Cyber crime is more widespread than the drug trade.
According to recent research, remediating a cyberattack costs financial institutions 40% more than it costs any other type of business, and the sector is 300 times more vulnerable to attack than any other.
As has been shown repeatedly, the main objective of hostile attackers who gain access to financial networks is financial gain. Because of the rise in cyberattacks in the financial sector and in industry generally, senior executives are becoming more aware of the need for security. “Our chief security officer recently remarked that he used to meet companies’ boards of directors probably once a year for 20 minutes, but now the amount of interaction we see with the board is 30 minutes every month,” said Rajsri Rengan, head of development for banking and payments in India and the Philippines at FIS.
Cybersecurity is a topic that is on everyone’s mind, according to Rengan. Ranjeeth Bellary, partner at EY Forensic and Integrity Services, said: “According to statistics, cybercrime nowadays is the most costly. Illegal drug trafficking, which was formerly ranked as the top crime, has now been surpassed. Hackers have access to a lot of important information on the personal details of specific users in the banking sector.” According to him, when consumers provide personal information without thinking, whether online or in person, they share some of the blame for cyber disasters.
“I believe that security in the banking sector is a highly regulated component, and as a result, the sector has developed,” Bellary said. Many fintechs, he added, have adopted security in a very flexible and agile manner. He agreed that security is a concern that transcends organizational size.
“Who’s leading the way in financial technology?” was the session’s theme. “Building for change proactively is entrenched in our culture,” said Akshay Mehrotra, co-founder and CEO of Fibe. “We think that technology advances every three years, and everything we have created from scratch must be destroyed. In fact, as of this morning, we released Version 3, in which we destroyed all of the railway technology we had previously constructed,” he explained.
This indicates how much more reliable the new platform is. “It is designed to handle up to 20 times as many clients and support our expansion over the following three years,” he added. “It was also intended to be safer. It is built on a theoretical conversational UI (user interface), which implies that every new customer is unique and that I can change my platform to suit them whenever we speak,” Mehrotra explained.
Anuj Kacker, co-founder of the neo bank Freo and a member of the executive council of the Digital Lenders Association of India, said that every fintech business aspires to be a bank and that banks are interested in the agility of a fintech company. “Why should customer security be handled differently if that is the case?” Kacker asked, citing recent Reserve Bank of India (RBI) rules built on consumer security and data privacy. The latest RBI rules for the digital lending market were well received by the panel.
For the first time, according to Mehrotra, a guideline is proactively considering how to develop a business. “It is quite early in the sector’s development. This often occurs when a sector has a few billion dollars in value… It provides a clear roadmap for how to create a corporation and, more significantly, how to correctly structure your organization.
“How must the interaction be made between risks, customers, and technology? We saw this with UPI (Unified Payments Interface); once the regulator establishes clear portions, such markets develop dramatically quickly,” he added. According to Mehrotra, the players now have clarity thanks to these rules, and within three years the loan market may be worth $1 trillion.
International IT groups criticize India’s new cyber security rule.
In a joint letter to the government, 11 international industry bodies, whose members include tech giants such as Google, Facebook, and HP, warned that India’s new directive, which requires cyberattack incidents to be reported within six hours and customer records to be retained for five years, will make it difficult for businesses to operate there.
International organisations worry that the directive as it stands will weaken the security posture of India and its allies in the Quad countries, Europe, and elsewhere by harming the cyber security of organisations that operate in India and leading to a fragmented approach to cyber security across jurisdictions. “The cumbersome nature of the requirements may also make it more difficult for businesses to conduct business in India,” the letter noted.
The Information Technology Industry Council (ITI), the Asia Securities Industry & Financial Markets Association (ASIFMA), the Bank Policy Institute, BSA—The Software Alliance, the Coalition to Reduce Cyber Risk (CR2), the Cybersecurity Coalition, Digital Europe, techUK, the US Chamber of Commerce, the US-India Business Council, and the US-India Strategic Partnership Forum are among the international organizations that have all expressed concern.
The directive requires data centers, virtual private server (VPS) providers, cloud service providers, and virtual private network (VPN) service providers to validate and record the names of subscribers and customers hiring their services, the period of hire, the subscribers’ ownership pattern, and other information, and to keep those records for five years or longer, as required by law.
To protect citizens’ cyber security in the field of payments and financial markets, the directive also requires IT businesses to retain all information gathered as part of know-your-customer (KYC) checks, along with records of financial transactions, for five years. The six-hour time limit for reporting cyber incidents has drawn criticism from the international groups, who have called for it to be extended to 72 hours.
“CERT-In has not explained why the 6-hour timeframe is essential, and it is neither reasonable nor in line with international norms,” the letter stated. “Such a schedule is excessively brief and introduces more complexity at a time when entities are more properly focused on the challenging work of comprehending, reacting to, and remediating a cyber-event.” Under a six-hour requirement, the letter argued, organizations are unlikely to have enough data to determine with reasonable certainty whether a cyber-incident that would trigger the notification obligation has actually taken place.
The multinational organizations asserted that their member firms operate sophisticated security infrastructures with top-notch internal incident management procedures, which produce more effective and prompt responses than a government mandate to report into an unfamiliar third-party system. The joint letter also challenged the current definition of reportable incidents as far too broad, since it includes activities such as probes and scans, which occur constantly.
The letter noted that although the directive itself does not say so, CERT-In’s explanatory material on the directive states that logs are not required to be maintained in India. “Even if this change is implemented,” the letter continued, “we have concerns about some of the types of log data that the Indian government is requiring to be furnished upon request, as some of it is sensitive and, if accessed, could create new security risks by providing insight into an organization’s security posture.”
Although it is normal practice for internet service providers (ISPs) to collect customer information, the joint letter said that extending these requirements to VPS, cloud, and VPN providers would be cumbersome and onerous. “A supplier of a data center does not assign IP addresses,” the letter noted. Collecting and keeping track of every IP address that ISPs have given their clients would be a difficult chore for the data center provider, and when IP addresses are allocated dynamically the task may be almost impossible, the letter warned.
According to international organizations, keeping the data locally for the duration of the customer’s life cycle and then for a further five years will necessitate storage and security resources, the costs of which must be borne by the customer, who, notably, has not requested that the data be kept after their service is terminated.
“We concur with the government’s desire to strengthen cyber security,” said Courtney Lang, senior director of policy at ITI. “Despite the recent release of the FAQs document intended to clarify the directive, we are still concerned about the CERT-In directive because the FAQ is not a legal document and does not provide businesses with the legal certainty necessary to conduct routine business.” Furthermore, according to Lang, the CERT-In FAQ does not address problematic clauses such as the six-hour reporting deadline. Implementation of the directive should be suspended while a stakeholder dialogue is opened, Lang continued, to adequately address the issues raised in the letter.