Better cyber security reporting

As Indian banks compete to establish differentiated business models based on efficient operations, technology has assumed the pivotal position in their strategies. Ecosystem disruptions like demonetisation, the emergence of payment banks, fintech players, micro banks and the pseudo- and para-banking activities of telcos and retail chains have made technology the sine qua non and God-gifted saviour for banks. But gifts often come bundled with miseries. While technology works as manna for scale and speed, security unpreparedness could play spoilsport.


Financial sector regulators worldwide have introduced frameworks to establish best practices and prevent disruptions to financial stability. Examples are the Bank of England’s CBEST and the Hong Kong Monetary Authority’s CFI (Cybersecurity Fortification Initiative). In India, the RBI and GoI are also continuously working to bring in stabilisation initiatives. These include the setting up of CERT-In (Computer Emergency Response Team-India), NCIIPC (National Critical Information Infrastructure Protection Centre), IB-CART (Indian Banks-Center for Analysis of Risks and Threats) and the RBI framework of June 2, 2016. Recently, Deputy Governor Mundra, in his speech on “Fraud Risk Management”, identified the lack of proper reporting and the absence of networked awareness amongst players as one of the main reasons for incidents not coming to the fore.


An analytical and discursive debate is required as to why, despite frameworks, mandates and repeat strikes, most BFSI players are reluctant to define, identify and report cyber incidents. To begin with, an understanding of the types of cyber incidents is necessary. Cyber incidents could be routine and of short duration, or industry-wide and highly disruptive. For example, critical IT system outages and customer data compromises in ATM interfaces are widely discussed in the media, including social media. However, momentary infrastructure cessations, small DDoS attacks and recurring financial losses due to compromised cyber security often do not see the light of day, although they are important leading indicators of potential threats. Data theft or loss of authentication credentials, like the one in the Hitachi Payment Systems or ATM card gateway, have multiplier effects and could raise a chain of questions around security preparedness and reporting. However, a majority of incidents are either not detected or not reported.


The causes of security incidents could be many. It begins with innocuous internal compromises of environment controls like access firewalls and the temperature and humidity of the data centre. Lack of knowledge of SOPs, unfettered vendor access to the active production region and a disaster recovery system not being in sync with the main system often lead to disruptions and compromises. Deployment of hot patches and fixes directly without sufficient system integration and user acceptance testing, and lack of documentation of exceptions, their patterns and learnings, also cause cyber incidents.


Why are the players not reporting incidents, and what could be done to improve compliance? Varying levels of maturity in security technology implementation and the lack of knowledge in the cyber security wings of banks are the main culprits. Even if the basic ecosystem exists, the first impediment to reporting is the multiplicity of reporting. At present, banks have to report to the RBI, CERT-In, NCIIPC and IB-CART, in addition to their internal risk departments and the board. A common portal or a regulatory black box from which APIs could be exposed for use by both banks and crime prevention and investigation authorities would smarten the process. The second factor is the confusion around threshold levels and definitions of severity. The same incident could be defined as routine by one bank and severe by another. Compliance and adoption will be better if common standards are formulated. The third factor is the lack of assurance from the RBI and other authorities regarding the confidentiality of reported matters. Banks deal with public trust and are extremely wary of any adverse publicity around their reported cyber security breaches. More importantly, the threat of regulatory punitive action or adverse commentary often prods banks to underplay incidents or push things under the carpet. Authorities in regulators, law enforcement and policy making are at different levels of maturity in understanding and absorbing the data and intelligence in reports. Often, this leads to confusion and non-reporting. Any adoption requires quick wins and establishing the benefits of reporting. The rich data in reports already held by the RBI, CERT-In and others could be subjected to advanced analytical modelling in conjunction with other big data elements to formulate concrete and bespoke action plans for individual players, both reporting and non-reporting.


The technology of cyber security shall remain the core of prevention and reporting. The Internet of Things, Big Data, artificial intelligence and the use of robotics for first-level threat prevention, detection and reporting are additional facilitators that bring speed and community awareness and leverage incident learnings for greater protection of the financial sector.

The author is deputy managing director and chief information officer, SBI
