Rajan's Lasting Cybersecurity ImpressionsSecurity Leaders Believe RBI Governor Set Tone and Vision for Banking Security
Reserve Bank of India Governor Dr. Raghuram Rajan's decision to step down at the end of his term in September has sent ripples across the banking sector and the security fraternity. Although India's regulatory body has witnessed many heads roll, this is the first time in the history of Indian banking that the security industry has reacted to the change at the top.
As Rajan decides to get back to his passion - teaching - security leaders say that what Rajan had started will remain exclusively his legacy. He's one of the few top executives who had a practical vision for cybersecurity in the banking space.
The legacy of his (Rajan's) contribution will be visible when we will have most of Indian banking on digital devices with adequate cybersecurity and required controls mandated by the RBI
Under his regime, RBI directed banks to address risks arising out of growing incidents of cybercrime related to financial transactions (see: RBI Plans Cybersecurity Arm for Banks).
In a note to bank chief executives, Rajan said, "Banks should immediately put in place a cybersecurity policy elucidating the strategy containing an appropriate approach to combat cyber-threats, given the level of complexity of business and acceptable levels of risk."
Rajan's Drive for Cybersecurity
What needs to be acknowledged is that Rajan realized that the Indian banking system understands too little of IT, and there are various ways of penetrating cyber defences, including through people rather than processes or networks.
He believed it's critical to judge the security preparedness of banks, as well as assess their effectiveness of technology adoption, in the wake of serious data thefts from central banks.
Some of his key accomplishments for the security industry include:
- Initiating unified payments interface service for mobile fund transfers to drive the concept of a cashless society, along with National Payments Corporations of India (see: Securing NPCI's Unified Payment Service Against Online Fraud);
- Rolling out a new cybersecurity policy for banks as distinct from the broader information security policy with emphasis on cybersecurity assessment policy with the board's involvement (see: RBI Issues New Cybersecurity Guidance);
- Setting up of RBI's IT subsidiary to address cybersecurity challenges of the banking sector and appointing a CEO to drive it; (see: Nandkumar Saravade is CEO of RBI's New IT Arm);
- Recommendation to remove two-factor authentication for small-value transactions up to Rs. 3,000 (roughly $47 USD) for simplified electronic transactions for consumers (see: RBI to Ease Transaction Security?).
Clearly, Rajan's not oblivious to the risks the new initiatives would bring in, as he cautioned: "Along the UPI payment chain, transactions can go wrong. There's a need for a system handling customer complaints, grievance redressal and protection from security breaches and fraudulent transactions."
L. S. Subramanian, cybersecurity consultant for BFSI and founder of NISE, says: "Rajan will be remembered for granting licences to payment banks which operate digitally and also to small banks. The legacy of his contribution will be visible when we will have most of Indian banking on digital devices with adequate cybersecurity and required controls mandated by the RBI."
The security fraternity to some extent is surprised over his close involvement with every security project associated with the banking industry.
For instance, Dr. A. Rajendran, CTO, National Payments Corporation of India, says, "I remember having a long discussion with the RBI governor twice during the course of product development on the UPI project to seek his insights. Security was his prime concern and he suggested ensuring and enabling customers to perform a secured transaction: such was his involvement."
Subramanian says Rajan has established the foundation for secure and trusted digital banking in India and has set the tone and vision for secure digital banking in India.
Practitioners hope that once RBI's cybersecurity policy comes into effect, the industry can see customers witnessing secure banking and CISOs breathing a sigh of relief.
To that extent, Rajan has formed a panel headed by Meena Hemachandran, executive director at RBI, to examine the cybersecurity aspects of banks in the wake of various threats and guide RBI on how to improve IT security.
Do you expect the new incoming RBI's head to carry out Rajan's legacy in establishing a cybersecure ecosystem? Are banks all set to assure their customers a cyber-safe transaction?