“Shutting down the dark web is impossible. However, the Maharashtra police is well-equipped with tools, technologies and the skills to nab imposters in the world of the dark web”, announced Mr Satish Mathur, Director General of Police, Maharashtra, in the keynote address he delivered at the second edition of the Business Leaders’ Forum, a joint initiative of CAFRAL and ReBIT. He invited banks to approach the Maharashtra Police and seek help in dealing with cyber fraud.
There could not have been a more reassuring message for the senior bankers who were delegates to the exclusive, closed-door forum, held at The Taj Lands End, Mumbai on May 23, 2018. Themed ‘Continuing the dialogue on Operational risk management’, the mid-week event saw around 50 participants from the Indian banking community.
The Welcome Address
Mr Chandan Sinha, Additional Director, CAFRAL, opened the forum by highlighting that cyber risk management is ‘a felt industry-need’ and that the RBI expects bank boards and senior management to know the risks and threats their organizations face, as well as the ways to mitigate them. Advocating an organization-wide culture of security, he welcomed the dignitaries, Dr Gulshan Rai, National Cyber Security Coordinator, and Mr Satish Mathur, to the dais, along with the members of the Indian banking industry present on the day.
Dr Gulshan Rai drew upon his long and rich experience of dealing with cyber security issues at the strategic level. He pointed out that the tremendous innovation in banking technologies also increases the attack surface and the likelihood of adverse incidents. Given the massive spurt in digitalization, Dr Rai encouraged organizations to assess whether systems and mechanisms are in place to handle the adverse effects of open risks and inherent systemic gaps. “We are not in a zero threat or 100 percent safe stature today and so it is a must to plan for resilience,” he added.
He called for a multi-stakeholder approach in which the Government, Law Enforcement Agencies (LEA), financial sector regulators, banks and all regulated entities collaborate to overcome the rampant cyber challenges of our times.
After Dr Rai set the context, Mr Satish Mathur mapped out the way forward in his keynote address, recommending an approach of ‘anticipate and plan’. It was heartening to hear from him about the capacity building, skilling and preparedness efforts of the Maharashtra Government, the High Court and the Mumbai Police in combating cybercrime, investigating cases and recovering fraud losses, including a dedicated IT centre, a State CERT, online access to court records and more. He also underscored the importance of setting up cyber courts to handle cybercrime cases.
An interactive Q&A session followed, touching on a range of topics: case studies on managing IT systems, contractual security arrangements with cloud service providers, and data privacy considerations including the timely demise / purging of data.
SWIFT and Protection of Crown jewels
Mr Saqib Sheikh, Head of Customer Solutions and Presales for the Asia Pacific region at SWIFT, delivered a highly informative session on SWIFT. Beyond the specifics of the messaging system, he drove home several salient points:
Assume you will be breached!
Cyber security is an Enterprise responsibility, not that of just IT / Operations
When banks and financial institutions have a laser focus on Credit Risk, why don’t they give IT risk its due?
Security By Design should be in the culture and DNA of organizations
Keep a cyber forensics team ready at all times!
Share and consume intelligence
Establish baseline security
Ms Shilpa Kumar, CEO, ICICI Securities, spoke from her long experience of running a bank treasury, an environment characterized by high-frequency, high-value transactions. She encouraged the participants to consider how well their systems are architected and whether controls span the front office, middle office and back office. She highlighted the criticality of robust access controls, a centralized system, well-defined processes and, last but not least, a culture of security.
Vendor Risk Management: Perspectives and ground realities
Mr Jayaraman Pazhamalai, Senior Vice President, Systems Audit, ReBIT, moderated a stimulating panel discussion on vendor risk management, which blended diverse perspectives. He explained the convergence of business and technology and set the context with the banks’ increasing reliance on vendors for their IT and Cyber Security needs.
Mr Kunal Pande, Partner, KPMG, made a good point on accountability: risk cannot be outsourced! He stressed the importance of an overall Third-Party Risk Management (TPRM) program that encompasses a robust due diligence process, minimum standards for critical areas, and the use of technology to implement controls against vendor risks effectively.
Mr Sameer Ratolikar, CISO, HDFC Bank, reiterated that we live in an era of data-oriented businesses, in which relying on third parties to serve customers better is inevitable. In that context, organizational perimeters blur: vendors access banks’ data and applications, so how banking applications interface with the vendor network must be scrutinized. With the accelerating pace at which banks outsource their activities today, visibility into the work that vendors actually do comes into question.
Mr Vittal Raj, Partner, M/s. Kumar and Raj, added perspectives from the audit and assurance angle. “Nobody is questioned until something goes wrong,” he said. He made the important point that a vendor is really a partner, and that the issue is at heart a human resources concern. Since multi-tenancy models of vendor engagement are now commonplace, limits on audit are automatically imposed and assurance becomes all the more complex. He felt that the board’s direction and involvement will go a long way towards ensuring robust governance in banks.
Mr Jayaraman Pazhamalai, the moderator, summed up the panelists’ comments with the key message that the vendor ecosystem is part of the extended enterprise. Accountability, however, cannot be outsourced by banks; effective governance and assurance mechanisms are necessary for effective vendor management.
Data Privacy – The Gathering Clouds: What Business Leaders Need To Know
Mr Vinayak Godse, Senior Director - Data Protection, Data Security Council of India, enlightened the audience on one of the most topical issues faced by cyber security professionals and bankers alike. He was optimistic about the upcoming Indian data privacy legislation and opined that it will incorporate some of the provisions of the European Union regulation. He succinctly distinguished security (your organization and your data) from privacy (your customers’ / citizens’ data). With the enormous scope for data-driven activities across business lines to improve user experience and serve customers, it has become imperative to define, examine and investigate how data will be used.
He sensitized the forum to the privacy liabilities that come with digitization (procedural, legal, contractual and harm-based) that organizations should be aware of. He gave a 360-degree view of data privacy, enumerating the kinds of privacy challenges and the appropriate organizational response, including creating a sense of privacy, ethical and moral questioning, and the right governance.
Mr Vivek Srivastav, Senior Vice President, Research and Innovation, ReBIT spoke about key industry initiatives:
With email being the biggest attack vector, the implementation rate of Domain-based Message Authentication, Reporting and Conformance (DMARC, an effective email authentication technology / policy) among Indian banks has risen to 59%, compared with 17% in 2017, thanks to ReBIT’s sustained anti-phishing campaign. The launch of ReBIT’s DMARC tool is planned for Q3 2018.
He also briefed the forum on the ‘Open Banking’ Account Aggregator (AA) initiative, which will spur innovation in the industry by taking an API-driven approach to aggregating financial information per defined technical specifications, thereby empowering end consumers. A hackathon involving all the ecosystem stakeholders is planned for Q3 2018 to promote adoption of the AA architecture. He also covered ReBIT’s other industry initiatives, such as the Cybersecurity Maturity Model, Cyber Pulse (the monthly cybersecurity awareness newsletter) and the Operational Excellence webinar series.
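Since the DMARC adoption figure above counts a bank as covered only if a DMARC record is published, but a record with p=none merely monitors and does not stop spoofed mail, it helps to see what the policy actually looks like. The following is an added example, not code from ReBIT or from any tool described at the forum: it parses DMARC TXT records (the v=, p=, sp=, pct= and rua= tags defined in RFC 7489), rates each record’s enforcement level and lists the gaps a bank would want to close. The four sample records and the domain names are constructed for illustration, and the function names are this example’s own.

```python
"""Rate the enforcement level of DMARC records (added example, not ReBIT code)."""

# Constructed sample records, as they would appear in the _dmarc.<domain> TXT
# record. The domains are placeholders, not real banks.
SAMPLE_RECORDS = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc-agg@bank-a.example; pct=100",
    "bank-b.example": "v=DMARC1; p=none; rua=mailto:reports@bank-b.example",
    "bank-c.example": "v=DMARC1; p=quarantine; pct=25; sp=none; adkim=s; aspf=s",
    "bank-d.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag/value pairs.

    Returns {} when the record is not a DMARC record (missing v=DMARC1).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate stray separators and malformed fragments
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def _pct(tags: dict) -> int:
    """pct= defaults to 100; a non-numeric value is treated as the default."""
    raw = tags.get("pct", "100")
    return int(raw) if raw.isdigit() else 100


def enforcement_level(record: str) -> str:
    """Classify a record as missing, monitor (p=none), partial (pct<100) or enforced."""
    tags = parse_dmarc(record)
    if not tags:
        return "missing"
    if tags.get("p", "none").lower() == "none":
        return "monitor"
    if _pct(tags) < 100:
        return "partial"
    return "enforced"


def findings(record: str) -> list:
    """List the weaknesses a defender would want to fix in this record."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no DMARC record published: receivers cannot reject spoofed mail"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    pct = _pct(tags)
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", "").lower() == "none":
        issues.append("sp=none: subdomains are left unprotected while the apex is enforced")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are never received, failures stay invisible")
    return issues


def adoption_rate(records: dict) -> float:
    """Percentage of domains that publish any DMARC record, regardless of policy."""
    published = sum(1 for r in records.values() if parse_dmarc(r))
    return round(100.0 * published / len(records), 1)


if __name__ == "__main__":
    print(f"DMARC adoption (any policy): {adoption_rate(SAMPLE_RECORDS)}%")
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain}: {enforcement_level(record)}")
        for issue in findings(record):
            print(f"  - {issue}")
```

On the constructed sample, three of four domains publish a record (75% adoption), but only one is actually enforcing; the split between adoption and enforcement is the figure worth tracking alongside the headline percentage.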
Open House Session
Mr Nandkumar Saravade, CEO, ReBIT, spoke about expanding the scope of the forum’s discussions beyond cybersecurity to ‘Operational Risk’ management as a whole, given that fraud and cyber are variants of OpRisk, and that people and process failures, BCP, disaster recovery, crisis management and IT obsolescence are all topics pertinent to banking leadership. He reiterated the need for banks and law enforcement agencies to collaborate, share information in real time and leverage tools and technology to do so.
Mr M P Baliga, Senior Program Director, CAFRAL, thanked the participants of the second edition of the BLF for their interest in this initiative, which is an opportunity for both ReBIT and CAFRAL to serve the Indian banking community: to grow safer, stay prepared and be resilient.