By Ruchin Kumar

Small and medium enterprises (SMEs) contribute 30% of India’s GDP and are the backbone of the Indian economy. As engines of growth, SMEs play a crucial role in India’s ambition to become the world’s third-largest economy by 2028. However, many fintech SMEs remain under-protected against emerging cyber threats. With fewer than 200 employees, they face heightened cyber risks due to limited financial resources and insufficient cybersecurity skills and technology. Gaps in defences, over-reliance on third-party vendors, and a lack of business continuity plans mean that Indian SMEs often struggle to implement adequate cybersecurity measures to defend against ransomware, phishing, and DDoS attacks.

In India, SMEs must comply with regulatory guidelines that ensure customer data privacy and their own IT/OT security. These regulatory frameworks help protect sensitive customer information, secure digital payment systems, prevent fraud, and mitigate risks for all stakeholders.

The Evolution of Fintech SMEs 

Fintech SMEs, experiencing rapid growth driven by increased internet penetration and digital adoption, require stronger protection against fraud, scams, and targeted attacks within the Indian digital financial services sector. Fintech SMEs must adhere to various guidelines from the Reserve Bank of India (RBI), follow IT Rules 2011, and implement Payment Card Industry Data Security Standards (PCI DSS) to maintain security and compliance. With the upcoming Personal Data Protection Bill implementation, fintech SMEs will face even stricter regulatory challenges that demand a greater focus on data security and compliance.

The recent rise in credit and debit card fraud has prompted the RBI to scrutinize fintech SMEs more closely. This vigilance is justified; non-compliance with regulations can lead to data breaches, expose sensitive Personally Identifiable Information (PII), and erode consumer trust.

This raises an important question: Why do so many fintech SMEs struggle to comply with cybersecurity regulations essential for business continuity, safeguarding their reputation, building consumer trust, and unlocking opportunities for partnerships and expansion?

Challenges Unique to SMEs

The answer is complex, with no quick fix. Rapid technological advancements and evolving cyber threats make it difficult for fintech SMEs to stay ahead of potential risks. Aligning business objectives with stringent regulatory requirements is not easy, especially when faced with limited headcount and skill sets necessary to navigate the complexities of ever-changing cyber threats.

The real challenge lies in prioritization. Many fintech SMEs tend to focus more on operational growth while underestimating the importance of robust cybersecurity measures. Many mistakenly believe they can manage with the bare minimum – until a breach occurs. This complacency, coupled with an inability to tolerate extended operational downtime, makes fintech SMEs particularly vulnerable to cyberattacks.

While financial constraints are a constant concern, fintech SMEs must recognize that merely complying with minimal security regulations does not equate to robust protection. Simply checking a box for compliance is not the same as establishing adequate safeguards. The financial consequences of a cyberattack far exceed the costs of preventive measures. By investing in modern cybersecurity and reducing reliance on outdated systems, fintech SMEs can significantly mitigate data breach risks and enhance their resilience.

Currently, India lacks a cohesive cybersecurity framework specifically tailored to meet the data protection requirements of SMEs. In contrast, regions such as the USA and Europe have implemented stringent frameworks to combat cyber threats.

Evolving Security Guidance and Tactics

That said, South Asian regulators, including those in India, have made progress in recent years by formulating and enforcing policy guidelines to strengthen the cybersecurity resilience of SMEs. It is important to emphasize that cybersecurity is not a one-time solution but an ongoing process that must continuously evolve to address emerging threats within the industry.

To bolster cybersecurity among SMEs, the government could introduce a comprehensive Data Protection and Essentials (DPE) policy framework, offering standardized guidelines, actionable protocols, and affordable solutions such as encryption, backup options, access controls, incident response plans, and employee training. A centralized professional service featuring a curated panel of service providers could help SMEs effectively adopt these practices. India could take inspiration from Singapore’s DPE initiative, which aims to protect the digital ecosystem of small businesses.

Additionally, India could learn from countries like the USA, UK, and Australia by providing specific tax breaks or incentives to encourage businesses to invest in cybersecurity technologies and initiatives. These incentives would enhance resilience against evolving cyber threats.

Next Steps for SMEs

India’s SME sector faces increasing cybersecurity threats, making it crucial for businesses to prioritize cybersecurity as a core aspect of their operations. Implementing strong security measures from the outset protects sensitive data, builds customer trust, and ensures long-term business resilience.

The government plays an important role by providing clear guidance and policies, encouraging investments, and requiring risk management strategies. Additionally, SMEs should align themselves with global best practices to create a secure and resilient digital ecosystem.

By adopting a proactive approach to cybersecurity, Indian SMEs can safeguard their operations and position themselves as trustworthy players in the global digital economy, ensuring resilience and sustained growth in an increasingly connected world.

Ruchin Kumar is VP – South Asia, Futurex. Views expressed are personal. Reproducing this content without permission is prohibited.
