Designing cybersecurity for the financial sector

There is no dearth of regulatory intervention at present to secure India’s financial ecosystem, and more of the same need not necessarily lead to better outcomes

The most recent ransomware attacks, currently estimated to have locked up more than 100,000 computers across 100 countries, yet again highlights the very real peril of cyber-threats in the virtual world. The Mirai botnet’s distributed denial of service attacks last year, soon followed by BrickerBot’s permanent incapacitation of several devices forming part of the Internet of Things, exposed the vulnerabilities of a world where everything from room heaters to wearable fitness trackers is connected. Attacks of this kind have proved themselves capable of even imperilling national security, economic stability and public health.

The critical information infrastructure rules framed in 2013 under the Information Technology Act, 2000, identified banking, financial services and insurance (BFSI) as one among five critical sectors. Yet, the past years have seen an increasing number of large-scale cyber-attacks in this sector. About 3.2 million debit cards were compromised last year through a hack on Hitachi’s ATM switch server. Phishers assumed the Reserve Bank of India’s (RBI’s) identity to hoodwink a gullible staffer in the Union Bank of India and inject malware into the bank’s servers. The $171 million, transferred through unlawful access to the bank’s SWIFT codes for cross-border transactions, was fortunately rolled back due to early detection. At a lesser level of sophistication, software vulnerabilities in the Bank of Maharashtra’s Unified Payment Interface app were recently exploited to complete digital transactions even when there was insufficient balance in the sender’s account.

These attacks, coupled with the exponential growth of fintech platforms and solutions partly fuelled by the demonetisation exercise, underscore the need for strong cybersecurity initiatives. In this regard, Union finance minister Arun Jaitley’s budget speech this year, which announced the formation of a sectoral Computer Emergency Response Team for Finance (Cert-Fin), merits closer scrutiny. The design and approach of this newly proposed body is central to its success. There is no dearth of regulatory intervention at present to secure India’s financial ecosystem, and more of the same need not necessarily lead to positive outcomes.

To quickly take stock, RBI circulars have identified the key features of an optimal cybersecurity framework for banks, including network management, user access, customer authentication, and incident response and management. Similarly, the Securities and Exchange Board of India (Sebi) and the Insurance Regulatory and Development Authority of India (Irdai) have issued guidelines for strengthening the cybersecurity framework in capital markets and insurance, respectively. The Indian Computer Emergency Response Team (Icert) continues performing its statutory mandate—information sharing and management, cybersecurity alerts, emergency responses, etc.—on a non-sectoral basis. Even assuming Cert-Fin entirely replaces Icert as the cyber-warrior for the BFSI sector, can it add real value over and beyond what sectoral regulators such as RBI, Sebi and Irdai are already addressing? Or would it just be an additional layer of compliance and friction for innovators in the fast-changing fintech landscape?

We believe there are gaps in the cybersecurity framework that an appropriately designed Cert-Fin can still address better than the existing framework. Broadly these are in the areas of research, talent-building and industry-academia coordination; digital literacy; and better information flows between various actors in the security ecosystem.

Without undermining Icert’s vigilance thus far in issuing timely advisories, it is clear that the body has been unable to take leadership in knowledge creation. The white papers and other research material it has managed to put out are mostly outdated and fail to keep pace with current security trends.

A body built on the foundational principle of shared responsibility with a larger body of stakeholders, including banks, fintech start-ups, cybersecurity companies, and academic institutions, is better placed to effectively fund advanced research and even incubate cybersecurity solutions on a co-creation basis. The Biotechnology Industry Research Assistance Council serves as a good precedent.

Cert-Fin should also have a valued say in the revamping of engineering course curriculum to mitigate the existing skills and supply gap for cybersecurity professionals. The financial sector, with its growth potential highly dependent on the presence of security and trust, is a prime candidate for both skilling and hiring new talent.

Another key intervention, without which any security measure at the service provider end remains likely to fall short, is digital literacy and cybersecurity awareness for customers. Apart from taking the lead, Cert-Fin should also be vested with powers to mandate and evaluate on-the-ground initiatives by private players towards educating end users on safe and responsible access practices. Many a hack has been caused by poor password security.

Finally, Cert-Fin must serve the function of a data escrow, taking important decisions on real-time data sharing and ideally veering towards more information flows than less. A common trend today is the denial of responsibility by all actors in the security chain as soon as news of a hack breaks out. Only a well-designed Cert-Fin can prevent this attitude from regressing into a collective action problem. Suitable exceptions to the law of evidence must also be fashioned to encourage maximum information disclosure to the Cert-Fin.

If these normative goals are sought to be achieved by building them into the very design of Cert-Fin, it could hopefully serve as a healthy template for other jurisdictions too, in addition to facilitating the transition to a digital India for financial transactions.