CIOs in the BFSI sector are under constant pressure to live up to technology expectations, but with new deployments come new vulnerabilities. With over 130000 reported cases of cyber fraud, involving an estimated Rs. 700 Crore, faced by banks in India in the last decade, the sector is still far from a concrete framework and in need of a rapid security transformation.
Faster transactions, bigger ATM networks, online banking services and global collaboration in the banking sector through IT have brought services to an unprecedented number of people all around the world. In India today, there have been massive drives to open bank accounts, and the push toward online and mobile banking is at an all-time high. Although IT and digital transformation have enabled banking and financial services organizations to reach out to a large customer base with improved efficiency and a greater umbrella of services, the enhanced experience comes at a cost.
Brick-and-mortar bank robberies are quickly becoming a thing of the past. In today’s heavily digitized sector, the threat comes from cyber attackers sitting in unknown locations, breaching networks and siphoning money anonymously without leaving a trace or, in some cases, without even alerting the victim organization. Such is the precision of banking fraud in the cyber landscape that most breaches are not reported or even discovered for a long time after they have occurred.
The BFSI sector is vital for a growing economy and is more or less synonymous with the growth trajectory of the country. Frauds and breaches in BFSI organizations have devastating effects, and these spread across sectors to the account holders as well as organizations connected with the bank financially. The growing cyber threat landscape in BFSI has been an ongoing headache for security teams in such organizations.
A History of Breach in Indian BFSI
To understand the severity of the threat landscape in the Indian BFSI segment, one doesn’t have to go back far in time. One of the most significant breaches in Indian BFSI history occurred in October 2016, when an estimated 3.2 million debit cards were compromised, with major Indian banks like SBI, HDFC Bank, ICICI, YES Bank and Axis Bank among the worst hit. A number of users reported unauthorized use of their cards in locations in China. This resulted in one of India’s biggest card replacement drives in banking history.
A malware-related security breach was reportedly detected in the non-SBI ATM network, following which the public sector lender blocked around six lakh debit cards. An audit performed by SISA Information Security reports that the breach was due to malware injected into the payment gateway network of Hitachi Payment Systems.
Another major breach occurred at City Union Bank, which came under attack when cyber criminals transferred nearly $2 million through three unauthorized remittances to lenders overseas via the SWIFT financial platform. This was followed by the much-publicized Cosmos Cooperative Bank breach, where hackers siphoned off a whopping Rs 94.42 Crore from the Pune-headquartered second biggest cooperative bank in India to foreign and domestic bank accounts.
RBI data shows that during 2008-17, banks in India faced 130000 reported cases of cyber fraud involving an estimated Rs. 700 Crore. This is equivalent to just 0.006% of the outstanding deposits of Indian banks. By contrast, a severe cyber attack can result in bank failure even when no money is lost directly. A total of 50 incidents of cyber attacks affecting 19 financial organizations have been reported from 2016 till June, 2017, as per the government.
As the examples of major global banks including the Bank of America, Citi, JP Morgan Chase, PNC, USB or Wells Fargo suggest, irrespective of the cyber investment, preparedness and management, a cyber breach is a near certainty for banks. Quick breach detection and appropriate corrective actions decide the impact of such incidents on banks. Furthermore, global incidents such as the data breach at Equifax and the WannaCry and Petya cyber attacks, among many others, have affected the global market and are proof enough of the current digital vulnerabilities in the world of finance.
It is high time that Indian banks woke up to harsh cyber realities. This is a big challenge for banks: it is no longer sufficient to protect just data centers and headquarters; banks today have to protect ATMs and branch offices in addition to securing incoming data, even from affiliated organizations. In spite of the growing awareness of the need to regularly update an organization’s cyber preparedness and defense mechanisms, a large number of BFSI institutions wake up to this reality only after an incident, which often leads to a loss of reputation and/or financial misappropriation.
In retrospect, Indian banks do not have much choice concerning a major revamp of cyber security. Cyber attacks are global in nature and, with better cyber-risk preparedness in OECD countries, hackers are increasingly focusing on vulnerabilities in emerging-market countries. This is like an existential problem for Indian banks.
The Gaps exploited traditionally
The main threats that a bank faces from cyber attacks are breach of customer data privacy, loss of reputation, business discontinuity, loss of assets/business information, post-breach information security revamping cost, third-party claims and penal actions from regulators.
The sensitivity of banks to cyber attacks and investments for cyber risk management have gone up sharply only in recent times. For a large part of this period, Indian banks, especially those in the public sector, were faced with serious asset quality deterioration, restricting their capacity to invest in cyber security. Over the last couple of years, Indian BFSI organizations have made efforts to put in place solutions that could help them with their Cyber Security challenges. But banks have quickly recognized that cyber security requirements change often and it is important to have continuous engagement on that front. As per Anshuman Singh, Senior Director Product Management at Barracuda Networks, “Any organization is only as secure as its weakest link and thus organizations need to look at all aspects of their system to evaluate where the vulnerabilities could lie and then take appropriate measures.”
