Financial institutions across the country are increasingly grappling with the perpetual risk of data leaks and security breaches.
The recent data breach at Star Health and Allied Insurance serves as a reminder of this vulnerability. Sensitive data belonging to 31 million customers, amounting to an estimated 7.24 terabytes, was reportedly put up for sale on the messaging platform Telegram.
The threat, however, extends far beyond traditional financial institutions, raising concerns about the security of customer data across a wide range of industries.
The Reserve Bank of India (RBI) report on ‘Currency and Finance 2023-24’ cautioned against risks related to cybersecurity and frauds due to an increase in digitisation, along with risks to financial stability.
The report said digitisation can also bring new risks for customer protection and financial stability in the form of cybersecurity risks, financial frauds and eventually implications for macro-financial stability.
“Amid several benefits,… digitisation also brings new challenges in terms of complex financial products, greater interconnectedness, cybersecurity risks, financial frauds, and customer protection, with implications for macro-financial stability,” the RBI report said.
Third-party reliance risks
However, despite cutting-edge innovation in the larger financial ecosystem, factors such as dependence on third-party service providers, limited cybersecurity budgets, and poor implementation standards worry players.
“In a financial institution, there are so many people who are outside your organisation, connecting to or having access to your environment such as SaaS applications, service and infrastructure providers, among others,” said Pankit Desai, founder of Mumbai-based cybersecurity firm Sequretek.
He said multiple stakeholders are involved in a financial institution’s operations. “When you have a very large part of your environment that is not in your control, and you give access to somebody else, something goes wrong, and eventually there is a collateral impact,” Desai added.
Limited budgets
In December last year, RBI deputy governor Swaminathan J, while referring to instances of unscheduled downtimes, said that commercial banks in the country were not spending their information technology (IT) budgets.
Desai from the cybersecurity firm explains that regulated entities (REs) such as banks and non-banking financial companies (NBFCs) tend to have their IT budgets in the range of 6 to 10 per cent of their revenue.
“Security budgets tend to be between 5-10 per cent of that all IT budget. What happens is for most organisations, security in their mind is like a sunk cost and it is difficult to convince leadership to invest enough,” he added.
Cloud vs in-house servers
On data storage, experts believe that both in-house servers and dependence on third-party cloud infrastructure are exposed to threats. The debate over which is safer, cloud or in-house servers, fails the cybersecurity argument primarily because it is a function of capability and not safety.
Desai’s firm has managed to crack more deals against the backdrop of rising cases of cyberattacks.
“This quarter, we have closed as many customers as we closed the entire last year. There is a growing interest from non-regulated entities beyond the financial sector such as manufacturing, services companies and even those engaged in education,” he said.