January 3, 2013: New Delhi
In case of cyber space, the defence has to concentrate on resilience – preventive measures plus detailed contingency plans to enable rapid recovery
The risks of security of the internet and integrity of information and processes in the cyber world have become critical in ensuring a smooth functioning of financial systems, as for other aspects of economic, social and political life. Although, as concluded by some reports, very few isolated cyber-related events have the capacity to cause a global crisis, there is a need to make detailed assessments of risks and preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. The Research Department of the International Organisation of Securities Commission (IOSCO), jointly with the World Federation of Exchanges Office, has conducted a cyber-crime survey to bring attention towards the threats from cyber-crimes to some of the most critical financial market infrastructures – the world’s exchanges, from the perspective of securities market.
Cyber-crimes can be understood as an attack on the confidentiality, integrity and accessibility of an entity’s online/computer presence or networks – and information contained within. The catastrophic single cyber-related events could include successful attack on one of the underlying technical protocols upon which the Internet depends and a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches. The risks from other types of breaches of cyber security such as malware, distributed denial of service, espionage, and the actions of criminals and hackers are expected to be both relatively localised and short-term in impact. The cyber attacks by ‘attack vectors’ which are not reflected in available preventative and detective technologies, with the ability to produce new attack, pose the biggest challenge in this regard.
Although, computer systems which are stand-alone or communicate only over proprietary networks are safe from malware, they are still vulnerable to management carelessness and insider threats.
In case of cyber space, the defence has to concentrate on resilience – preventive measures plus detailed contingency plans to enable rapid recovery when an attack succeeds as it is often very difficult to identify the actual perpetrator because the computers from which the attack appears to originate will themselves have been taken over and used to relay and magnify the attack commands.
It is important to carry out a detailed threat assessment of any specific potential cyber threat based on possible triggering events, likelihood of occurrence, ease of implementation, immediate impact, likely duration, recovery factors etc. As large sections of critical national infrastructure may not be under full and direct government control, there is a need for a clear policy for overall public security and safety from cyber crimes.
Apart from the need for action by the government towards having a comprehensive policy framework for national cyber security, spreading awareness, developing forensic resources and research and international cooperation; the respective financial sector regulators and standard setting bodies also need to design, update and implement regulations and standards for security of operations from cyber crimes / attacks, with special emphasis on promoting information sharing.
Securing electronic transactions through the medium of cards is necessary to ensure confidence and faith in such payments. The Reserve Bank has issued directions to the banks to ensure security of such transactions by mandating an additional factor of authentication for all Card not present transactions (Ecommerce/IVR/Mail Order Telephone Order (MOTO)) and Card present (ATM & POS). The Reserve Bank has also advised the banks to move to EMV Chip & PIN technology for customers who have used their cards at international locations and for issuance of new cards wherein the customer has demanded a card for international usage. Directions have also been given to banks to secure the internet banking transactions and also to provide online alerts to the customers irrespective of the value of transaction for usage of cards at any delivery channel.
Cyber Security of India’s FMIs under SEBI
In the previous FSR it was mentioned that systems and processes instituted at the FMIs have stood them in good stead in the past. However, given the dynamic nature and novelty in data thefts and frauds, FMIs need to constantly upgrade and review their processes and systems to prevent any data theft or security failure. Pursuant to IOSCO Report, the FMIs have reported that they broadly carried out necessary upgradation of their systems and processes.
In light of the findings of the survey report on “Cyber-Crime, Systemic Risk and Global Securities Markets”, SEBI registered FMIs (exchanges and depositories) acted proactively and already built in reactive and proactive defences along with detection control and disaster recovery to strengthen cyber security in their systems.
(Source: http://rbi.org.in)