In BFSI attacks, the aim is to steal money and customer information, and the traditional routes exploited for this are malware, zero-day attacks or direct attacks against web front ends. In an increasingly digital marketplace, consumers today demand better and faster access to data and transactions, while an exponentially growing number of connected devices are generating data at an unprecedented rate. As a result, information volumes are exploding and limited IT resources are struggling to keep up. At the same time, however, lines of business are under increasing pressure to process transactions, manage workflows, and store content in the most efficient way possible.
As per Rajesh Maurya of Fortinet, this results in an unplanned return to technology and information silos. “You can’t protect what you can’t see or control, which are the exact problems that a siloed network creates. Given the growth and severity of targeted attacks, and the potential impact of any disruption to your digital business model, it is critical that you get out ahead of this challenge.” Rajesh continues, “Network silos are the enemy of effective security. Unfortunately, having confronted that problem nearly two decades ago, we are now on the verge of having to fight that same battle once again in the cloud. Ironically, the root of the problem is almost identical to the first time — unstructured and unplanned network development and the creeping growth of an accidental network and security architecture. Only this time, cybercriminals are armed with more sophisticated tools designed to take better advantage of the gaps this approach creates, and to cause more damage than ever before. At the same time, with the growth of the new digital economy, more is at stake.”
An important aspect is that BFSI organizations need to look at their partner ecosystem and check whether partners are interacting with the organization in a secure manner. A partner system that is compromised could be used to infiltrate the BFSI’s infrastructure. The challenge here is that most organizations have deployed many different solutions from different providers that do not natively communicate, share threat information or even digest threat intelligence and convert it into actionable protections. “Financial organizations usually fail to identify or classify their organizational data based on sensitivity and criticality. This information can be both – structured and unstructured. These organizations are so focused on the deployment of these multivendor solutions that they lose track of maintaining an organization-wide, integrated approach that would adequately protect the company’s data from risk,” opines Priya Kanduri, Vice President, Head of Innovation and Security Services, Happiest Minds.
Growing Compliance and Governance Landscape
Addressing the larger cause of ensuring a secure BFSI infrastructure, the role of the Government has two major components: Policy making and facilitation. The Indian Data Privacy Regulation is a step in the right direction in terms of policy. On the facilitation front, the Government can facilitate information sharing between the organizations and creation of best practices that organizations can use.
The Indian government has realized its important position in ensuring a standard cybersecurity framework in public and private organizations. A few steps have already been taken in this regard. CERT-In, the Indian Cyber Security Emergency Response Team, has issued 21 advisories for security safeguards covering Point of Sale, Micro ATMs, electronic wallets, online banking, smartphones, unified payment interface, unstructured supplementary service data, RuPay, SIM cards, wireless access points/routers, mobile banking, cloud, Aadhaar Enabled Payment Systems etc. A separate research and development fund for cyber security worth Rs. 1,000 Crore has been created, to be spent over a period of five years for upgrading technological capacity.
The government can learn from European counterparts. Strong customer data privacy protection norms and stringent penalties for infringement have been the main drivers of robust cyber security arrangements by banks in most OECD countries. The General Data Protection Regulation (GDPR) in the EU imposes a penalty of up to €20 million, or up to 4% of the annual worldwide turnover, for violation of norms.
Data privacy norms in India are far less stringent than those of the GDPR. The predominance of public-sector banks creates the impression of an implicit sovereign guarantee against the failure of such banks, which reduces the threat of reputation loss of public-sector banks due to cyber attacks. Ripu Bajwa, Director and General Manager – Data Protection Solutions, India, Dell EMC, observes, “Now that India is closer to having its own data protection law, it has led most BFSI companies to rethink their data protection and data privacy strategy. Companies need to reassess their data protection applications and need innovative new approaches to address their protection and recovery challenges because the traditional approaches aren’t equipped to handle the digital disruptions of today. They need systems that can quickly take decisive action as well as protect their data against any breach. CIOs need to focus on how data is being stored and accessed and most importantly they need to rethink the security element.”
The severe implications of a cyber breach seem to be lost on a large number of bank managements, creating a relaxed attitude among banks to cyber-risk management. The Indian DPR is expected to address this issue. As per Anshuman Singh, Barracuda Networks, “The Indian Data Privacy Regulation is a welcome step as the regulation lays down in detail how personal data has to be handled. This would require BFSI organizations to categorize the type of data that flows through their systems and how it is logged and managed. It is a big effort and would require concerted efforts by organizations to put compliance in place.”
Although India’s Data Protection Bill mandates specific security requirements to protect consumer data and to strengthen cybersecurity, many organizations are doing only the bare minimum required to achieve compliance, with little consideration of the potential advantages that going above and beyond might provide. As Rajesh Maurya, Fortinet explains, “The truth is, organizations that go beyond compliance to offer robust data-security controls deliver greater value to consumers and build their level of trust, resulting in a distinct competitive edge. High-profile and high-impact breaches have caught the attention of companies and consumers alike. As a result, users are looking at organizations that store and analyze their personal data with increased scrutiny — and holding them accountable for security slip-ups that result in breaches.”
