
RBI's new cybersecurity framework giving a tough time to all banks

While top banks can afford to purchase high-end deception technologies and build strong security operations centres, the smaller rural or cooperative banks may stand to lose

Advait Rao Palepu Mumbai
Last Updated : Dec 21 2018 | 2:31 AM IST
Nearly two and a half years after the Reserve Bank of India (RBI) published a cybersecurity framework for all commercial banks, banks are having a tough time finding the people needed to give them the necessary protection. While top banks outsource significant cyber-security exercises and operations to consultancies and security firms, many smaller banks stand to lose out because they lack the same deep pockets.

For the past three months, Business Standard has requested several meetings with Chief Information Security Officers (CISOs) at the top public and private sector banks, seeking information on the status of implementation of the RBI’s circular. However, the banks declined to comment.

There are two core security exercises that banks have to conduct on their networks periodically, as opposed to day-to-day security checks. The first is Vulnerability Assessment and Penetration Testing (VAPT) and the second is Comprehensive Security Testing (CST).

A senior public sector bank official told Business Standard, “About 90-95 per cent of VAPT and CST exercises are done by tools and generally today 75 per cent of these tests are done by the Big 4 (consultancies), because they have the tools and overseas experience.” 

Mrutyunjay Mahapatra, Chief Executive Officer at Syndicate Bank, said, “For day-to-day activities, banks are trying to build a team of people who are certified with cyber-security skills and have risk management experience. However, there are very specific areas such as audits that are outsourced because they are process and technology intensive.” Since these “significant” aspects of cyber-security operations are outsourced, the attrition/retention risks are passed on to the vendor, whether one of the Big 4 firms or a security services company, he said.

Experts said since the RBI’s initial circular in 2016, almost all commercial banks have implemented the technical aspects related to cyber-security, including routine network upgrades and vulnerability testing, but governance and a talent shortage remain key pitfalls. 

“While there is improved symbiotic threat intelligence sharing amongst the CISO community in India and proactive measures are taken to avoid similar incidents, there’s definitely a huge need for advancements in current security incident logging and monitoring practices,” said Kartik Shinde, partner on Cyber Security at EY India.

“Around 90 per cent of the cyber-attacks investigated by us have shown low maturity in the way logging of incidents and events is implemented, which leaves little or no room for doing a thorough investigation. Forget thinking about the next generation security operations centres,” he said. 

In an era of hacking and growing cyber-threats emanating from state or non-state actors, banks have to improve “trust” with their customers and therefore depend entirely on their cyber-security technology, internal governance frameworks and the people running these operations.

As banks rapidly embark on their digital journey, the attack surface will continue to increase and the attack vectors will get sophisticated. As regulations become stringent and the cost of compliance continues to rise, organisations need to invest significantly in analytics, automation and security platforms that will ease the burden, Shree Parthasarathy, partner at Deloitte India, said.

Unfortunately, the deployment of technology — by roping in consultancies or buying enterprise security software — and finding the “right” talent are both a function of the banks’ investment and spending capacity.

This leaves the top commercial banks with the “latest” technology and “best” talent, while smaller rural or cooperative banks may stand to lose. 

Sanjay Katkar, chief technology officer at Quick Heal Technologies, said the top public and private banks spend around 5 per cent of their budget for cyber-security, whereas the global standard is around 9-10 per cent. 

“Many banks and institutions believe that if they spend large amounts of money on technology, cyber-security problems will be solved. But security products are only tools and companies need to find the right manpower to handle these issues… I find that many of the CISOs at cooperative banks are not knowledgeable about these threats and technologies,” he said.

A lawyer helping banks develop their cyber-security policies said, “Banks are taking cyber security very seriously, but are finding ways to avoid certain tough decisions. For instance, in some banks the CISO’s role has been clubbed under the Chief Technology Officer’s ambit, which is not ideal.”

Beyond their in-house employees, banks and other organisations routinely contract freelance cyber experts or “white-hat”/ethical hackers, but these contractors often lack experience in dealing with different network systems.

“Most such security experts have managed small-scale systems or have worked on one or two application systems, whereas the entire banking system or even a single PSB may have multiple types of systems which could run into the hundreds,” said Mahapatra. 

Given the shortage of cyber security talent available for banks to hire as full-time employees, there is a high attrition rate. The strength of a bank’s network security and the ability of its staff to respond to cyber threats depend entirely on the governance framework and the training given to its entire staff, across departments.

While top banks can afford to purchase high-end deception technologies and build strong security operations centres, they also have the ‘purchasing power’ to attract the right talent. This means that the security of smaller banks, and of their customers’ deposits and information, will be left behind, as was witnessed in the recent Cosmos Bank hack.