In recent times, cybersecurity has been among the foremost issues that global financial regulators have sought to address. In attempting to do so, several distinct approaches have emerged. These include one or more of self-regulation, sectoral regulation, or horizontal (cross-sectoral) regulation. While the field is too nascent and threats too diverse to draw conclusions on preferred approaches, emerging regulatory experiences hold important lessons for the way ahead. With the objective of adding to the surrounding discourse, this post attempts to critique what has emerged as the Indian approach to regulating cybersecurity for the financial sector.
In theory, cybersecurity has been a core concern of Indian financial sector regulators for several years now. As early as 2011, India’s banking and finance regulator, the Reserve Bank of India (‘RBI’), issued a series of comprehensive guidelines on ‘Information Security, Electronic Banking, Technology Risk Management, and Cyber Frauds’ to prime Indian banks for emerging risks in the internet age. This was preceded by guidance on outsourcing in 2006 and followed up by a requirement for comprehensive internal cybersecurity frameworks in 2016.
Other financial regulators have not been left behind. The Securities and Exchange Board of India (‘SEBI’), which regulates constituents of the securities market, issued guidelines for ‘Cybersecurity and Cyber Resilience’ to market infrastructure institutions (such as stock exchanges) in 2015. More recently, in April 2017, the Insurance Regulatory and Development Authority of India (‘IRDA’) issued guidelines on ‘Information and Cyber Security’ for insurance providers to implement.
While these and other frameworks have long existed on paper, it is only recently that they have been subject to closer scrutiny. Unsurprisingly, this has come in the wake of increasingly disruptive cyber-attacks, both those targeted at India and global phenomena such as Petya/NotPetya and WannaCry. Notably, in 2016, an attack targeting Indian banks led to the breach of the details of more than 3 million debit cards. Around the same time, neighbouring Bangladesh saw a partially thwarted attack on its central bank that nonetheless resulted in the theft of USD 81 million. Had it fully succeeded, the attack would have siphoned off close to USD 1 billion, or 0.5% of Bangladesh’s GDP at the time. These and other incidents have fuelled regulatory interventions and stimulated demand for cybersecurity expertise worldwide.
As far as the Indian financial sector is concerned, a key component of the government’s response has been a proposal to create an independent cyber-security agency exclusively for the sector, the Computer Emergency Response Team (‘CERT-Fin’). The proposal formed part of the Government’s 2018 Budget and has recently been approved by a working-group constituted by the Ministry of Finance. According to the working group, CERT-Fin’s duties would include passive functions such as threat intelligence sharing, vulnerability assessment, and analysis, and active functions such as ‘bringing down rogue sites’ and developing standards for data protection, encryption, and access rights.
This proposal comes as the latest in a series of government moves to create specialised agencies mandated to address different aspects of the cybersecurity conundrum. However, for the reasons below, this post argues that the creation of CERT-Fin – and, more fundamentally, the regulatory approach underlying it – is not only unlikely to promote cybersecurity in the financial sector, but will add an unnecessary layer of complexity for businesses in an already highly-regulated ecosystem. CERT-Fin, as currently conceptualized, performs no duty that is not already carried out by an existing agency, and its creation (along with proposed sub-sectoral CERTs) is only likely to deplete already scant cybersecurity manpower and resources.
At the outset, the Indian approach to cybersecurity regulation and policy formulation has been characterised by a multiplicity of agencies and frameworks coupled with sparse enforcement. A typical regulated entity in the financial sector would be required to comply not only with the various instructions of the concerned sectoral regulator (e.g., RBI or SEBI) but also with the horizontally applicable framework of the Information Technology Act 2000 (as revised) and the various rules thereunder (which contain obligations relating to data protection, security, and breach notification); with directions of the nodal cybersecurity agency, CERT-In; with notifications of the Ministry of Electronics and Information Technology (‘MEITY’); and, where applicable, with directions of the National Critical Information Infrastructure Protection Centre (‘NCIIPC’). Other entities involved in the broader policy ecosystem include the National Cybersecurity Coordination Centre (a national traffic monitoring body being implemented by CERT-In), the Ministry of Home Affairs, and various law enforcement agencies, including the police. This cocktail of regulatory and policy-making bodies (a more complete list of which is available here) with overlapping mandates creates a complex regulatory and compliance environment for businesses in the financial sector, driving up compliance costs and overhead that stymie innovation in rapidly emerging sectors such as FinTech, with start-ups and SMBs bearing the brunt.
