NBFC CISO Forum
On the advice of the Reserve Bank of India, IDRBT constituted a CISO Forum exclusively for Non-Banking Financial Companies (NBFCs). The inaugural meeting of this Forum was held at IDRBT on May 27, 2024. The Forum is envisaged as a platform for CISOs of NBFCs to exchange views, share best practices and foster community learning in the area of Information Security.
Inaugurating the meeting, Dr. Deepak Kumar, Director, IDRBT, spoke on the critical role of cyber security in the NBFC sector and on the evolving responsibilities of CISOs, amid rapid technological change, for ensuring cyber hygiene. He dwelt upon the concept of a virtual CISO, highlighting its potential benefits for smaller entities alongside the challenges of implementing it. Stressing the importance of robust whitelisting policies as a security control, he also laid out strategies for effective policy management and enforcement, and the necessity of clear accountability frameworks within cyber security teams. He proposed that each organisation create a cyber security playbook to standardise its procedures and responses, and outlined its key components and associated best practices.
Shri Natarajan Suganandh, General Manager, Department of Supervision, Reserve Bank of India, in his keynote address, elaborated on the cyber security challenges confronting banks and NBFCs. He referred to the Master Direction on Information Technology Governance, Risk, Control and Assurance Practices and cited several of its requirements, such as control over technology devices, deployment of WAF/IPS and enhanced monitoring, stressing the importance of SIEM monitoring, keeping signatures updated and managing patches to counter cyber-attacks. He emphasised the necessity of essential policies and SOPs, the significance of cyber security fundamentals and cyber hygiene management, and the need to address API-related attacks and critical vulnerabilities.
Shri V. V. Visakh, Asst. General Manager, Department of Information Technology, Reserve Bank of India, emphasised the pivotal role of NBFCs in the Indian economy and characterised cyber security as a collaborative effort among industry players rather than a competitive pursuit. He stressed the significance of sharing best practices and collaborating to fortify cyber defences across the financial sector, thus ensuring a resilient and secure environment for all stakeholders.
Dr. Rajarshi Pal, Faculty, IDRBT, spoke about the role of the CISO in a financial institution. Citing the Master Direction on Information Technology Governance, Risk, Control and Assurance Practices, he highlighted the security challenges prevalent in cyber space and the necessity for CISOs to possess comprehensive knowledge of their organisation's cyber-attack surface. He provided insights into the Information Security Committee (ISC) and its core responsibilities, and into the appointment of the CISO under the Master Direction and the responsibilities of the role.
Shri Kartik Shinde, Cyber Security Consulting Partner, Ernst & Young, provided insights into cyber-attacks targeting critical banking infrastructure through case studies and real-life examples. He delved into emerging technologies such as deepfakes and AI applications, highlighting the risks that deepfake videos pose, including to video KYC. He also dwelt on recent data breaches, ransomware incidents and email-based phishing attacks, elucidating how they operate and their ramifications for organisations. He discussed the significance of threat intelligence feeds, focusing on Indicators of Compromise (IOCs) and the MITRE ATT&CK framework, and explained the critical MOVEit web application vulnerabilities and the key lessons from them.
Dr. Dipanjan Roy, Faculty, IDRBT, provided an overview of IB-CART, a cyber-threat intelligence sharing platform designed for the banking and financial sector. He discussed its significance and how financial institutions can leverage it to enhance their cyber defences through community-driven threat intelligence. The platform supports STIX/TAXII-based integration with existing cyber security tools such as SIEM and SOAR. Additionally, he presented an overview of a cyber security drill conducted by IDRBT, outlining the process followed and what is expected of participating organisations, and highlighted the benefits of such drills in improving the cyber security posture of the organisations.
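The STIX/TAXII integration mentioned above is the point at which community threat intelligence meets an NBFC's own SIEM. The Python below is an added example, not IB-CART's code and not a description of the objects IB-CART actually publishes: it assumes a STIX 2.1 bundle of the kind a TAXII 2.1 collection returns (the sample bundle is constructed here from RFC 5737 / RFC 2606 documentation values) and flattens its indicators into IOC records a SIEM watchlist can consume, while dropping revoked and expired indicators and refusing to flatten compound patterns, whose boolean semantics a plain watchlist would lose.

```python
import json
import re
from datetime import datetime, timezone

# One STIX comparison  object-type:path = 'value'  (single-quoted; \' and \\ are the escapes).
_COMP = r"[a-z0-9-]+:[A-Za-z0-9_.'-]+\s*=\s*'(?:[^'\\]|\\.)*'"
# The only pattern shape we flatten: bracketed comparisons joined by OR. AND, FOLLOWEDBY, WITHIN,
# !=, LIKE, MATCHES or unquoted numbers need analyst review, since a flat watchlist loses them.
SIMPLE_PATTERN = re.compile(rf"\[\s*{_COMP}\s*\](?:\s+OR\s+\[\s*{_COMP}\s*\])*")
COMPARISON = re.compile(
    r"(?P<type>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>(?:[^'\\]|\\.)*)'")
_VALUE_TYPES = {"ipv4-addr": "ip", "ipv6-addr": "ip", "domain-name": "domain",
                "url": "url", "email-addr": "email"}

def _ts(value):
    """Parse a STIX timestamp; fromisoformat() accepts a trailing 'Z' only from Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _ioc_kind(stix_type, path):
    """Map a STIX object path to the watchlist field it is matched against, or None."""
    if path == "value" and stix_type in _VALUE_TYPES:
        return _VALUE_TYPES[stix_type]
    if stix_type == "file":
        m = re.fullmatch(r"hashes\.'?([A-Za-z0-9-]+)'?", path)
        if m:
            return "hash:" + m.group(1).lower()   # hash:sha-256, hash:md5, ...
    return None

def _reject_reason(obj, now):
    """Why an indicator must not reach the watchlist, or None if it is usable."""
    if obj.get("revoked"):
        return "revoked"
    if obj.get("pattern_type", "stix") != "stix":
        return f"pattern_type {obj['pattern_type']} not flattened"
    if _ts(obj["valid_from"]) > now:
        return "not yet valid"
    if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
        return "expired"
    if not SIMPLE_PATTERN.fullmatch(obj["pattern"].strip()):
        return "complex pattern, needs analyst review"
    return None

def extract_iocs(bundle_json, now=None):
    """Return (iocs, skipped): flat IOC records, plus (indicator id, reason) for what was not used."""
    now = now or datetime.now(timezone.utc)
    iocs, skipped = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue                              # identities, markings, relationships, ...
        reason = _reject_reason(obj, now)
        if reason:
            skipped.append((obj["id"], reason))
            continue
        for m in COMPARISON.finditer(obj["pattern"]):
            kind = _ioc_kind(m["type"], m["path"])
            if kind is None:
                skipped.append((obj["id"], f"unsupported observable {m['type']}:{m['path']}"))
                continue
            iocs.append({"kind": kind, "value": re.sub(r"\\(['\\])", r"\1", m["value"]),
                         "indicator": obj["id"], "name": obj.get("name", ""),
                         "modified": obj.get("modified")})   # keep for supersession on re-pull
    return iocs, skipped

def _indicator(n, name, pattern, **extra):
    """Minimal STIX 2.1 indicator for the constructed sample below (not real IB-CART data)."""
    obj = {"type": "indicator", "spec_version": "2.1", "name": name, "pattern": pattern,
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}", "pattern_type": "stix",
           "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
           "valid_from": "2024-05-01T00:00:00.000Z"}
    obj.update(extra)
    return obj

# Constructed sample bundle using RFC 5737 / RFC 2606 documentation values, not real IOCs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "C2 address", "[ipv4-addr:value = '203.0.113.5']"),
        _indicator(2, "Phishing domain or dropper",
                   "[domain-name:value = 'login.example.com'] OR "
                   "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"),
        _indicator(3, "Old URL", "[url:value = 'http://example.net/old']",
                   valid_from="2023-01-01T00:00:00.000Z", valid_until="2023-06-01T00:00:00.000Z"),
        _indicator(4, "Withdrawn", "[ipv4-addr:value = '198.51.100.7']", revoked=True),
        _indicator(5, "Needs correlation",
                   "[ipv4-addr:value = '192.0.2.10'] AND [network-traffic:dst_port = 4444]"),
        _indicator(6, "IDS rule", "alert tcp any any -> any 80 (sid:1;)", pattern_type="snort"),
        {"type": "identity", "spec_version": "2.1", "name": "Sharing community",
         "id": "identity--00000000-0000-4000-8000-000000000007", "identity_class": "organization"},
    ],
})

def demo():
    """Run the extractor against the sample at a fixed date so the result is reproducible."""
    return extract_iocs(SAMPLE_BUNDLE, now=datetime(2024, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    iocs, skipped = demo()
    print(*(f"{i['kind']:12} {i['value']}" for i in iocs), sep="\n")
    print(*(f"skipped {i}: {why}" for i, why in skipped), sep="\n")
```

Run as a script, the sample yields three watchlist entries (an IP, a domain and a SHA-256) and four skipped indicators: one expired, one revoked, one compound pattern that needs a correlation rule rather than a lookup, and one Snort rule that belongs in the IDS, not the SIEM watchlist. Reporting these in `skipped` instead of silently dropping them is the point a CTI ingestion pipeline most often gets wrong; the `modified` timestamp is retained so that a later pull of the same collection can supersede earlier versions of an indicator.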
Thereafter, Dr. Rajarshi Pal discussed several cases of cyber-attacks that exploited the supply chain. He emphasised that such attacks target not only the software supply chain but also the hardware and services supply chains. To mitigate these risks, he outlined principles of supply chain security, such as including a "right to audit" clause and cyber security requirements in contracts, and collaborating with suppliers to raise the security of the whole ecosystem.
Prof. Babu M. Mehtre, Faculty, IDRBT, delivered the valedictory remarks. Forty-three CISOs from various NBFCs participated in the meeting.