In Dig­i­tal Rush, Banks may Let You Down

The Economic Times - - Money & Banking - SALONI SHUKLA & PRATIK BHAKTA

Of late, the flow of wis­dom from top cen­tral bankers to the less priv­i­leged ones has come down to a trickle. But there is an ex­cep­tion – the sub­ject of cy­ber se­cu­rity. Re­serve Bank of In­dia deputy gov­er­nor SS Mun­dra has ad­dressed three con­fer­ences in as many months. But the mes­sage is more wor­ry­ing than com­fort­ing.

His lament was that while the threats for over 1.4-bil­lion bank ac­counts are on the rise, the banks are hardly do­ing much to pro­tect their cus­tomers. Leave alone tak­ing pre­cau­tion­ary mea­sures, they don’t even do the manda­tory re­port­ing bit to the reg­u­la­tor on time.

In March 2011, when hack­ers in­fil­trated RSA - one of the world’s top com­puter se­cu­rity com­pa­nies - the mes­sage was loud and clear that if a se­cu­rity com­pany gets bro­ken into, it could hap­pen to any­one. A few years later, its chief Amit Yo­ran shocked the se­cu­rity world when he an­nounced that “the cy­ber-se­cu­rity in­dus­try was fun­da­men­tally bro­ken and warned that it was only go­ing to get worse.”

Acy­ber-at­tack­inthe­sum­merof 2014on theworld’slargest­bank,JPMor­ganChase, rat­tledthein­dus­try­whenac­countsof 76 mil­lion­house­hold­sand7mil­lion­busi­ness­eswere­com­pro­mised.It­sCEOJamie Di­mon­wrote,“Itis­go­ing­to­bea­con­tin­ual an­d­like­lyn­ev­erend­ing­bat­tle­tostaya­head of it—and,un­for­tu­nately,notev­ery­bat­tle will­be­won.”

JPMor­ganad­mit­ted­tothe­breac­hand now­in­vest­snearly$600mil­lion­ayearto pre­ven­tit.The$1.5-tril­lionIn­di­anBank­ing in­dus­tryinthe­last6­monthshas­re­luc­tant­lyre­port­edthata­dozen­bankswere­hitby mal­ware,which­in­clud­ed­com­pro­mis­ing 3.2mil­lion­car­d­de­tails.

“The sit­u­a­tion is very scary if banks don’t strengthen their cy­ber se­cu­rity, there is no doubt in my mind that all banks will be at­tacked,” says Ki­ran Shetty, In­dia chief ex­ec­u­tive of SWIFT, a global fi­nan­cial mes­sag­ing com­pany. “I ab­so­lutely be­lieve that cy­ber threat is go­ing to evolve and it is go­ing to be­come more in­tense than ever be­fore.”

So far, the at­tacks have been few and far be­tween and most of them were mi­nor breaches that did not threaten the in­dus­try or even the par­tic­u­lar in­sti­tu­tion. But it could re­ally bring down in­sti­tu­tions as it re­cently hap­pened with the Bangladesh cen­tral bank where op­er­a­tions came to a grind­ing halt.

“Cy­ber-at­tacks in worst case sit­u­a­tions can bring down the en­tire bank, it can de­face their en­tire web­site, se­verely pro­hibit them from car­ry­ing on with their nor­mal func­tions,” says Reshmi Khu­rana, man­ag­ing di­rec­tor, global risk con­sul­tancy firm Kroll.

The state of af­fairs in In­dian banks does not give con­fi­dence. RBI has ap­pointed a stand­ing com­mit­tee to re­draw cy­ber se­cu­rity preparedness.

“We­haveob­servedthat­in­many­cases,the banksre­act­to­cy­ber­in­ci­dentsi­naknee jerkan­dad­hoc­man­ner­whichat­times has­apo­ten­tial­to­jeop­ar­dis­efu- turein­ves­ti­ga­tions,”RBIdeputy­gov­er­nor SSMun­dra­saidrecently.“The­world­has learnt­thatin­deal­ing­with­cy­ber-at­tacks, aware­nes­sand­sharingof in­for­ma­tion playan­im­por­tant­role.We­oftenob­serve thatthiskeypremi­seisig­nored.”

