Are RBI's Latest Cybersecurity Moves Bold Enough?
Critics Call for More Aggressive Bank Audits, Monitoring of Technology Implementation
The Reserve Bank of India, the nation's central bank, is launching a number of efforts to help bolster the cybersecurity of banks. Those include encouraging banks to use access control management and install security operations centers.
But some security experts say the measures are not bold enough. They call on the central bank to, for example, launch a far more robust random audit program to help ensure banks are taking appropriate security measures.
The RBI's announcement comes in the wake of the Cosmos Bank ATM server attack that enabled attackers to siphon off US$13.4 million.
In its annual report, RBI states it wants to take effective steps to further enhance banks' levels of protection against cyber risks.
"With the emerging threat landscape, where organized cybercrime and cyber warfare are gaining prominence, the department of information technology is working toward ensuring continuous protection against the changing contours of cyber security threat," the RBI states.
But some security practitioners aren't particularly impressed with RBI's proposals, saying the measures mentioned in the report are nothing new.
"All the listed measures, like access control management system, security operation center, etc., only build the confidence level of stakeholders," says the information security officer of a Chennai-based bank, who did not wish to be named. "In reality, how much these measures are implemented by banks and continuously monitored is something best known to the RBI. I have been hearing about these measures for many years now."
Some security professionals are calling on RBI to build a more robust audit system that goes far beyond routine annual audits.
"What is needed is audits where banks and other financial institutions are audited without prior notice," the Chennai-based bank CISO says. "Also, it's important for the RBI to understand that just instructing financial companies to invest in certain technologies isn't enough. It must make sure banks are able to utilize these technologies fully."
The report mentions that private sector and foreign banks accounted for 36 percent each of all cyber fraud reported in debit, credit and ATM cards, among others during 2017. As a result, the RBI plans to conduct theme-based IT examinations of Indian banks this year with targeted scrutiny for appropriate policy and supervisory intervention.
RBI has also stressed that banks need endpoint security for electronic payment systems, such as RTGS [real time gross settlement], emphasizing the need to secure every endpoint connecting to a network to block access attempts and other risky activity. To achieve this, RBI wants to identify a range of risks related to endpoint security while at the same time providing user information and tools to improve fraud prevention and detection.
"We would like to support ongoing education, awareness and information sharing and monitor evolving endpoint security risks and risk controls," the RBI says.
It also recommends that banks should:
- Have procedures and practices in place to respond to actual or suspected fraud in a timely manner;
- Monitor evolving endpoint security risks and risk controls and review and update the endpoint security requirements, procedures, practices and resources.
RBI also reiterated its April order that all digital payment companies have servers located in India for storage of Indians' data. (See: Will RBI's Local Data Storage Mandate Be Relaxed?)
Although digital payment firms vehemently opposed that requirement, RBI is holding its ground, with an aim toward having better control over data. RBI is also looking to intensify data monitoring to help detect fraud.
Practitioners say that instead of localization, RBI should address better governance and management in the cloud. "Some countries are in initiatives toward harmonization of cloud controls and in building synergy with the Cloud Act. Data localization has too many precursors," says Madhav Chablani, chairman, India Chapter, Cloud Security Alliance (see: Why Data Localization Proposal Needs Refinement).
"In order to further strengthen the confidence in the payment systems and minimize instances of fraud, there is a need to monitor the types of fraud that may be taking place in various payment systems," RBI states. So it plans to devise a comprehensive framework, in consultation with the industry, for collection of data on fraud in the payment systems, RBI Governor Urijit Patel says in the report.
More Needs to Be Done
The RBI's proposals fall short because they are too similar to initiatives announced in previous years, says a chief risk officer who was formerly associated with a financial insurance firm, who requested anonymity.
"Though the RBI keeps itself abreast with the latest technology in the security space, what is actually needed is a continuous monitoring of implementation of these technologies," the former CRO says. "The real strength lies in understanding how these technologies are helping to thwart cyberattacks prevalent in Indian banking industry. Whether banks have the technical know - how of leveraging these technologies."
Too often, banks invest in security technology to avoid RBI fines but fail to actually utilize that technology when it's needed most, some security experts contend.
For example, a majority of banks in the country have implemented a SOC, but very few actually know how to read the logs properly, some security practitioners contend. As a result, RBI should take bolder action to ensure banks properly leverage security technologies, they say.
Rajesh Dangi, chief technology officer at NxtGen Infinite Datacenter, is among those calling on the RBI to be more aggressive about auditing banks for their security measures.
"The identification of threats and remediation planning is a continual process," he says. "With lethargic audit cycles and lack of third-party cross audits, it is becoming challenging to trust technology vendors and implementers of these solutions. Adherence to guidelines and directives cannot be done by one single audit team. Audits and monitoring must be dynamic and automated. Log management and submission should be done by an external agency, and there assessment should be 24x7 process."