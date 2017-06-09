Pavan Duggal on why Indian banks lose the security plot

Indian banks just can't seem to get their act together when it comes to enforcing cybersecurity protocols.

In yet another egg-on-the-face incident that left the Indian banking fraternity reeling, a bug in the Unified Payments Interface (UPI) app caused the Bank of Maharashtra to be defrauded of a sum amounting to Rs 25 crore.

In the wake of this enormous monetary gaffe, we speak to Pavan Duggal, Founder & Chairman of the International Commission on Cyber Security Law, to get a measure of what plagues cybersecurity in the Indian banking space.

A practicing Advocate in the Supreme Court of India, Duggal has an international reputation as an authority on cybersecurity and e-commerce law.

What can Indian banks do to mitigate cybersecurity risks?

Banks have to do a lot to mitigate the risks for potential legal exposure. Banks today are only following some of the key parameters given by the RBI.

However, banks are still not complying with the mandatory requirements as intermediaries, under the Information Technology Act, 2000.

Under the IT Act, 2000, all banks, being intermediaries, are mandated to exercise due diligence. Due diligence has also been defined to include that banks must put reasonable security policies and procedures in place.

ISO 27001 is one such instance of mandating reasonable security policies and procedures. Now, most of the banks are not complying with the parameters of information security.

UPI needs to demonstrate how it is complying with the IT Act and the parameters of cybersecurity. Because at the end of the day, if these are complied with, then your exposure to liability is limited, as you're given statutory protection under the law.

However, there's a huge gap between what the banks are professing versus what they're actually doing.

Why are Indian banks averse to being transparent in reporting security breaches to the public?

I was part of the G Gopalakrishna working group under the RBI, and we had come up with the parameters of information security in 2011. It took the banks quite some time to comply with the guidelines. Even RBI's notification of June 2016, where it mandated all banks to have a cybersecurity policy, has not been complied with.

Now, banks are in the trust business - they don't want to report. But effective from 4 January 2017, a new notification mandates all banks to report cybersecurity breaches within a stipulated time. Despite this, you see breaches occurring, but you don't see banks reporting them.

I think it's time banks take a fresh look at how to deal with cybersecurity. They will always be breached, they will always be hacked. That shouldn't come across as a surprise. The important issue is to figure out what cyber-resilience policies and mechanisms banks have in place to come back to normalcy as soon as possible.