While the reg­u­la­tor man­dates re­port­ing of cy­ber-at­tacks within 2-6 hours of de­tec­tion, banks usu­ally skip it. The of­fi­cial num­bers also don’t re­flect the true story. Top 51 banks in In­dia have lost Rs 485 crore be­tween April 2013 and Nov 2016 and 56% of the money lost is due to Net banking thefts and card cloning in­ci­dents, fin­min data shows. There are at least 15 ran­somware at­tacks per hour in and one in three In­di­ans falls prey to it.

“To­day In­dia does not have a cen­tral repos­i­tory to de­tect red flags early on and un­der­stand the modus operandi of cy­ber-at­tacks,” says Mukul Shri­vas­tava, part­ner, fraud in­ves­ti­ga­tion & dis­pute ser­vices, EY In­dia. “In many cases, or­gan­i­sa­tions which have been pre­vi­ously at­tacked may mask it and move on, as com­pared to the western world where there is a re­port­ing mech­a­nism for cy­ber- at­tacks.”

It is a dou­ble-edged sword for banks where dig­i­tal trans­ac­tions have soared since high value cur­rency were scrapped while their in­fra­struc­ture re­mained as un­safe as be­fore.

“As we go down the push to­wards dig­i­tal, the counter point is se­cu­rity,” says Uday Ko­tak, ex­ec­u­tive vice-chair­man, Ko­tak Bank. “There is risk with some dig­i­tal ini­tia­tives, so be para­noid and be­lieve that it is chang­ing the world. It’s like be­lief in God. But make sure it’s the right God. Don’t say there is no God. Just in case there is one, you will be out of busi­ness. So bet­ter be para­noid.” Preven­tion re­quires in­vest­ments, es­pe­cially in tech­nol­ogy. Glob­ally, banks set aside 12-15% of the an­nual tech spend for cy­ber se­cu­rity, while in In­dia, most big banks

do not even spend a cou­ple of mil­lion dol­lars on IT, leave alone cy­ber se­cu­rity. “Be­fore de­mon­eti­sa­tion, In­dian banks had only 6-7% trans­ac­tions hap­pen­ing dig­i­tally ver­sus the US, where over 80% trans­ac­tions are tech­no­log­i­cally en­abled,” says Saket Modi, CEO, Lu­cideus Tech. “It sim­ply means that the fo­cus of the banks has not been on get­ting dig­i­tally en­abled and, hence, it did not make com­mer­cial sense for the boards of large banks to sanc­tion large bud­gets for cy­ber se­cu­rity.”

Gart­ner, a global tech­nol­ogy con­sul­tant, has pre­dicted that IT spends by do­mes­tic banks and se­cu­ri­ties firms are ex­pected to grow nearly 10% to $8.9 bil­lion in 2017. But de­spite the ex­pected in­crease in IT spends, it’s quite pos­si­ble that the ad­ver­saries will be able to out­gun banks.

“The prob­a­bil­ity of you be­ing let down by your bank (even if they spend mil­lions of dol­lars on se­cu­rity) is very real, thanks to the known un­knowns in cy­berspace. To err once is hu­man, to err twice is lazy,” says Modi of Lu­cideus.

The world of cy­ber se­cu­rity is like test­ing un­char­tered wa­ters. RBI has warned banks that preven­tion is bet­ter than cure and banks will do well to se­cure them­selves from a threat that has the po­ten­tial to bring down a fi­nan­cial in­sti­tu­tion.

“A chill­ing state­ment by an IT ex­pert is ‘we have all been hacked, the only ques­tion is whether you know it or you don’t.’ While the state­ment may be alarmist, it is an an­ti­dote to com­pla­cency,” said for­mer RBI gov­er­nor Raghu­ram Ra­jan. “We will be living in in­ter­est­ing times. Whether it is a bless­ing or a curse is up to us.”

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.