticals.

Time To Think Cyber Security

Like BFSI, industry domains such as manufacturing, critical infrastructure, aviation, healthcare and hospitality, PSUs etc. are increasingly becoming a target of state-sponsored cyber-crime syndicates. The critical infrastructure industries especially have seen breakdowns due to system failures caused by ransomware and other forms of targeted attack. The government recently announced the formation of CERT-Fin to keep track of cybercrime incidents in the financial sector. Security experts strongly feel the need for sectoral CERTs for all industry verticals.

“CERT-Fin is definitely a welcome move, but similar kinds of efforts are needed for other industry verticals as well. We require an industry-specific specialised team to study malware, anomalies and programs designed by adversaries and hacker groups. An industry-specific body is in a better position to understand and analyse different aspects of that sector”, said Balsing Rajput, SP, Cyber, Maharashtra, Mumbai.

Endorsing similar thoughts, Namachivayan said, “The more insight we can gain on cybercrime behaviour related to specific industries, the more we can understand how to respond to and even be proactive against such attacks.”

While the majority of industries still consider cyber security an IT issue, security experts say it is a business issue that needs special attention to ensure seamless business continuity. Cyber criminals do not have boundaries to execute crimes, and every unpatched machine and every unsecured network is enough for cyber crooks to penetrate the system and cause disaster. Hence, it is high time for regulators across the industry verticals to come up with strong cyber security guidelines along the lines of RBI’s to ensure a higher level of security and transparency in their business operations.