Business Leaders' Forum (BLF), a joint initiative by the Centre for Advanced Financial Research and Learning (CAFRAL) and Reserve Bank Information Technology (ReBIT), began its journey on February 9, 2018, at the Harvard-style ‘Classroom’ at the Taj Land’s End, Mumbai. It had more than 40 participants – CEOs, Board members, business leaders, and senior management representatives of various banks across the country.
Shri N. S. Vishwanathan – Deputy Governor, RBI, emphasised that there cannot be a better time for the Forum to focus more closely on cyber security, given that global policy makers and decision makers are doing the same, and appreciated the initiative of forming the BLF. Shri Alok Joshi, Chairman NTRO, Shri Chandan Sinha, Additional Director, CAFRAL, Shri Krishna Sastry, ED, PwC, and Shri N.S. Kannan, ED, ICICI Bank, discussed the need for better cyber resilience, case studies and best practices to help build a more cyber resilient financial sector. Shri Nandkumar Saravade, CEO ReBIT, hosted an interactive session on means and ways forward, and Shri Ravikumar, CGM RBI, summarized the proceedings.
The welcome remarks
“The board of directors and the top management are responsible for setting the tone from the top on cybersecurity, and building resilience in the system,” remarked Mr Chandan Sinha, Addl Director, CAFRAL during his inaugural address. Mr Sinha also remarked that there is a felt need for this forum at the management and board level from the point of view of preparedness, experience-sharing and industry benchmarking.
In an erudite address, Shri N. S. Vishwanathan – Deputy Governor, RBI, emphasised that there cannot be a better time for the Forum to focus more closely on cyber security, given that global policy makers and decision makers are doing the same, and appreciated the initiative of forming the BLF. He went on to highlight excerpts, outcomes and frameworks from various international forums like the G20, World Economic Forum (WEF), the IMF and G7. He cited the Financial Stability Board’s stock-taking report on cybersecurity to call out the need for information sharing and the demand for creating a standard ‘cyber security lexicon.’ He touched upon the government’s commitment to set up a Computer Emergency Response Team (CERT) specifically for financial institutions. Mr Vishwanathan also stressed the need for banking leadership to take the issue of cyber security seriously, and more specifically, to monitor gaps in outsourcing arrangements with vendors and the associated people risks.
Shri Alok Joshi, Chairman, National Technical Research Organisation (NTRO), and former chief of Research and Analysis Wing (RAW), Government of India, started his engaging talk by explaining how the nature of threats can be classified into three areas, namely cybercrime, cyber espionage and cyber disruption, with bankers overly preoccupied with the first category. He pointed out the acute demand for skilled cybersecurity professionals and asked the HR heads of banks to devise the right policies and benefits to retain and train their employees, who are typically hired on contractual arrangements. He advised collaboration of organizations across sectors and enlightened the audience on the work of the National Critical Information Infrastructure Protection Centre (NCIIPC) in this regard. He offered help in carrying out cyber resiliency exercises.
An interactive session with case studies
Mr Krishna Sastry, Executive Director, PwC, took the audience through real-life examples and thought-provoking cases. He expressed concerns over the recent developments in cybercrimes, the novel modus operandi and how ‘Crime-as-a-service’ has matured in the past few years. He added that ‘nation-state actors’ play a major disruptive role in the current threat landscape. He opined that there is a lack of effective threat monitoring mechanisms and forensic readiness in some banks. He advised banks to do away with the practice of publishing confidential information about their infrastructure and network in the public domain during the process of inviting RFPs.
On good governance and more
Mr N.S. Kannan, Executive Director, ICICI Bank, gave a comprehensive presentation, where he outlined an effective governance and controls framework for cybersecurity in banks – one that covered the people, process and technology triad. His illustrations from his own experience clearly resonated with the audience.
Mr Vivek Srivastav, SVP and Head of Research and Innovation, ReBIT, gave an overview of the various industry initiatives run by ReBIT, viz. the Operational Excellence Webinar series, the DMARC anti-phishing campaign, the monthly newsletter ‘Cyber Pulse’ and the community-led Cybersecurity maturity model for maturity assessment and benchmarking. Attendees of the forum commended the efforts taken by ReBIT towards building cyber resilience in the Indian banking sector.
Mr Nandkumar Saravade, CEO, ReBIT, moderated this session and the audience responded with questions, comments and insights. He sought their feedback on the desired frequency of such a forum, the topics they would like to deliberate on in the sessions and their commitment to actively participate in future editions of the BLF. The attendees agreed that such sessions would be beneficial to the individual banks and the industry at large, and a quarterly congregation was decided as ideal.
The need for the Board members and CEOs of banks to prioritize cybersecurity
The right governance structures
An understanding of technology risks and capabilities by the business
Vendor management and risks from outsourcing (including the right RFP processes, concentration risk)
Strengthening the supply chain
The need for collaboration across banks, sectors
Active information exchange on cyber frauds and cyber incidents
Response, Recovery and Communication - the role of the Boards and senior leadership, and ensuring a concerted approach where IT, customer services and media/communications come together (table top exercises / cyber drills to be conducted)
Sharing of stories and lessons so that banks can learn from each other
Drawing on global best practices, frameworks
THE WEAKEST LINK
People: The HR aspects - policies, the right skills, benefits, employee as well as customer awareness, building a culture of security
Use of analytics, AI and ML for proactive cyber risk management
ECONOMICS OF SECURITY
The right investment in cybersecurity
RFPs provide a lot of details which could be misused by hackers. Hence, steps should be taken to initiate discussions with the Central Vigilance Commission on RFP masking.
Servers of banks (IP addresses) should be chosen to keep the hackers guessing.
Prepare inventory of vendors and IT assets to review Cyber Security mapping (at desktop and devices, network and application levels).
Creation of a dedicated Cyber Security Management Committee (independent of the bank’s IT Committee). This committee should review and monitor the cyber security policy and preparedness plan of the bank. Reviewing and equipping the team’s strength and qualifications to enhance cyber security in the banks.
Communicating the observations of Cyber Security and Information Technology Examination (CSITE) Cell to the Boards
Ensuring and insisting on examining new applications and APIs from a cyber security perspective before launch.
Shri Ravikumar Rangachary, Chief General Manager, Department of Banking Supervision, Reserve Bank of India, succinctly summed up the day’s proceedings, thoughts and key points.
Right from welcoming the invitees and introducing the distinguished speakers of the day to making dessert recommendations before a sumptuous lunch, Mr Ravindra Sangvai, Program Director, CAFRAL, ensured that the event went smoothly, as planned.
All in all, the inaugural BLF meet was a resounding success. Watch out for the next edition, in the coming quarter!
Write to us with your feedback/expectations at firstname.lastname@example.org