The government’s move to set up a Computer Emergency Response Team for Finance (CERT-Fin) comes at a time when there has been a burst of activity in India’s fintech space. Photo: iStock
New Delhi: An expert group has proposed the setting up of an independent Computer Emergency Response Team for Finance (CERT-Fin) to be the cyber warrior of the financial sector.
CERT-Fin will be the key to ensuring a comprehensive cybersecurity framework for the financial sector, especially at a time when there has been a burst of activity in the fintech space as India makes efforts to embrace a less-cash economy.
Till this body—to be set up as a not-for-profit company with a governing board—is functional, the panel has recommended that Reserve Bank of India (RBI) act as the lead regulator.
CERT-Fin will report to the Indian Computer Emergency Response Team (CERT-In), the agency tasked with coordinating efforts on cyber security issues, to ensure complementarity.
The report of the working group, headed by CERT-In director general Sanjay Bahl, has been put in the public domain for discussions by the department of economic affairs. The deadline for submitting responses is 31 July.
In the Union budget for 2017-18, finance minister Arun Jaitley had announced the setting up of CERT-Fin. Subsequently, the government set up the expert group to give shape to this entity.
The vulnerability of the financial sector has increased as India pushes towards a less-cash economy. Last year, after a malware injection in the systems of Hitachi Payment Services Pvt. Ltd, about 3.2 million debit cards were compromised; similarly, hackers had infected the servers of the Union Bank of India with malware.
“India is one of the largest targets of cyber attacks not only on businesses but also on individuals. The threat of cyber attack is real. Most of the times, companies are either not aware that an attack has taken place, or are hesitant to report it,” said Jayant Saran, partner, forensic-financial advisory, Deloitte India, while welcoming the move to create CERT-Fin.
Further, the panel observed that the dispersal of technical resources is skewed towards cities even as online financial transactions continue to spread across the country. “The preparedness of the financial sector to meet the cyber challenges from different threat vectors cannot be considered robust,” the expert group said.
The group has recommended that CERT-Fin include representatives from regulators as well as experts with sophisticated IT skills hired at market-linked rates.
The panel was instituted by the Financial Stability and Development Council, an apex body chaired by the finance minister.
The panel also suggested that CERT-Fin should operate a 24×7 help desk, analyse cyber security incidents and give inputs for cyber security policy making. Initially, the body will be funded by all financial regulators and will coordinate with institutions in other countries and adopt global best practices.
At the same time, every financial regulator will have its own cyber cells which will report patterns of cyber incidents to CERT-Fin, which will issue timely alerts.
“Cyber attacks and malicious cyber activities in the financial sector have the potential of loss of money to the customer and/or the bank. It affects the institution’s reputation and impacts the economy, besides creating trust deficit,” the panel said.
The estimated combined global spending on cyber security of just a few major banks in 2016 was $500 billion, the panel said, citing a report by business magazine Forbes.
The panel also said, citing another research report, that approximately 20 million financial records were breached in 2015 costing financial institutions an average of $215 per stolen record.