Putting the Finance Industry's Security Practices under the Microscope

GB Shaikh, AVP- SOC, CtrlS Datacenters

Before the digital revolution, security in the BFSI (Banking, Financial Services and Insurance) vertical was confined to traditional mechanisms such as physical security, fire protection and cash-in-transit security. After it, digital security came to occupy a prominent role alongside the physical security of banks and financial institutions. Until the early 1990s banks and financial institutions had not embraced core banking automation in a big way; with the advent of the World Wide Web and the broadband revolution, however, they exposed customer-facing applications such as Internet banking, which put them at greater risk from the following threats:

1. Financial fraud

2. Phishing attacks

3. DDoS attacks against applications

4. Malware threats

The BFSI sector had neither mature security practices nor a comprehensive regulatory security compliance framework. As the digital revolution touched every aspect of human life and banks and financial institutions in India adopted digital technologies on a massive scale, regulators such as SEBI and RBI drafted cyber security frameworks, policies and guidelines for banks and financial institutions in line with the Information Technology Act, 2000 enacted by the Indian Parliament.

RBI in fact took the lead in putting an enforceable cyber security policy in place as part of its audit compliance and licensing regime for new financial institutions, which resulted in the rapid, mandatory adoption of cyber security practices in banks and allied financial institutions. Technology innovation then led to the paradigm shift from Internet banking to mobile banking, which exponentially increased the risk to banks' and financial institutions' digital assets such as core banking applications. Mobile banking brought its own set of threats:

• Mobile malware

• OTP fraud

• Mobile impersonation

• Mobile application fraud

As these technology disruptions opened up a wide range of threat vectors for attackers to create havoc in the banking ecosystem, in the early 2000s RBI drew heavily on security practices from standards bodies such as ISO and ISACA and went on to audit adherence to them bi-annually. Those standards, however, could not keep pace with the rapidly changing threat landscape, and large security gaps remained in the banking and financial industry.

Closing these security gaps brought the industry's entire security practice under the microscopic review of the regulator in India. As a result, RBI constituted the G. Gopalakrishna Committee, whose recommendations were issued in 2011, to come up with pragmatic cyber security guidelines for the banking and financial industry; those guidelines later became the cyber security bible for Indian banking and finance. The Gopalakrishna Committee recommendations brought in a stringent technology, IT security governance and security compliance regime, and a sea change in the way the regulator looked at the security compliance of banks and financial institutions. In fact, empowered with the Gopalakrishna Committee guidelines, RBI started examining banks' and financial institutions' cyber security practices and measures under the microscope.

Under RBI's Cyber Security Framework in Banks (2016), which built on these recommendations, Indian banks and financial institutions have to follow the broad security practices below:

1. Banks should have a board-approved cyber security policy, communicated to RBI's Cyber Security and Information Technology Examination (CSITE) Cell.

2. The cyber security policy should be distinct from the bank's broader IT policy / IS security policy.

3. Arrangements for continuous surveillance: banks should proactively set up and operationalize a Security Operations Centre (SOC) to monitor and manage cyber risks in real time.

4. IT architecture should be conducive to security.

5. Network and database security should be addressed comprehensively.

6. Protection of customer information, particularly personally identifiable information (PII), should be ensured.

7. A Cyber Crisis Management Plan should be developed and operationalized to handle incident response effectively.

8. Cyber security preparedness indicators should be developed to measure progress in preparedness periodically.

9. Information on cyber security incidents should be shared with RBI.

10. An immediate assessment of gaps in preparedness should be reported to RBI.

11. Cyber security awareness should be built among stakeholders, top management and the board.

Besides these, practical technology controls have been laid down that need to be implemented:

1. Inventory Management of Business IT Assets

2. Preventing execution of unauthorized software

3. Environmental Controls

4. Network Management and Security

5. Secure Configuration

6. Application Security Life Cycle

7. Patch/Vulnerability & Change Management

8. User Access Control / Management

9. Authentication Framework for Customers

10. Secure mail and messaging systems

11. Vendor Risk Management

12. Removable Media protection

13. Advanced Real-time Threat Defense and Management

14. Anti-Phishing & Mobile Rogue Application protection

15. Data Leak prevention strategy

16. Maintenance, Monitoring, and Analysis of Audit Logs

17. Vulnerability assessment and Penetration Test and Red Team Exercises

18. Incident Response & Management

19. Risk based transaction monitoring

20. User / Employee/ Management Awareness

21. Risk Metrics & Digital forensics

22. Customer Education and Awareness

As banks' and financial institutions' security practices are under the regulator's microscopic scrutiny, it is critical to adopt the Gopalakrishna Committee guidelines in the right spirit rather than treating them as a compliance check-mark ritual. The threat landscape is evolving at the speed of thought, and to keep pace with it banks have no option but to put in place a cyber security governance and resilience framework, so that they can survive when an unexpected cyber security incident happens and threatens to wipe out customers' confidence in banks and financial institutions.