Such a segmented approach is also likely to result, ultimately, in weak cybersecurity policy. The dispersal of policy-making authority over numerous agencies dilutes the relevance of each and promotes a lack of uniformity in regulating the financial sector. Those arguing that ultimate policy-making authority will remain centralised with the regulator or MEITY risk reducing the role of newly created bodies like CERT-Fin to mere clearinghouses.
Secondly, experience shows that the government’s enthusiasm for creating new agencies is unmatched by the enforcement appetite of these bodies. Despite the presence of numerous agencies tasked with ensuring the cybersecurity of India, extant enforcement mechanisms are, at best, opaque and, at worst, non-functional. To date, no sectoral regulator (financial or otherwise) has publicly announced enforcement action in relation to cybersecurity obligations, while the nodal appellate body for causes of action originating under the IT Act, the Cyber Appellate Tribunal, has been defunct since 2011. Even where enforcement may have occurred, the Indian approach privileges confidentiality over transparency. For instance, data breach reports to CERT-In are confidential and may not be released to the public at large. Similarly, the NCIIPC functions in secret under the supervision of the Indian intelligence community. Without transparency in decision-making and enforcement, or third-party audit, it is impossible to judge the efficacy of these bodies. Within such a context, creating additional agencies without serious enforcement of existing frameworks is counterintuitive.
These issues aside, the proposed CERT-Fin itself is unlikely to add value to the already complex regulatory environment. In many verticals, sophisticated policy, research, monitoring, and enforcement mechanisms are already in place. To take the example of the banking sector: as discussed above, not only does the RBI have various instruments in place to ensure cybersecurity compliance, but other bodies like the RBI’s recently created IT subsidiary (ReBIT), the Institute for Development and Research in Banking Technology (IDRBT), and IDRBT’s Center for Analysis of Risks and Threats (IB-CART) complement the central bank’s enforcement mechanisms at the technical, capacity-building, intelligence-sharing, and policy levels. In addition, banks, like other entities, remain subject to the authority of cross-sectoral agencies like CERT-In, the NCIIPC, and the relevant authorities under the IT Act. Within such a dense regulatory web, it is difficult to imagine the value a body like CERT-Fin, with conceivably no independent enforcement mandate, could add to the ecosystem.
This is especially the case as the Indian approach to cybersecurity has suffered not from a lack of agencies but from gaps in institutional capacity and talent. CERT-Fin will fail not only for the reasons above, but also because the proposal does not address the broader structural problems that plague Indian cybersecurity regulation. For instance, leadership positions in many regulatory bodies are closed to those from outside government and remain the domain of career civil servants, who often lack the expertise and exposure that come from experience in the private sector. Lateral moves are rare and, to truly develop robust cybersecurity policy for the financial sector, this must change. In similar contexts, authors on this blog have noted the benefits that work experience with regulators can have for career progression in the private sector, and there is no reason this would not be the case in India. However, in its current form, CERT-Fin is only likely to exacerbate existing talent shortages by stretching existing resources and dispersing them across different agencies and sub-sectoral CERTs.
These factors and others, taken together, present a perfect storm of uncoordinated regulatory bodies functioning with overlapping jurisdictions, talent shortages, no appetite for enforcement, and no mandates for transparency. Until this status quo changes, businesses in the financial sector and the public at large should prepare for more of the same with CERT-Fin. For a robust cybersecurity framework, the government should abandon its current approach and instead seek to amalgamate existing agencies by consolidating duties and enforcement powers within an existing agency like CERT-In. This would ensure that there is a single body that has not just the legal authority but also the capability and resources to effectively protect Indian cyberspace.
As much of the world grapples with cybersecurity regulation, the Indian approach presents an interesting case study of a highly segmented sectoral approach with overlapping authorities and weak enforcement. However, in its current form, it is doomed to fail.
Tarun Krishnakumar is a New Delhi-based lawyer specialising in regulatory and public policy issues concerning emerging technology.