In Digital Rush, Banks may Let You Down
Of late, the flow of wisdom from top central bankers to the less privileged ones has come down to a trickle. But there is an exception – the subject of cyber security. Reserve Bank of India deputy governor SS Mundra has addressed three conferences in as many months. But the message is more worrying than comforting.
His lament was that while the threats for over 1.4-billion bank accounts are on the rise, the banks are hardly doing much to protect their customers. Leave alone taking precautionary measures, they don’t even do the mandatory reporting bit to the regulator on time.
In March 2011, when hackers infiltrated RSA - one of the world’s top computer security companies - the message was loud and clear that if a security company gets broken into, it could happen to anyone. A few years later, its chief Amit Yoran shocked the security world when he announced that “the cyber-security industry was fundamentally broken and warned that it was only going to get worse.”
A cyber-attack in the summer of 2014 on the world’s largest bank, JPMorgan Chase, rattled the industry when accounts of 76 million households and 7 million businesses were compromised. Its CEO Jamie Dimon wrote, “It is going to be a continual and likely never ending battle to stay ahead of it—and, unfortunately, not every battle will be won.”
JPMorgan admitted to the breach and now invests nearly $600 million a year to prevent it. The $1.5-trillion Indian Banking industry in the last 6 months has reluctantly reported that a dozen banks were hit by malware, which included compromising 3.2 million card details.
“The situation is very scary if banks don’t strengthen their cyber security, there is no doubt in my mind that all banks will be attacked,” says Kiran Shetty, India chief executive of SWIFT, a global financial messaging company. “I absolutely believe that cyber threat is going to evolve and it is going to become more intense than ever before.”
So far, the attacks have been few and far between and most of them were minor breaches that did not threaten the industry or even the particular institution. But it could really bring down institutions as it recently happened with the Bangladesh central bank where operations came to a grinding halt.
“Cyber-attacks in worst case situations can bring down the entire bank, it can deface their entire website, severely prohibit them from carrying on with their normal functions,” says Reshmi Khurana, managing director, global risk consultancy firm Kroll.
The state of affairs in Indian banks does not give confidence. RBI has appointed a standing committee to redraw cyber security preparedness.
“We have observed that in many cases, the banks react to cyber incidents in a knee jerk and ad hoc manner which at times has a potential to jeopardise future investigations,” RBI deputy governor SS Mundra said recently. “The world has learnt that in dealing with cyber-attacks, awareness and sharing of information play an important role. We often observe that this key premise is ignored.”
While the regulator mandates reporting of cyber-attacks within 2-6 hours of detection, banks usually skip it. The official numbers also don’t reflect the true story. Top 51 banks in India have lost Rs 485 crore between April 2013 and Nov 2016 and 56% of the money lost is due to Net banking thefts and card cloning incidents, finmin data shows. There are at least 15 ransomware attacks per hour in and one in three Indians falls prey to it.
“Today India does not have a central repository to detect red flags early on and understand the modus operandi of cyber-attacks,” says Mukul Shrivastava, partner, fraud investigation & dispute services, EY India. “In many cases, organisations which have been previously attacked may mask it and move on, as compared to the western world where there is a reporting mechanism for cyber-attacks.”
It is a double-edged sword for banks, where digital transactions have soared since high-value currency was scrapped while their infrastructure remained as unsafe as before.
“As we go down the push towards digital, the counter point is security,” says Uday Kotak, executive vice-chairman, Kotak Bank. “There is risk with some digital initiatives, so be paranoid and believe that it is changing the world. It’s like belief in God. But make sure it’s the right God. Don’t say there is no God. Just in case there is one, you will be out of business. So better be paranoid.”
Prevention requires investments, especially in technology. Globally, banks set aside 12-15% of the annual tech spend for cyber security, while in India, most big banks do not even spend a couple of million dollars on IT, leave alone cyber security.
“Before demonetisation, Indian banks had only 6-7% transactions happening digitally versus the US, where over 80% transactions are technologically enabled,” says Saket Modi, CEO, Lucideus Tech. “It simply means that the focus of the banks has not been on getting digitally enabled and, hence, it did not make commercial sense for the boards of large banks to sanction large budgets for cyber security.”
Gartner, a global technology consultant, has predicted that IT spends by domestic banks and securities firms are expected to grow nearly 10% to $8.9 billion in 2017. But despite the expected increase in IT spends, it’s quite possible that the adversaries will be able to outgun banks.
“The probability of you being let down by your bank (even if they spend millions of dollars on security) is very real, thanks to the known unknowns in cyberspace. To err once is human, to err twice is lazy,” says Modi of Lucideus.
The world of cyber security is like testing uncharted waters. RBI has warned banks that prevention is better than cure and banks will do well to secure themselves from a threat that has the potential to bring down a financial institution.
“A chilling statement by an IT expert is ‘we have all been hacked, the only question is whether you know it or you don’t.’ While the statement may be alarmist, it is an antidote to complacency,” said former RBI governor Raghuram Rajan. “We will be living in interesting times. Whether it is a blessing or a curse is up to us.”