Pavan Duggal on why Indian banks lose the security plot

In yet another egg on the face incident that left the Indian banking fraternity reeling, a bug in the Unified Payments Interface (UPI) app caused the Bank of Maharashtra to be defrauded by a sum amounting to Rs 25 crore.

In wake of this enormous monetary gaffe, we speak to the Founder & Chairman of the International Commission on Cyber Security Law, Pavan Duggal, to get a measure of what plagues cybersecurity in the Indian banking space.

While a practicing Advocate in the Supreme Court of India, Duggal has made an immense impact with an international reputation as an authority on cybersecurity and e-commerce laws.

What can Indian banks do to mitigate cybersecurity risks?

Banks have to do a lot to mitigate the risks for potential legal exposure. Banks today are only following some of the key parameters given by the RBI. 

However, banks are still not complying with the mandatory requirements as intermediaries, under the Information Technology Act, 2000.

Under the IT Act, 2000, all banks, being intermediaries, are mandated to exercise due diligence. Due diligence has been defined also to include that the banks must put reasonable security policies and procedures in place. 

Also read: The rising cost of data breaches

ISO 27001 is one such instance of mandating reasonable security policies and procedures. Now, most of the banks are not complying with the parameters of information security. 

UPI needs to demonstrate how it is complying with the IT Act and the parameters of cybersecurity. Because at the end of the day, if these are complied with, then your exposure to liability is limited, as you’re given statutory protection under the law.

However, there’s a huge gap between what the banks are professing versus what they’re actually doing. 

Why are Indian banks averse to being transparent in reporting security breaches to the public?

I was part of the G Gopalakrishna working group under the RBI, and we had come up with the parameters of information security in 2011. It took the banks quite some time to comply with the guidelines. Even RBI’s notification of June 2016, where it mandated all banks to have a cybersecurity policy, has not been complied with.

Now, banks are in the trust business – they don’t want to report. But effective from 4th Jan’, 2017, a new notification mandates all banks to report cybersecurity breaches within a stipulated time. Despite this, you see breaches occurring, but you don’t see banks reporting them. 

I think it’s time banks take a fresh look on how to deal with cybersecurity. They will always be breached, they will always be hacked. That shouldn’t come across as a surprise. The important issue is to figure out what are the cyber-resilience policies and mechanisms that banks have in place to come back to normalcy, as soon as possible.

Because, if UPI can be breached, being increasingly used in electronic transactions, there’s a huge problem at hand if we don’t address these issues now.

Ultimately, the banking sector must inculcate a culture of cybersecurity. At a time when the government of India is boosting digital transactions, if banks are not going to be secure, this entire digital push by the Prime Minister may receive a setback.

What can banks fix at their end to ensure we don’t see situations like these in the future?

First of all, banks must put their documentation in place – most of them don’t have the appropriate documentation that the law requires. Secondly, they need to have dedicated cybersecurity policies. 

Thirdly, they need to have all the policies for processing sensitive and personal data – they need to have data collection policies, data transfer policies, and data retention policies.  

These policies need to be phrased and implemented as per the parameters of the existing law. And finally, with the increased mandatory requirement for reporting cybersecurity breaches, banks must quickly come out of their huddle and report cybersecurity breaches. 

Ultimately, the banking sector must inculcate a culture of cybersecurity. At a time when the government of India is boosting digital transactions, if banks are not going to be secure, this entire digital push by the Prime Minister may receive a setback.

Banks have to realize that they’re the foot soldiers in India’s march to becoming a digital powerhouse.                                         

What should banking CSOs prioritize on when it comes to ensuring that they maintain a secure perimeter?

They must ensure that the minimum parameters for security, defined under the G Gopalakrishna working group report, must be complied with. They must have in place the adequate infrastructure, as mandated by ISO 27001 standards.

With Aadhar becoming mandatory, banks must wake up to the new requirement of being compliant with the Aadhar Act of 2016, which majority of banks haven’t yet started applying their minds to.

With so many regulations in place, why are banks not being faced with any repercussions or penalties when they flout these norms?

Banks, unfortunately, are a tribe that believes in not sharing any information pertaining to cybersecurity breaches. Unfortunately, we haven’t seen many cases where banks have been straddled with penalties or legal liability.

I think it’s time Indian courts should take the laxity of banks not having adequate security mechanisms as a stringent ground for taking action them.

Do you think India is under-prepared to see this volume of transactions coming through digital payment gateways?

India is thoroughly unprepared to deal with this new onslaught of digital payments. This is primarily so because India does not have a digital payments law in place. We also do not have a dedicated cyber security law in place. 

But, we haven’t applied our minds much on how to deal with mobile payment legalities. Furthermore, the Payments and Settlements Systems Act of 2007 requires an overhaul in these scenarios. 

So, India needs to do a lot of homework in terms of crypto-currencies and take a stand in the legality of crypto-currencies. It’s high time that India starts recognizing trends like Bitcoins. 

India is thoroughly unprepared to deal with this new onslaught of digital payments. This is primarily so because India does not have a digital payments law in place. We also do not have a dedicated cyber security law in place. 

Given our lack of digital payment laws, do you believe payment gateways are going to be the next destination for cyber-criminals?

I believe they already are the next destination for cyber-criminals. According to a recent survey by Assocham, mobile frauds in India will increase by 65 percent in 2017 alone.

And I’ve seen in the last 18 weeks, post demonetization, a whole new kind of mobile frauds have emerged. It’s high time the stakeholders must be aligned to these new challenges and walk forward in this direction.