Spell out cyber hygiene measures: RBI to banks after security breach

Banks have also been specifically directed by the RBI to put into action a security policy listing their strategy on combating such threats.

Written by Anil Sasi | New Delhi | Updated: October 23, 2016 11:13 am

As India’s biggest cyber security breach unravels, with as many as 32 lakh debit cards issued by 19 banks reportedly compromised, the RBI has instructed lenders to upgrade the role of the CISO (chief information security officer) within each institution from an “operational level” to a “strategic level”.

The CISO, a senior-level executive within an organisation responsible for establishing and ensuring that information assets and technologies are adequately protected, is now being seen as a bank’s frontline defence and a key support to the bank boards on formulating strategies on fraud prevention and strengthening the protection mechanisms against threats such as the current cyber security breach.

Banks have also been specifically directed by the RBI to put into action a security policy listing their strategy on combating such threats and spelling out tangible “cyber hygiene” measures, duly approved by their respective boards, said banking sector officials involved in the exercise.

The financial sector’s internal operations are currently under intense scrutiny after at least 19 commercial banks were forced to block or recall an estimated 32 lakh debit cards of customers as a “precautionary” measure, after being informed of potential risks to those cards. This was in the wake of a major data breach — that took place between May and July, but was discovered only in September — attributed to malware reportedly found in the processors of Hitachi Payment Services’ central switch, which operates most of YES Bank ATMs and a number of teller machines owned by other banks and non-bank entities.

Both YES Bank and Hitachi, however, claimed there was no breach or compromise at their end. Finance Minister Arun Jaitley on Friday said that the government has sought a detailed report from the Indian Banks Association on the extent of data compromise and steps being taken to contain the damage.

In recent months, with the SMAC format (social, mobile, analytics and cloud) driving innovation in the banking sector, the security imperative is even more compelling with regard to preventing data theft and checking financial fraud. The recent spate of cyber attacks has been turning highly sophisticated and the missive to banks now is on using specialised analytical techniques and exploiting vulnerabilities that had hitherto gone unnoticed, officials said.

Over the past 24 months, there were two other global incidents that had turned the focus on the cybersecurity set-up at banks, including in India. One incident involved an East European cybercrime gang called Carbanak in a major advanced persistent threat (APT) attack, targeting financial institutions across Russia and Ukraine. It was reportedly discovered in 2015 by the Russian/UK cyber security company Kaspersky Lab. In February this year, an attempted $951-million Bangladesh Bank heist provided yet another warning on the potential risks to the financial sector, forcing banks to step up vigil against cyber crimes.

On the latest cyber security breach, a banker involved in the investigations said that the RBI has made its position clear that the bank boards and top management should “develop early sensitivity to the task of cyber hygiene”. “For this, banks have been instructed that the CISO position needs to be upgraded from an operational level to strategic level,” a banker familiar with the RBI missive told The Sunday Express.

The National Payment Corporation of India (NPCI), which has oversight over retail payments in India, has asserted that the complaints of fraudulent withdrawal were limited to cards of 19 banks and 641 customers and the total amount involved is Rs 1.3 crore as reported by various affected banks to NPCI, according to the Corporation’s managing director A P Hota.

State Bank of India has either blocked or is in the process of replacing around 6 lakh debit cards following the detection of the malware related to the reported security breach in Yes Bank’s ATM network. Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have already replaced their debit cards. ICICI Bank, HDFC Bank and Yes Bank have asked customers to change their ATM pin numbers.

Earlier, in the 2015 Carbanak incident, the surprise factor was the criminals’ change in approach, whereby rather than using the usual cybercriminal method of stealing consumer credentials or compromising individual online banking sessions with malware, the Carbanak gang targeted banks’ internal systems and operations, resulting in a multichannel robbery that is estimated at $1 billion.

In the February 2016 incident, cyber thieves had issued instructions to transfer $951 million out of Bangladesh Bank’s account at the New York Federal Reserve. While most were declined, an amount of $81 million was transferred to a bank in the Philippines, never to be traced again.

The theft sent shock waves through the global banking community, both for the amount of money that was swindled and how the heist leveraged the Society for Worldwide Interbank Financial Telecommunication (Swift) system, the backbone of international finance. Gottfried Leibbrandt, chief executive of Belgium-based Swift, had termed the Bangladesh cyber attack “a watershed” for the banking industry.