The Indian financial services space is digitising at speed. In May 2024, digital transactions through the Unified Payments Interface (UPI) crossed 14 billion, 5 per cent more than the 13.3 billion figure of April. Fuelled by increasing smartphone and high-speed internet penetration as well as the burgeoning population, India is estimated to have the highest number of digital banking users at close to 30 crore—7 crore more than the US, ranked second as of 2022.
But with greater digitisation comes greater cybersecurity risks.
As per disclosed government data, there were 248 successful data breaches in the Indian banking sector between June 2018 and March 2022. Another RBI report revealed that between January and October 2023, the Indian financial industry encountered over 13 lakh cyber-attacks—a number that would mean around 4,400 cyber-attacks daily in 2023 alone.
The Evolving Cyber Regulatory Landscape
From India's first cybersecurity laws enacted under the Information Technology Act 2000 to the Reserve Bank of India Act 2018 stipulating cybersecurity guidelines and frameworks for urban cooperative banks and payment operators and the Digital Personal Data Protection Act of 2023 (DPDP), the country's regulatory landscape has evolved significantly, strengthening cybersecurity and resilience in the banking sector.
But threats don't just originate from the outside: cyber risks also arise within organisations, from employees misusing their access rights and privileges to perpetrate fraud, from negligence that unwittingly exposes the bank's systems, from breaches of vulnerable third-party contractor systems, and so on.
Banks with workloads in the public cloud would understandably focus on external threats to the organisation. Research and market intelligence firm IDC estimates that 80 per cent of the nation's corporate banks will run their treasury and trade finance workloads on the cloud this year. However, it is equally important to take an inside-out view of cybersecurity.
A Framework Approach To Comply
For the banking industry, relevant global cybersecurity standards include ISO 27001/2 for validating an organisation's implementation of its cybersecurity program and the way it manages risks; SOC 2, which prescribes a trust-based model to safeguard client data; the GDPR from the EU on data privacy; and DORA, also an EU regulation, which mandates that apart from managing operational risks, financial institutions must manage all components of resilience, including that of information and communication technology (ICT).
For Indian financial institutions with operations worldwide, complying with extensive cybersecurity standards and regulations is a huge challenge. Banking and investment services providers, which spent USD 11.3 billion on technology last year, are planning to increase it to bridge technology-related deficiencies that have recently invited regulatory scrutiny and even caused sanctions to be imposed against one institution.
From our experience implementing technology solutions for over a hundred financial institutions worldwide, we know that cybersecurity standards cannot be implemented through infrastructure and its associated configurations, such as a firewall, alone. In most cases, invasive changes to applications are also required. For example, when customers exercise their right to be forgotten under GDPR, the financial institution holding the personal data must ensure that the customer's personally identifiable information (PII) is also deleted. That action requires the application's intervention to comply with the regulation.
It may not be viable to burden applications with continuously supporting all of these cybersecurity frameworks as programmable artefacts embedded within them. A framework-driven approach that separates application and information security concerns will help banks adopt current and emerging cybersecurity frameworks worldwide faster and with greater agility.
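As an added illustration of the separation the two preceding paragraphs describe (the right-to-be-forgotten deletion in one, the framework-driven split of concerns in the other), here is a small Python example. It is not code from the article or from any vendor product; it assumes a hypothetical declarative erasure policy (ERASURE_POLICY), in-memory tables constructed for the demo, and a separate retention obligation for ledger rows that the article does not mention.

```python
import hashlib
from datetime import datetime, timezone
from typing import Any

# Constructed sample data standing in for a customer master and a transaction ledger.
CUSTOMERS: dict[str, dict[str, Any]] = {
    "C1001": {"name": "Asha Rao", "email": "asha@example.com",
              "phone": "+91-98xxxxxx01", "segment": "retail"},
    "C1002": {"name": "Vikram Nair", "email": "vikram@example.com",
              "phone": "+91-98xxxxxx02", "segment": "retail"},
}
TRANSACTIONS: list[dict[str, Any]] = [
    {"txn_id": "T1", "customer_id": "C1001", "amount_inr": 2500,
     "narration": "UPI/Asha Rao/grocery"},
    {"txn_id": "T2", "customer_id": "C1002", "amount_inr": 900,
     "narration": "UPI/Vikram Nair/fuel"},
]

# Hypothetical declarative erasure policy. The application does not know which
# fields are PII or which records must survive an erasure request; it only
# calls erase_subject(). Adopting a new framework means editing this policy.
ERASURE_POLICY: dict[str, dict[str, Any]] = {
    "customers": {"action": "delete", "pii_fields": ["name", "email", "phone"]},
    # Assumption (not from the article): ledger rows carry a separate retention
    # obligation, so they are pseudonymised rather than deleted.
    "transactions": {"action": "pseudonymise", "pii_fields": ["narration"]},
}

# Constructed secret; in practice held only by the erasure service, so that
# application code cannot link a pseudonym back to the customer.
PSEUDONYM_SALT = b"constructed-demo-salt"
REDACTED = "[REDACTED]"


def pseudonym(subject_id: str) -> str:
    """Stable, salted, one-way token that replaces the raw customer identifier."""
    digest = hashlib.sha256(PSEUDONYM_SALT + subject_id.encode("utf-8")).hexdigest()
    return "anon-" + digest[:16]


def erase_subject(subject_id, customers, transactions, policy, audit_log):
    """Apply the erasure policy for one data subject. Idempotent: a repeated
    request finds nothing left to erase and reports zero counts."""
    summary = {"customer_deleted": False, "transactions_pseudonymised": 0}

    cust_rule = policy["customers"]
    if subject_id in customers:
        if cust_rule["action"] == "delete":
            del customers[subject_id]
            summary["customer_deleted"] = True
        else:  # any other action: keep the record, scrub the PII fields
            for field in cust_rule["pii_fields"]:
                customers[subject_id][field] = REDACTED

    txn_rule = policy["transactions"]
    token = pseudonym(subject_id)
    for row in transactions:
        if row.get("customer_id") != subject_id:
            continue
        if txn_rule["action"] == "pseudonymise":
            row["customer_id"] = token          # ledger row survives, unlinked
            for field in txn_rule["pii_fields"]:
                if field in row:
                    row[field] = REDACTED
            summary["transactions_pseudonymised"] += 1

    # The audit trail proves the request was honoured without itself retaining PII.
    audit_log.append({
        "event": "erasure",
        "subject": token,
        "at": datetime.now(timezone.utc).isoformat(),
        **summary,
    })
    return summary


if __name__ == "__main__":
    import copy
    c, t, log = copy.deepcopy(CUSTOMERS), copy.deepcopy(TRANSACTIONS), []
    print(erase_subject("C1001", c, t, ERASURE_POLICY, log))
    print(t[0], log[-1], sep="\n")
```

The application's only obligation is to call erase_subject() when a request arrives; which fields count as PII, which records are deleted outright and which are retained under a pseudonym live in the policy, so a new regulation changes the policy rather than the application. The audit entry records the salted token, not the customer identifier, so the evidence that an erasure happened does not itself reintroduce the data that was erased.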
The Safe Way To The Cloud
Indian banks that are taking to the public cloud would also need to comply with ISO 27017 and ISO 27018, which respectively provide further guidance on implementing the ISO 27002 information security controls in the cloud and on protecting personally identifiable information in the public cloud, as well as with the relevant provisions of the Digital Personal Data Protection Act, 2023. The IDRBT Cloud Security Framework published by the Institute for Development and Research in Banking Technology offers guidelines and best practices to help the Indian banking industry address its cloud security concerns. By following these regulations and standards, banks can confidently deploy mission-critical and data-sensitive workloads on the public cloud.
But the industry already has an excellent role model in the various digital platforms for public goods—Aadhaar for unique identification, CoWIN for Covid vaccination certification, and UPI for instant digital payments—successfully running at a massive scale on the cloud. Aadhaar, for example, has completed over 100 billion identity verifications to date. Financial institutions can imbibe best practices from these platforms, including cybersecurity practices, to transition successfully.
Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of the publication.