2016-08-29

By A K Viswanathan

There is a massive re-positioning of the financial services market from a fundamentally labor-based model to an automated process-driven business model. We see an emergence of new, agile, and hitherto largely unregulated players who are dis-intermediating the traditional incumbents. Regulation is making it harder to innovate and to grow, while legacy strategy, infrastructure, and thinking are preventing the existing players from responding aggressively to these threats.

Rising cyber risks

There are many business and technology innovations that financial services companies are adopting in their quest for growth, innovation, and cost optimization. These in turn result in heightened levels of cyber risks as innovations are likely to introduce new vulnerabilities and complexities. For example, the continued adoption of alternate channels such as ATMs, kiosks, internet, mobile, cloud, and social media technologies have increased opportunities for attackers.

Similarly, the waves of outsourcing, offshoring, and third-party contracting, driven by a cost reduction objective, may have further diluted institutional control over IT systems and access points. These trends have resulted in an increasingly boundary-less ecosystem from which financial services companies operate, and have thus offered a much broader “attack surface” for threat actors to exploit.

One, there are risks of account takeovers. Cyber criminals have demonstrated their ability to exploit online financial and market systems that interface with the Internet, such as the Automated Clearing House (ACH) systems, card payments, and market trades.

Two, in payment systems there are chances of exploits against financial institutions, payment processors, and merchants. These result in fraudulent monetary transfers and counterfeiting of stored value cards.

Three, ATM skimming is also a prevalent global cyber-crime. A criminal affixes a skimmer to the outside or inside of an ATM to collect card numbers and personal identification number (PIN) codes.

Four, Point of Sale (PoS) terminals have been a primary target for cyber criminals engaging in credit card fraud and have resulted in the compromise of millions of credit and debit cards in the US.

Five, as more mobile devices have been introduced into personal, business, or government networks, they have been increasingly targeted for stealing PII. Cyber criminals have successfully demonstrated man-in-the-middle attacks against mobile phones using malware.

Regulator’s role

So, regulators have an important role to play in ensuring security for users. RBI Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, issued in April 2011, define the fundamental information security requirements which all banks need to follow. RBI guidelines on Cyber Security Framework highlight the urgent need to put in place a robust cyber security/resilience framework to ensure adequate cyber-security preparedness among banks on a continuous basis.

In addition to the above guidelines, there are multiple regulatory requirements related to Internet Banking, Payment Systems, Mobile Banking, IT Outsourcing, etc., which may be applicable to a particular bank depending on the context of the organization and the nature of its operations in India.

Managing Cyber Risks

Financial services firms face a landscape of rapidly changing threats. They must therefore consider building cyber risk management programs to achieve three essential capabilities: the ability to be secure, vigilant and resilient.

To start with, they must understand known threats and controls, industry standards and regulations. For instance, a number of mutually-reinforcing security layers provide redundancy and potentially slow down the progression of attacks-in-progress, if not prevent them. Such slowing down can work in the defender’s favor by providing adequate time to secure their digital assets and mount effective counter-strategies.

They must also enhance vigilance through effective early detection and signaling systems to contain and mitigate losses. Incident detection that incorporates sophisticated and adaptive signaling and reporting systems, can automate the correlation and analysis of large amounts of IT and business data, as well as various threat indicators, on an enterprise-wide basis.
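As an added illustration of the kind of correlation the preceding paragraph describes (this is example code written for this page, not the author's or any vendor's detection system), the script below correlates authentication and transfer events to surface the account-takeover pattern discussed earlier: a burst of failed logins, then a successful login from a source address the account has never used, then a large transfer shortly afterwards. The event format, the sample events, the thresholds and the time windows are all constructed assumptions; a real bank would feed this logic from its own logs and tune the numbers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: timestamp user event source_ip amount
# ("-" for amount when the event is not a transfer). Not real log data.
SAMPLE_EVENTS = [
    "2016-08-29T09:00:01 alice LOGIN_OK 203.0.113.5 -",
    "2016-08-29T09:05:10 alice TRANSFER 203.0.113.5 1500",
    "2016-08-29T21:00:00 alice LOGIN_FAIL 198.51.100.7 -",
    "2016-08-29T21:00:20 alice LOGIN_FAIL 198.51.100.7 -",
    "2016-08-29T21:00:45 alice LOGIN_FAIL 198.51.100.7 -",
    "2016-08-29T21:01:30 alice LOGIN_OK 198.51.100.7 -",
    "2016-08-29T21:04:00 alice TRANSFER 198.51.100.7 250000",
    "2016-08-29T10:00:00 bob LOGIN_FAIL 192.0.2.9 -",
    "2016-08-29T10:00:30 bob LOGIN_OK 192.0.2.9 -",
    "2016-08-29T10:02:00 bob TRANSFER 192.0.2.9 900",
]

# Assumed tuning values; an institution would set these from its own baseline.
FAIL_THRESHOLD = 3                     # failed logins that count as a burst
FAIL_WINDOW = timedelta(minutes=10)    # window in which the burst must occur
TRANSFER_WINDOW = timedelta(minutes=15)  # how soon after a suspicious login a transfer is linked
LARGE_AMOUNT = 100000                  # transfer size that escalates an alert


def parse_event(line):
    """Split one constructed event line into a dict with a parsed timestamp."""
    ts, user, kind, ip, amount = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "kind": kind,
        "ip": ip,
        "amount": 0 if amount == "-" else int(amount),
    }


def detect_account_takeover(lines):
    """Return a list of alerts by correlating login and transfer events per user.

    A successful login is flagged (medium) when it follows a burst of failures
    and/or comes from an IP the user has never logged in from before. A large
    transfer within TRANSFER_WINDOW of a flagged login is escalated to high.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    known_ips = defaultdict(set)      # user -> IPs seen on earlier successful logins
    recent_fails = defaultdict(list)  # user -> timestamps of recent failed logins
    suspicious_login = {}             # user -> (ts, ip, reasons) of last flagged login
    alerts = []

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["kind"] == "LOGIN_FAIL":
            # Keep only failures still inside the burst window.
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
            recent_fails[user].append(ts)
        elif e["kind"] == "LOGIN_OK":
            reasons = []
            fails = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                reasons.append(f"{len(fails)} failed logins within {FAIL_WINDOW}")
            # A new IP only counts once the account has some login history.
            if known_ips[user] and e["ip"] not in known_ips[user]:
                reasons.append(f"login from previously unseen IP {e['ip']}")
            if reasons:
                suspicious_login[user] = (ts, e["ip"], reasons)
                alerts.append({"user": user, "ts": ts, "severity": "medium", "reasons": reasons})
            known_ips[user].add(e["ip"])
            recent_fails[user].clear()
        elif e["kind"] == "TRANSFER":
            flagged = suspicious_login.get(user)
            if flagged and ts - flagged[0] <= TRANSFER_WINDOW and e["amount"] >= LARGE_AMOUNT:
                reasons = flagged[2] + [
                    f"transfer of {e['amount']} within {TRANSFER_WINDOW} of a flagged login"
                ]
                alerts.append({"user": user, "ts": ts, "severity": "high", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_account_takeover(SAMPLE_EVENTS):
        print(alert["severity"], alert["user"], alert["ts"], "; ".join(alert["reasons"]))
```

Run against the constructed sample, the script raises a medium alert for alice's evening login (three failures, then success from an address never seen on her account) and escalates to high when the large transfer follows within the window; bob's single failure followed by a small transfer from his usual address produces nothing. The point of the example is the correlation across event types per account, which is what a flat per-event rule cannot express.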

Resilience must be enhanced through simulated testing and crisis management processes. This is particularly critical as destructive attack capabilities gain steam. Financial services firms have traditionally planned for resilience against physical attacks and natural disasters; cyber resilience can be treated in much the same way.

(The author is Partner, Deloitte Touche Tohmatsu India LLP)

The post De-risking India’s Banking Industry appeared first on BWCIO.
