In our first article, we examined the current state of digital transactions, accounts and potential cyber-threats for companies in the BFSI sector. In this second part, we present the need for a cybersecurity framework to prepare and address threats.
A comprehensive cybersecurity framework, like the RBI's, enables banks and financial institutions to create strong foundations and a baseline in terms of policies, governance, infrastructure and controls implementation to deal with the PPDMRR (Prepare, Prevent, Detect, Mitigate, Respond and Recover) cycle. There are about 24 detailed requirements called out in the framework.
We have summarised a few areas that can be effectively addressed in a continuous manner, using the guidelines laid down in the framework.
- Customer and customer data protection: Protecting customers against financial crime by building awareness through periodic messages, alerting customers about inactive accounts that can be used for cyber crimes and providing solid authentication is a good starting point. Actively monitoring high-risk, high-value transactions and observing the movement of customer data both within and outside the bank, including through vendor networks, is key to ensuring that customer data is adequately protected.
- Building cyber-resilience: Organisations can do this by developing the ability to handle critical incidents, establishing protocols to return to business-as-usual as soon as possible and repair any damage to the business, and learning from attacks across the globe how to protect themselves in the future. This calls for strong cyber-crisis management with supporting forensic analysis, along with disaster recovery plans backed by simulations and cyber war-gaming.
- Developing a cyber-aware board and strong governance: As per the RBI framework, boards of banks need to be continuously educated about the latest cyber-threat landscape. This sets the right precedent for the organisation to follow, starting at the top. Led by a cyber-aware board, institutions can consistently provide programmes, interventions, the right guidance and insights to employees and customers.
- Proactive reporting and collaboration: Across financial systems, the framework calls for sharing of data and incidents to help improve cyber-resilience. This not only helps smaller banks learn and adopt cybersecurity practices but also strengthens the overall financial infrastructure's ability to withstand threats, given the ever-increasing volume of international transactions.
- Include the extended ecosystem: Establishing digital circles of trust with vendors, such as payments partners, wallet service providers and investment advisories, is imperative to tracking, monitoring and preventing loss of data and reputation. Institutions must hold partners accountable for building cyber-resiliency as well. Embedding vendors into regular cyber-audits helps vendors stay abreast of mechanisms to deal with cyber-threats. No one wants to be known as the weakest link in the chain.
- Establish continuous surveillance: Proactive monitoring calls for real-time data capture and in-line analysis. It lets banks act on cyber-threats as they occur, rather than passively examining transaction logs after the fact. Setting up next-generation security operations centres (SOCs) using AI and ML enables measured responses to attacks, rather than hasty reactions. Continuous surveillance can also be a basis for regular cyber-attack simulations, much like disaster readiness drills, to measure and build the bank's ability to respond and recover quickly.
- Building a cybersecurity-aware culture: Such a culture is vital to institutions. It can be built through continuous learning for all employees across the BFSI sector. The learning programmes may be delivered as a combination of classroom training sessions by experts, self-paced e-learning, regular cyber-threat updates and reinforcement of learning through small bites of information. Among employees, this inculcates a habit of learning and of being mindful about cyber-threats in daily activities, and ensures that the "person" link, which is typically the most vulnerable in a cyber-attack, is continuously strengthened.
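The "customer data protection" and "continuous surveillance" points above both turn on evaluating each transaction as it arrives rather than reviewing logs later. The Python below is an added example, not code from the original article or from the RBI framework: a small in-line monitor that flags high-value transactions, activity on long-dormant accounts, bursts of transactions in a short window, and daily-limit breaches. The thresholds, account records, channel names and sample events are all constructed for illustration and are not taken from any bank's policy.

```python
"""Added example: an in-line transaction monitor that evaluates events as
they stream in. All thresholds and sample data below are assumptions made
for illustration, not values from the article or the RBI framework."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    account_id: str
    last_activity: datetime          # last customer-initiated activity
    daily_limit: float = 200_000.0   # assumed per-customer daily limit


@dataclass
class Txn:
    txn_id: str
    account_id: str
    amount: float
    ts: datetime
    channel: str                     # assumed values: "upi", "netbanking", "branch"


DORMANCY = timedelta(days=180)       # assumed: no activity for 180 days = dormant
HIGH_VALUE = 100_000.0               # assumed single-transaction review threshold
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_COUNT = 5                   # assumed: 5+ transactions in 10 min is a burst


class InlineMonitor:
    """Holds just enough state to score each transaction at arrival time."""

    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}
        self.recent = {}       # account_id -> deque of recent timestamps
        self.daily_total = {}  # (account_id, date) -> running total

    def evaluate(self, txn):
        """Return the list of alert codes raised for this single transaction."""
        alerts = []
        acct = self.accounts.get(txn.account_id)
        if acct is None:
            return ["UNKNOWN_ACCOUNT"]

        # Single large transaction, regardless of other signals.
        if txn.amount >= HIGH_VALUE:
            alerts.append("HIGH_VALUE")

        # Electronic activity on an account with no activity for a long period.
        if txn.ts - acct.last_activity >= DORMANCY and txn.channel != "branch":
            alerts.append("DORMANT_REACTIVATION")

        # Sliding-window velocity: drop timestamps older than the window.
        window = self.recent.setdefault(txn.account_id, deque())
        window.append(txn.ts)
        while window and txn.ts - window[0] > VELOCITY_WINDOW:
            window.popleft()
        if len(window) >= VELOCITY_COUNT:
            alerts.append("VELOCITY")

        # Running daily total against the customer's limit.
        key = (txn.account_id, txn.ts.date())
        self.daily_total[key] = self.daily_total.get(key, 0.0) + txn.amount
        if self.daily_total[key] > acct.daily_limit:
            alerts.append("DAILY_LIMIT")

        # The transaction has now been seen; later ones are judged against it.
        acct.last_activity = txn.ts
        return alerts


def run_sample():
    """Feed a constructed event stream through the monitor; returns txn_id -> alerts."""
    t0 = datetime(2024, 1, 15, 10, 0, 0)
    accounts = [
        Account("A1", last_activity=t0 - timedelta(days=2)),     # active customer
        Account("A2", last_activity=t0 - timedelta(days=400)),   # dormant account
    ]
    mon = InlineMonitor(accounts)
    events = [
        Txn("t1", "A1", 5_000.0, t0, "upi"),
        Txn("t2", "A2", 150_000.0, t0 + timedelta(minutes=1), "netbanking"),
        Txn("t3", "A2", 60_000.0, t0 + timedelta(minutes=2), "netbanking"),
    ]
    # Five small payments from A1 within two minutes: a burst.
    for i in range(5):
        events.append(Txn(f"t{4 + i}", "A1", 1_000.0,
                          t0 + timedelta(minutes=3, seconds=30 * i), "upi"))
    return {e.txn_id: mon.evaluate(e) for e in events}


if __name__ == "__main__":
    for txn_id, alerts in run_sample().items():
        print(txn_id, alerts or "ok")
```

In the sample stream, t2 raises both HIGH_VALUE and DORMANT_REACTIVATION at the moment it arrives, t3 trips the daily limit for the same account, and the fifth small UPI payment from A1 raises VELOCITY. The point is that each decision is made with only the state available so far, which is what distinguishes in-line analysis from a post-facto log review.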
Additionally, Urban Cooperative Banks have been mandated to implement controls based on their assigned level, from 1 through 4. This makes it easier for smaller banks to begin putting in place at least a set of baseline security controls, ensuring that they reach some minimum level of safety.
Pause for a moment now and examine the areas of the cybersecurity framework summarised here. Did you notice that there are several assurances and benefits to customers, partners and the overall BFSI sector?
We highlight four benefits of the cybersecurity framework here.
- Building trust: RBI's framework provides a sense of trust amongst consumers. Banks can now assure customers, based on the RBI directives, that their policies and practices will keep customers' data safe. The guidelines are comprehensive and clear, making it simpler for financial service institutions to frame responses to customer queries on data safety and security.
- Consistent standards and guidelines: All financial institutions now have clarity on the areas covered by cybersecurity standards and guidelines. This gives everyone a level playing field and creates transparency and fair terms for all players, while passing these benefits on to customers. It also creates a space for innovation around cybersecurity products and solutions.
- Build a strong and resilient cybersecurity foundation: Institutions are called on to share data with the RBI for analysis and information-sharing on cyber-threats. With a fast-evolving threat landscape, smaller institutions stand to benefit, while large ones with deep pockets can implement strong infrastructure that supports real-time data analysis with continuous monitoring, AI and ML. Such a framework promotes the overall resilience of the financial sector against cyber-attacks.
- Partnership and collaboration: The framework serves the BFSI sector institutions, much like a country defending itself from enemies, by continuously involving all its people at various levels and encouraging the sharing and reporting of suspicious activity. When financial institutions follow these guidelines, it promotes the growth, innovation and development of the overall sector.
There are challenges with the framework in terms of lack of expertise, financial capacity and awareness of how to implement the guidelines. Despite these, the framework lays down a good set of guidelines around which the BFSI sector can start building a foundation to be prepared against cyber-attacks. In keeping with the principle that cybersecurity is a continuous effort rather than a one-time activity, the RBI has frequently released circulars updating the guidelines in the framework on various aspects of digital security.
The world we operate in is rife with threats. Cybersecurity frameworks have been established and constantly updated to ensure that the guidelines help organisations effectively counter these threats. With the help of these frameworks, critical businesses and services in the BFSI sector can deliver the right assurances, guarantees and build trust with the entire digital ecosystem of consumers, partners and vendors of digital solutions.