Machine Learning and Analytics, a game changer
As per Priya of Happiest Minds, “The landscape gets rockier with the need to keep up with the ever-growing customers’ expectation, and their technological capabilities coupled with increasingly sophisticated cybercriminal tactics have bolstered the demand for Cyber Security in the BFSI sector.” A recent report observed that the cybersecurity market size is expected to grow by 12% CAGR over the years 2017-2022 and would reach USD 125 billion by 2025. Of this, the financial services sector’s revenue contribution is also expected to grow by 9.8%, which is a growth from USD 24.08 billion in 2017 to USD 38.81 billion in 2022.
As mobile payments become more widespread, cybercriminals are aggressively targeting the process with increasingly sophisticated attacks. Criminals are already adding automation to attacks, such as smart botnets and polymorphic malware. To keep consumers, fintech companies and financial services firms from compromise, defenders must incorporate integrated and automated defenses and threat intelligence. In an effort to prevent and detect such attacks, new solutions are arising to protect financial service providers.
“One tactic is to use machine learning to stop cybercrime,” suggests Rajesh Maurya, “An automated threat detection system, for instance, would use machine learning to analyze threats at machine speed. This ensures that as new threats are developed to target mobile payments, security defenses are aware of them and can work in real time to detect and mitigate them. Another recent entrant into the security armory is behavior analytics, which leverages machine learning to recognize regular user habits and behavior, such as common times of use and location.”
New generations of network incursions must be detected and dealt with quickly, before they can do damage and before their trail fades away. An integrated system with orchestrated security solutions enables organizations to fight automation with automation, using cybercriminals’ own tactics to turn the tables on them and shorten the time to detection so that forensic analysis can begin immediately and the security lifecycle can be strengthened.
As per Rajesh, baselining these sorts of activities is integral to detecting anomalous behavior that may be indicative of malicious activity or a breach. BFSI CISOs need to integrate artificial intelligence and machine learning with security fabrics that facilitate deep visibility and control at speed and scale. “This is critical as security needs to operate at the same accelerated machine speed of financial transactions,” Rajesh Maurya sums up. Anshuman Singh, Barracuda Networks adds, “Usage of data science capabilities to mine information for fraud detection and prevention is gaining traction the world over. This augmented with newer security tools that rely on Artificial Intelligence to figure out complex threats like phishing attacks are security elements that CIOs should evaluate.”
The approach of a CISO moving forward
In today’s growing security landscape, the first task for CISOs is to ramp up their security framework with new investments in the latest tools. While bigger and more sophisticated banks spend about 4 per cent of their total IT budget on cybersecurity and information, smaller banks, cooperatives and other smaller financial institutions are not spending much. Breaches like the one at Cosmos Bank can be attributed to this. But even the larger Indian banks still fall short of the investments being made by the banks in North America and Europe, which are spending about 6-10 per cent of their IT budget to thwart rising incidents of financial crime involving hackers.
As per Anshuman Singh, Barracuda Networks, “Tools are only as good as the person using them. Organizations need to invest in both sides of security field – the Blue and Red teams. The blue teams defend and Red teams attack. Building great capabilities for both Blue and Red teams with the appropriate type of personnel suited for that type of job will help the CIOs secure their organizations in a better manner.”
“Irrespective of which risk management strategy or security control is implemented, the key is to use integrated and automated security architecture with deep visibility and control that can also operate at speed and scale. Current network ecosystems stretching from the IoT edge, across enterprise networks, and out to multiple cloud service providers are far too distributed for traditional manual prevention, detection, and response solutions,” says Rajesh of Fortinet, “It’s increasingly clear that the velocity, variety, and complexity of cyber attacks requires organizations to implement integrated and interactive security fabrics that can adapt to rapid network change, keep pace with today’s threat actors, and also demonstrate compliance with industry and legal requirements. Security fabrics designed around integrated devices that collect and share data in conjunction with best-in-class intelligence to enable automated detection and response is a practical approach for today’s most challenging cyber threats.”
As per Priya Kanduri of Happiest Minds, “CIOs have to keep the following aspects of cybersecurity and threat prevention as top priorities for 2019 IT planning to refresh their Cyber Security & Cyber Risk management strategies. The focus areas for BFSI CIOs for 2019 are Adherence to the new RBI cybersecurity compliance and Personal Data Protection Bill 2018; API, IoT, and Mobile security enhancements and building next-gen security operations with predictive analytics, improved incident analysis capabilities, and automated incident response capabilities.”
Compliance and regulations are a step in the right direction, but CIOs and CISOs must think beyond compliance by taking a proactive approach to security to effectively protect consumer data and earn customers’ long-term trust. They must leverage proactive solutions and look at ways to create interoperability between different security systems so that information on an event identified on one device is automatically shared across the entire distributed security architecture. Fincos should strive to reduce that complexity by further integrating solutions, focusing on interoperability as devices are purchased or replaced and consolidating existing security devices so that they can leverage a common operating system or management interface.