In its Financial Stability Report for the year, the Reserve Bank of India cautioned that there ‘is no room for complacency on cyber security’. The central bank’s warning is timely. The Indian government has revealed a significant upsurge in cybersecurity incidents reported to the Indian Computer Emergency Response Team (‘CERT-In’) in the third quarter of 2020. To provide some context, while a mere 53,117 incidents were reported to the CERT-In in all of 2017, 2020 has already seen 696,938 incidents being reported till August. In fact, according to one estimate, companies in India have reported twice as many cyberattacks per day than any other country in the world since the pandemic.
COVID-19 has heightened existing security threats by underlining our existential reliance on digital frameworks, along with the unprepared shift to remote work from systems of dubitable security. This, coupled with the rapid digitization and datafication of the financial sector, can have unforeseen complications for India’s emerging market for technology driven financial solutions. Cyberattacks may lead to disruption of payment systems, corruption of data, crippling of infrastructure and potential financial destabilisation. In this post, we analyse the adequacy of cybersecurity regulation for the financial sector in India and suggest renovation measures in light of COVID-19.
Cybersecurity regulation in India
As evidenced by the rise in incidents reported to the CERT-In, the cybersecurity landscape in India has proved to be ill-equipped to handle the stress of the pandemic. However, there is no lack of regulation on the subject, both sector-agnostic and sector-specific, with the Reserve Bank of India having prescribed regulations for electronic banking, electronic payment transactions and a richly detailed framework for urban co-operative banks. Moreover, reports indicate that the National Cyber Security Strategy 2020 will be introduced in parliament soon.
The Union Budget speech for the financial year of 2017-18 contained the proposal to set up an independent nodal body to supervise cybersecurity in the financial sector. To be named the Computer Emergency Response Team in Financial Sector (‘CERT-Fin’), the body was intended to work closely with financial sector regulators and the CERT-In. Close on the heels of the above announcement, a working group was created to recommend measures for its establishment.
The report of the working group expressed support for setting up a nodal CERT-Fin to prioritise cybersecurity in the financial sector. The CERT-Fin would complement the functions of, and duly report to, the CERT-In in a time bound manner. Its key responsibilities would be to analyse cybersecurity incidents in the financial sector, co-ordinate response activities, and study patterns. The report envisaged the setting up of smaller sub-sectoral CERTs within the financial sector (attached to regulators and major financial institutions), to inform the efforts of the nodal CERT-Fin.
However, it is unfortunate that not only has the CERT-Fin proposal not gained traction, but the Indian government has also counterintuitively diminished its budgetary spending on cybersecurity in 2019-20 vis-à-vis 2018-19. Meanwhile, the cybersecurity challenges in the financial sector continue to swell, with the pandemic compounding emerging vulnerabilities from other channels. Arising largely due to the swift digital transformation of finance, these risks include the emergence of new financial participants (fintechs, neo-banks and BigTech), centralisation of information on externally hosted cloud-based services, and the linking of private databases with public databases like Aadhaar. The CERT-In has thus increasingly been burdened with concerns specific to the financial sector, and has attempted to plug the gap.
On the whole, challenges arising from such cybersecurity risks may constitute a systemic risk to financial stability. Thus, while establishing the CERT-Fin per se may not be sufficient to address the entire gamut of emerging cybersecurity needs in the financial sector, revitalising the proposal to set it up is a necessary first step.
The admission that the CERT-Fin may not completely resolve such tech-induced systemic risk comes from an understanding of two factors considered integral to such risk—size and connectivity. As financial entities continue to grow in size and deepen business links with each other, it becomes a priority for the CERT-Fin to be appraised of any cybersecurity incidents and breaches suffered by such entities. This can ensure that security risks arising from one participant do not disrupt the working of connected or dependent participants. Similarly, another priority for the CERT-Fin shall be to create a risk-based compliance approach—solutions that affect a large number of people or involve the participation of multiple financial intermediaries may be subject to enhanced regulatory oversight.
These objectives can be better achieved by tweaking the proposed framework for the CERT-Fin as described under the report of the working group. Discussed below are three such measures that help achieve a robust and risk-ready CERT-Fin.
First, extant regulatory frameworks must make the reporting of cybersecurity incidents and breaches to the proposed CERT-Fin mandatory for all financial entities and relevant third parties. The CERT-Fin must consequently be tasked with identifying any systemic risk occasioned by the incident, issue alerts/advisories to other entities in the market and assess the operational and technological capacity of the financial entity to resume functioning within the sector. Presently, the framework for reporting incidents is disharmonious. While banks are required to report incidents to a specialized information sharing agency in addition to the Reserve Bank of India, other financial entities (such as payments system operators) are not subject to similar reporting requirements. Establishing a harmonized, cost-effective framework to mandatorily report incidents to the CERT-Fin can provide an accurate picture of cybersecurity exposure and accordingly mitigate potential risk.
Second, the CERT-Fin should offer guidance on operationalizing cybersecurity safeguards in a manner that discourages a ‘one-size fits all’ approach. Regulatory compliance may be implemented in a scaled manner. In other words, systemically important entities may be subject to enhanced compliance and audit requirements, while micro, small and medium enterprises must not be subject to excessive compliance that stifles innovation. In this context, the graded approach contained in the Personal Data Protection Bill, 2019, for regulating significant data fiduciaries vis-à-vis ordinary data fiduciaries may serve as useful precedent.
Lastly, taking cue from the Personal Data Protection Bill, it is imperative that certain measures for proportionate data processing be evaluated by CERT-Fin for their relevance to the cybersecurity framework. Provisions that share a complementary relationship with cybersecurity (such as data encryption or data erasure) must be studied by the authority with a focus on developing privacy preserving cybersecurity advisories for financial entities. Conversely, cybersecurity practices that may conflict with data protection principles must be appropriately modified to ensure privacy preserving cybersecurity.
Cybersecurity has become a source of systemic risk in the financial sector. We recommend that in the post-pandemic era the Indian government should prioritise technological risks in the financial sector and consider them on the same footing as financial risks.
In this regard, the establishment of the CERT-Fin must be expedited by the government and adapted to face financial risks arising from the large-scale adoption of digital financial utilities in India. Further, it should be ensured that the body is equipped with sufficient in-house technological expertise to assess exposures in the financial sector. The setting up of the body would nourish cybersecurity resilience in the financial sector and cement India’s position as a mature digital financial ecosystem.
The authors would like to thank Mr. Siddharth Nair and Ms. Shubhangi Garg for their input.
Sohini Banerjee is a research fellow at Shardul Amarchand Mangaldas & Co, India.
K.S. Roshan Menon is a research scholar at Shardul Amarchand Mangaldas & Co, India.