An analytical and open debate is needed on why, despite frameworks, mandates and repeated attacks, most BFSI (banking, financial services and insurance) players remain reluctant to define, identify and report cyber incidents. To begin with, the types of cyber incidents need to be understood. Cyber incidents can be routine and short-lived, or industry-wide and highly disruptive. For example, a critical IT system outage or a compromise of customer data at ATM interfaces is widely discussed in the media, including social media. However, momentary infrastructure outages, small DDoS attacks and recurring financial losses caused by weak cyber security often never come to light, even though they are important leading indicators of larger threats. Theft of data or of authentication credentials, such as the compromise involving Hitachi Payment Systems and the ATM card gateway, has multiplier effects and raises a chain of questions about security preparedness and reporting. Yet the majority of incidents are either not detected or not reported.
The causes of security incidents are many. They can begin with something as innocuous as an internal lapse in data centre environment controls, such as access control, temperature and humidity. Ignorance of standard operating procedures, unfettered vendor access to the live production environment, and a disaster recovery system that is out of sync with the primary system frequently lead to disruptions and compromises. Deploying hot patches and fixes directly into production without adequate system integration and user acceptance testing, and failing to document exceptions, their patterns and the lessons learnt from them, also cause cyber incidents.
Why are players not reporting incidents, and what could be done to improve compliance? Varying levels of maturity in security technology implementation, and a lack of expertise in the cyber security wings of banks, are the main culprits. Even where the basic ecosystem exists, the first impediment to reporting is the multiplicity of reporting channels. At present, banks must report to RBI, CERT-In, NCIIPC and IB-CART, in addition to their internal risk departments and the board. A common portal, a single regulatory repository exposing APIs to both banks and crime prevention and investigation agencies, would streamline the process.

The second factor is confusion around threshold levels and definitions of severity. The same incident could be classified as routine by one bank and severe by another. Compliance and adoption will improve if common standards are formulated. The third factor is the lack of assurance from RBI and other authorities about the confidentiality of reported matters. Banks trade on public trust and are extremely wary of any adverse publicity about reported breaches. More importantly, the threat of regulatory punitive action or adverse commentary often prods banks to underplay incidents or sweep them under the carpet.

Regulators, law enforcement and policy makers are themselves at different levels of maturity in understanding and absorbing the data and intelligence contained in reports. This too leads to confusion and non-reporting. Any adoption requires quick wins and a demonstration of the benefits of reporting. The rich data already held by RBI, CERT-In and others could be subjected to advanced analytical modelling, in conjunction with other big data sources, to produce concrete and bespoke action plans for individual players, whether they report or not.
Security technology will remain at the core of both prevention and reporting. The Internet of Things, big data, artificial intelligence and robotic automation for first-level threat prevention, detection and reporting can add speed, build community awareness and turn incident learnings into greater protection for the financial sector.
The author is deputy managing director and chief information officer, SBI