Banks will now have to take Cyber Security to a New Orbit:

- Shri R. Gandhi, Former Deputy Governor, RBI

Given the current constraints and the continuing need to prepare the bankers for the evolving situation and ensure uninterrupted banking services, the Institute recently introduced an e-Learning Channel for its training programmes.

A key segment of this e-Programmes initiative is focused on Board Members of Banks, especially since the Covid crisis calls for close monitoring and interventions by the Board. The Institute started off this segment of the e-Programmes initiative for Board Members with Shri H.R. Khan’s address on “Covid-19 Pandemics & BCCP in Banks: People Perspectives” for Board Members on May 15, 2020.

Taking this initiative forward, the Institute organised the second Webinar for Board Members of Banks.

Cyber Threats Increased during Lockdown

Shri R. Gandhi, former Deputy Governor, Reserve Bank of India, addressed the Board Members of various Banks on “Cyber Security: During Pandemic and Beyond” on June 12, 2020.

Initiating the proceedings, Dr. A. S. Ramasastri, Director, IDRBT, made the following key points:

  • Zero Trust Architectures: Going beyond VPN, there is a need to move towards Identity Aware Proxies and incorporate innovations like Zero Trust Architectures, to continuously validate customers’ identity as well as employees’ identity in the context of Work From Home.
  • Social Engineering Attacks: Humans are the weakest link in security, and in the present scenario they are more vulnerable (psychologically) than ever before to social engineering attacks, particularly those emanating in the form of Covid-related malware. To limit the exposure due to this weakness, organisations must train their employees on cyber-awareness.
  • CISOs: The Chief Information Security Officers (CISOs) have a delicate task of balancing business goals and security. They must be considered enablers for business and need to be encouraged to go beyond mere compliance.
  • Agile People, Processes & Systems: In order to manage business continuity with only limited staff availability, employees need to be re-skilled to multi-task, when necessary. Processes and systems may have to be re-engineered to be agile and highly dynamic.
  • Innovate Continuously: While many organisations, particularly banks, have done well to ensure business continuity in these testing times, they have to quickly adapt to the “new normal” and innovate continuously to maintain competitiveness. The challenge would be to innovate while balancing time-to-market and highest levels of security.

Thereafter, Shri R. Gandhi, former Deputy Governor, Reserve Bank of India, addressed the Board Members of Banks on “Cyber Security: During Pandemic and Beyond” and the key points he made are as under:

  • Known risks became “acceptable”: Because of COVID, there have been and will be fundamental shifts in beliefs, attitudes and behaviours. Technology is one such sector where profound changes are happening. Several ad hoc decisions and measures had to be resorted to. The need for speed and expediency dictated such decisions and measures. Organisations had to consciously admit that several known risks became “acceptable”, which during normal times were clearly “not acceptable”.
  • What We Did: Banks went the whole hog on “Work From Home (WFH)”. However, it was not easy to undertake WFH on such a massive scale. Quite a lot of ad hoc fixes for the security cordon, like Secure VPN, endpoint security and mobile device security, had to be provided for. Concurrent remote access licenses, bandwidth enhancements, gateway capacities, etc., had to be arranged urgently. While offering desktops/laptops/tablets, organisations had to ensure that they were all stripped-down, plain vanilla systems, preloaded only with required applications, with no USB port, with downloading and installing of any software blocked, no printer connectivity, etc. Organisations had to compromise on several safety protocols. For example, the control concept of “no paper, pen, smartphone, recording devices, etc.” was not feasible to implement or monitor. They also had to knowingly leave open some risks, e.g. copying data while working at home, and poorly secured home networks shared by several devices, including IoT devices.
  • Threats Increased: During this lockdown period, technology systems were put to the test at unprecedented levels. Cyber security was the prime target of attack. Phishing attacks increased; also sophisticated ones like malware, trojan attacks, ransomware, etc. Remote working tools / software like video conferencing software were targets of attacks to take advantage of vulnerabilities. Sensitive data travelled along with game, music, TV content, Alexa, etc. Malicious COVID-based emails increased. The International Criminal Police Organisation (Interpol) warned countries about a marked increase in cyber threats connected with malicious domains, malware and ransomware. The Financial Action Task Force (FATF) pointed to an increase in money laundering (ML) and terrorist financing (TF) risks, stemming from Covid-19-related crimes. Remote onboarding and remote identity verification in times of social distancing and office closure came along with embedded risk.
  • Beyond COVID: As we move towards resuming normal social, economic and other activities, organisations, including banks and financial institutions, will have to make major changes to their structure, operations and approach:
    • First of all, they have to pay greater attention to crisis preparedness, systems resilience, and access to healthcare.
    • Secondly, banks will have to make structural changes in terms of being:
      • Flexible – COVID dispelled the myth that banking, being a customer-oriented industry, is not suitable for WFH. Banks will now have to let staff work from home. Rules, procedures, infrastructure, compensation, etc., will need review and reassessment.
      • Redesigning Office Layouts – Banks have been forced to consider employee wellbeing more holistically – in terms of not only the physical, but also mental and emotional wellbeing. Redesigning the office layout to take care of social distancing (between staff and also between staff and customers), commitment to hygiene, cleanliness and safety, provisions for temperature checks, re-modelling conference rooms, video rooms, etc., will need to be completed on an urgent basis.
      • Ready to help staff redesign their homes and make them “Work Ready” – As many homes are not equipped for WFH, employees will need to be assisted in helping them build “office pods” at home with enduring cyber connectivity and security features.
    • Thirdly, the new mantra will be “Working securely, while working remotely”. Banks will have to pay special attention to cyber security while enabling their staff to work remotely from home or on mobile spots.
    • Fourthly, banks will have to revisit their Business Continuity Plans (BCP). COVID has compelled us to revisit certain BCP assumptions, like, “people can reach / air-dash backup centres”. In such events of pandemic proportions, an organisation will not be able to get its staff to the Data Centres. Hence, WFH will be an integral part of BCP. Banks will have to quickly reorganise their data centres from “Active-Passive” centres to “Active-Active” centres. Banks will have to identify succession planning in much greater granularity – second, third lines for every function have to be ready. Revamping the Backup Centre will have to include not just its infrastructure, capacity, and licenses; employee safety, which was never on the BCP radar, will now become an important element of BCP. Another area for special attention will be the availability of third-party services and providers; banks need to get a high degree of assurance in this regard, including system audit certification. Further, the current BCP locations have not been designed for extended periods of operations; typically the recovery time objectives are within a day and if at all, a couple of days. The COVID pandemic has taught us that alternate locations may have to be on a full function basis for even three to six months. This has enormous implications for the redesigning of BCP infrastructure.
    • Fifthly, banks will now have to take cyber security to a new orbit. With increasing reliance on digitalisation, banking has already been a fertile ground for hackers and cyber fraudsters, of both the organised and unorganised genres. With the virtual certainty of remote working and WFH being the new normal, the relevance of and continued vigil on cyber security cannot be overemphasised. Academia, researchers and cyber security technology firms will have their hands full. End-to-end communication safety standards will need continuous enhancements. Lastly, a strong element of cyber security will be to imbibe the security culture and security by design in the minds of every staff member.
    • The COVID pandemic has taught several lessons for all organisations, including banks and financial institutions. It has compelled them to revisit certain assumptions based on which their IT Infrastructure, Business Continuity Plans, Cyber Security Framework, etc., have evolved in the past. Redesigning these in the quickest possible time is the need of the hour.

Over 100 Board Members of various public and private banks participated.