In the past few years, numerous organizations have been hit by cyber-attacks, and their networks and data have been breached. It is not just computing power that has grown exponentially in this period but also network speed, and together they have allowed us to stay interconnected and conduct business across geopolitical boundaries with ease.
Faster computing, higher data rates and near-universal network availability have driven the growth and penetration of digital services offered to the masses, with a profound effect on many aspects of our lives. The volume of data involved is enormous, and it relates to our identity and personal details; depending on the services a particular organization provides, it may also reveal a great deal about our spending habits.
All of this data sits under the watchful eyes of its custodians, yet the credentials used to access it are now traded as a commodity by criminals. Nor is it only credentials: identifiers such as card details, personal information and addresses, once collated, allow anyone holding them to become the digital you.
To safeguard the interests of all stakeholders, Regulators and CERTs have been issuing rules and regulations on data security and privacy. Strict compliance with these is expected of every organization; history has shown, however, that compliance has taken a back seat in this fight.
The banking sector has always been a high-value target for criminals, and the attacks are not limited to the banks themselves but extend to every organization associated with them, e.g. payment processors and ATM management companies. Earlier, when a task was outsourced to a third party, the security concerns were offloaded along with it. Given the overall impact a data breach can have on the entire process, data security must now be the prime responsibility of the bank, irrespective of which third parties process the data on its behalf.
Some cyber-criminal syndicates specialize in spam, others concentrate on botnets, and some find corporate espionage more lucrative. Attack campaigns against organizations and their customers are carried out according to each group's specialization, which is why Regulators regularly issue advisories whenever they encounter attacks aimed at a specific sector. Prior knowledge of an impending attack has nothing to do with a sixth sense; it is the product of collaborative effort, and many a time it is security researchers who ring the warning bells.
Security Incident Reporting (SIR) is an important aspect of information security: it helps the CERTs and Regulators understand the impact of such attacks on the overall security of the targeted sector. The regulations governing SIR include the timeframe within which an incident has to be reported, yet time and again it has been shown that many organizations fail to report such incidents.
Recently, RBI penalized YES Bank to the tune of INR 6 Crores for failing to notify it in a timely manner about a data breach that took place at one of the bank's third-party data processors.
Under RBI's notification rules, banks must report a breach within two to six hours of discovery, even when a third party is responsible for the incident. In a statement issued by the Chief General Manager, RBI –
“A cybersecurity incident involving ATMs of the bank was not reported by the bank within the prescribed time frame. Based on the inspection report and other relevant documents, a notice was issued to the bank advising it to show cause as to why the penalty should not be imposed on it for non-compliance with directions issued by RBI. After considering the bank’s replies, oral submissions made in the personal hearings, and also the additional information and documents furnished, RBI came to the conclusion that the aforesaid charges of noncompliance with RBI directions were substantiated and warranted imposition of monetary penalty.”
Regulations are for the benefit of all, and failing to adhere to them is a serious lapse that should be dealt with strictly; the penalty imposed by RBI will hopefully prove to be a turning point for the Indian banking sector. Although the window for filing the SIR is only two to six hours, organizations are allowed to file an addendum to the SIR once their investigation of the incident is complete. This should relieve the security teams of affected organizations, since the initial report need only state "Under Investigation / Investigation in Process".
We hope to see organizations moving toward strict compliance with the regulations issued by the Regulators and CERT.