The continuing onslaught of data breaches, coupled with a perception of high cyber-risk among financial institutions, seems to suggest that the extant regulatory framework has failed to build effective resilience paradigms that tackle cyber-attacks
By Sohini Banerjee and KS Roshan Menon
India’s financial sector has a burgeoning cybersecurity problem, and recent cyber-attacks underscore its severity. Mobikwik, the digital credit and payments start-up, reportedly suffered a data breach that allegedly compromised the personal data of nearly 10 crore users. The breach saw the compromise of sensitive data, including credit and debit card information, with news reports suggesting that the data was subsequently put up for sale on the dark web.
The Mobikwik breach is not an isolated incident. Recently, payments processor JusPay acknowledged the breach of 3.5 million records of masked credit card and fingerprint data, attributing it to an isolated system that stored such data for display purposes. Commentators have been quick to draw linkages between the two breaches, identifying cybersecurity as a vital priority for start-ups in the financial sector.
These breaches must be treated as evidence of a systemic cybersecurity concern that market players and regulators must address by developing strategies for a secure financial cyberspace. In this piece, we use cyber-resilience as a lens to identify a series of interventions that can help build meaningful resilience in India’s financial sector.
Cyber-resilience refers to the three-pronged process of building an entity’s ability to proactively prepare for, respond to and recover swiftly from disruptions. Dupont defines the concept as “the capacity to withstand, recover from and adapt to the external shocks caused by cyber-risks”, indicating that the heart of resilience does not lie in simple ‘react-and-report’ approaches to cybersecurity. Instead, resilience focuses on capacity-building, stressing the need to promote a culture within financial entities that prioritises cybersecurity at the organisational as well as the technical level.
It is important to note that cyber-resilience is not a novel concept among Indian regulators. Instruments such as the Reserve Bank of India’s (‘RBI’) Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, 2011 placed emphasis on devising IT strategies to be ‘resilient to failure’. Further, the 2016 Circular on Cybersecurity Framework in Banks and the Master Direction on Digital Payment Security Controls, 2021 applied principles of resilience to novel financial products. These instruments focussed on securing financial data and evaluating the resilience of financial systems.
It is evident that regulators have sought to incorporate cyber-resilience into the working of financial institutions from an early stage. However, the continuing onslaught of data breaches, coupled with a perception of high cyber-risk among financial institutions, seems to suggest that the extant regulatory framework has failed to build effective resilience paradigms that tackle cyber-attacks.
We believe that the failure of such regulation lies in its inability to engage with resilience in a meaningful manner. A course-correction is in order, and to that end we suggest three interventions.
First, regulation in India must define cyber-resilience. This has marked benefits: a broader definition can help the RBI shake off its ‘tech-first’ approach to cybersecurity and accommodate other paradigms in securing cyber networks. This can, in turn, make cybersecurity multi-disciplinary. Illustratively, security experts may collaborate with privacy scholars on design frameworks for the secure processing of personal data. Frameworks for resilience that acknowledge such multi-disciplinary approaches can further benefit regulated entities, which can then draw from more sources to devise risk-appropriate cybersecurity strategies.
Second, the RBI’s approach should provide for robust self-assessment. Presently, despite periodic references to self-assessment in its regulations, the RBI does not engage with it meaningfully. A careful look at extant regulation indicates the absence of ‘checklists’ or of any comprehensive study of resilience practices across regulated entities. Designing appropriate interventions on these counts can make resilience simpler for financial entities to achieve.
Third, the RBI’s approach must account for the size and interconnectedness of a regulated entity. Scaling discards a ‘one-size-fits-all’ approach to cybersecurity in favour of a risk-adequate response to building resilience. Under scaling, large or systemically important entities may be subject to enhanced compliance requirements (such as external audits or a designated cybersecurity officer), while smaller enterprises may comply with norms that impose minimal burdens. Scale-sensitivity allows resilience to penetrate markets more meaningfully, ensuring cybersecurity for all.
Sohini Banerjee and KS Roshan Menon are Research Fellow and Research Scholar at Shardul Amarchand Mangaldas & Co. Views expressed are personal.