Open Banking Roundtable
Banking Frontiers, in association with Fortinet, organized a web panel discussion by BFSI CISOs on the growing thrust on trust through security. Edited excerpts:
Sunder Krishnan, CRO, Reliance Nippon Life Insurance:
The ongoing pandemic and WFH have led to a rise in the threat and risk factors, as WFH involves the use of several devices for doing organizational work. How do we know that data has got leaked? After a customer logs in with a big proposal to a bank, insurance or mutual fund company, he may receive many calls from competitors, implying that customer data is getting leaked. We have experienced this kind of business environment. These days, customers are alert and they want topmost security and privacy, and business teams are giving importance to that information security.
Data is oil and wealth and data is up for grabs. Therefore, it needs to be protected. Everybody knows that the customer is the primary data owner. Then the business head becomes the owner of the data in the organization. The organization naturally does not want data leakage as it leads to, among other risks, reputational risk. When data leaks get media exposure, there are repercussions for the company, including in the stock markets.
In the Indian subcontinent, behaviour tracking has become important, especially after the pandemic. For example, while doing trading, there is a requirement to track the conversations of the dealers, and we need to ensure that they do not carry their mobile phones. The dealer must sign the legal undertaking that there is nobody around him and no device is around him.
From the data leakage perspective, we must capture customers’ behaviour, login and logout. If there is any unusual pattern, then we get alerts. The new GRC software alerts us if somebody leaks the data. We also get alerts if somebody downloads important documents that contain data processes and manual documents. There are apps to monitor behaviour. However, fraudsters have become smarter; they have started using artificial intelligence and machine learning.
Dr N Rajendran, CEO, IFTAS:
Financial transactions are very crucial and hence people are not allowed to carry their mobile phones into the data center - we used to follow these guidelines before covid. But, after covid, CISOs have opened the boundaries. They have accepted the use of the employees’ personal devices as part of their business requirements.
People went to their home towns just before the start of the lockdown and still they have not been able to resume normal duties at the offices. This has pushed CISOs to do a lot of innovations. CISOs have changed their behaviours and they have been able to handle this unexpected eventuality. At the same time, they are not compromising with the data. It is important to build trust in the payment system, without which no organization could have been able to survive. The first thing in fraud risk management is to arrive at a score where all the behaviour patterns are examined before making the final decision on the transactions. This is done either at the payment system or at the core banking system. Risk management is not just transaction information; it should also cover the endpoints of customers and merchants. All the behaviour patterns are correlated with their previous transactions and locations, and these things need to be checked. There is an automatic decline if limits get crossed, and it raises an alarm for the banks. Such things are already there in the banking system - the endpoint needs to be correlated with the security operating systems.
Companies depend on the customer databases for behaviour, failure and transaction pattern evaluations and for making decisions. The transaction goes to the fraud and risk management systems; this also helps to validate whether to decline or go ahead with the transactions. A lot of patterns will come and you need to integrate them with IoT. The remote working places are becoming more painful for the CISOs to monitor and control, as employees’ videos are not available.
In my organization, we follow processes and it takes time to arrive at decisions, while fraudsters can do things on their own. Organizations need to adopt an integrated approach and involve security devices to analyse and then take the decisions. This helps in closer decisions and removes false possibilities.
Shibu Thomas, CISO, South India Bank:
The customer is the core and critical part of the banking business and products, and we need to protect him and allow him to do transactions safely and securely. The most important and critical job of the CISO is to ensure that there is trust in the system, which banks are required to provide to their customers. We cannot keep on adding security layers because the customer also gets frustrated, as they need to get their job done as fast as possible. Within 3 clicks, customers should be able to reach the page and get their transactions done.
South Indian Bank has introduced its ‘Mirror +’ app, using which our customers can lock ATM, internet and mobile channels. So, unless the customer unlocks it, no one will be able to do the transaction.
As much as 88% of the transactions in our bank are digital. We are among the top 10 banks to have digital transactions. Recently, there is a rise in digital transactions and correspondingly in the number of online frauds. Fraudsters are using innovative ways to defraud unsuspecting people. We need to provide seamless transactions to our customers and detect their mistakes and prevent frauds. This is the key challenge for us and within the regulatory directions, we must roll out facilities and features. The moment you introduce another option in the payment system, the fraudster starts moving into it. It is an irony that we need to keep pace with the fraudsters and their technological prowess.
We are already using behaviour analytics tools for analyzing user and network behaviour. We are working on in-depth analysis of user behaviour. For example, a user uses a keyboard in a particular way and if somebody else is using the same keyboard in the same way and trying to access the system, then behaviour metrics can alert it.
We can analyze the user behaviour and network to a certain extent, and then it needs to coordinate with our central operating system. There are coordination engines, which try to cooperate with the fraud risk management engines. We look at the transactions along with the behaviour transactions and, putting all these together, we have a good behaviour system in place. There are new applications and technologies getting developed and innovations happening, but we need to go deeper.
Artificial intelligence and machine learning could provide in-depth analysis. If somebody is standing outside an ATM and trying to pull money from others’ bank accounts by using their debit cards, then the reaction time should be in seconds. We need a machine learning and automated system to react fast and hopefully protect the customer from this fraudulent behaviour.
K Suryanarayanan, CISO, Central Bank of India:
Trust is the common thing for any business and now the concept of zero trust has evolved. We have been doing it for a long time along with multi-factor authentication for the security of our product. The most important thing is the customer’s trust in the bank. If the customer does not have trust in the bank, then it is difficult for the bank to survive. We are taking all the security measures to ensure that customers’ money is safe with the bank. Since there is no boundary for digital transactions, it is imperative that banks control this access facility in a very secure manner. Recently, RBI has come up with guidelines for the use of debit and credit cards in domestic transactions.
Alain Sanchez, EMEA CISO, Senior Evangelist at Fortinet:
As CISOs, we are expected to deliver an impression of trust to our customers. Otherwise, how will they trust us? When you are giving money to the bank, you expect that this money is safe. On the other end, we need to challenge everything - application vendors, data centers, etc. Companies need artificial intelligence as it helps the human brain to handle extreme burden. It is a complex task to check millions of transactions in a few seconds.
We cannot say that one technology is a panacea, so behaviour analytics needs to work in parallel with authentication passwords. There is also a need for a proper segmentation policy, and the use of VPNs in an ecosystem. It is a holistic approach via cybersecurity. We are moving forward with these solutions. Even machine learning takes time to learn - it can take 4-8 weeks of learning, so ML is not an overnight process. You need to devote a couple of months to it. For example, we use cameras, sensors and industrial processes, and these are also subjected to ML algorithms, but sometimes they talk in a different language. There can be gaps in the proprietary languages, so we need to configure and activate them.
Adoption of integrated platforms is also one of the big trends in the coming future. We always need progress and innovation to go faster in the ideal world. Artificial intelligence is not a detriment to humans. In fact, AI is helping to remove some stress in taking decisions. These are other reliable trends adjusting to the cybersecurity trends. It is a collaborative thing where everyone must act. A human being takes decisions and makes strategies and AI helps in it, so correlations are required.