Banking technology is expected to grow to $2.4 billion by 2020, with significant advancements in digital transformation efforts. But with the surge in digital banking services, hackers are increasingly focusing on vulnerabilities in emerging-market countries like India leaving organizations with no choice but to undertake a major revamp of cyber security.
Any technology which is not secure by design is a huge risk to the business and no amount of benefits of the said technology can offset the potential risk to the organization.”
Anshuman Pandey, Chief Technology Officer, Goals101
In an increasingly digital landscape, customer centricity and anytime availability are transforming how banking and financial services are delivered in the country. With customer expectations at an all time high, the focus on improved digital and mobile banking experiences has seen rapid increase. This has been directly proportional and can even be squared in terms of the security tools and reinforcements in the sector. Keeping up with competition is a continuous task for BFSI CXOs, which has influenced heavy investment in advanced technologies recently as Machine Learning, Artificial Intelligence, Behavioral Analytics, IoT and Mobility being at the forefront of every new BFSI offering. This has fuelled innovation among both vendors and internal product development teams in enterprises.
The issue isn’t that security devices aren’t in place but that they operate in isolation. Security and operations teams rarely have clear and consistent insight into what is happening across the network.”
Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet
The industry has been witnessing a huge shift among financial services organizations towards cloud-based services and infrastructure to cater to scaling consumer demand for greater convenience, mobility, and simplicity in digital capabilities. With innovation in mobility and digital banking, cybersecurity as a menace appears to be a persistent thorn in developments and unhindered success of BFSI innovations. Black hat hackers have been siphoning money from banks through small-scale to large scale critical cyber frauds through phishing attacks and cloning/stealing of cards/net banking identities/information. Data from India’s apex bank RBI shows that during 2008-17, banks in India faced 130,000 reported cases of cyber fraud involving an estimated Rs. 700 Crore. The money siphoned off from one of the banks in the recent time is 14 times the bank’s FY18 profit. Cyber threats have been a constant for Indian financial enterprises where a severe cyber-attack can be bad enough to result in bank failure.
Given the ubiquitous nature of their use in evolving fintech world, cloning of digital identities can lead to amplified risks. Managing customer access to solutions and services becomes increasingly confusing.”
Biju Varghese: SVP, Enterprise Solutions, SAARC & APAC, eMudhra
The Technology Landscape
Digital transformation based on customer centricity and mobility being the norm, one of the most significant technology developments in BFSI has been the Cloud. The benefits of cloud for digital banking purposes extend far beyond happy customers and investors. As Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet points out, “In fact, data shows that by shifting their back-office functions to the cloud, banks can achieve savings between 30 to 40 percent.” With the deep embedded challenge of create more customers, and keeping the current ones interested, several factors are affecting the technology acquisition plans of enterprises today. As Biju Varghese: SVP, Enterprise Solutions, SAARC & APAC, eMudhra opines, “Various factors affecting technology acquisition include enhancing core banking value; revamping the digital agenda; moving from information to insight; dealing with a changing risk regime; from cash to electronic modes of payment; grappling with financial inclusion and accelerating innovation.”
Operational factors such as the Capex involved significantly impacts technology developments for BFSI enterprises. Anshuman Pandey, Chief Technology Officer, Goals101 explains, “BFSI organizations already have systems in which they have invested heavily, and hence are increasingly cognizant of what new investments they make. With the prevalence of cyber-attacks, phishing, social engineering, and the likes, security and regulatory compliance aspects of each new technology acquisition are significant factors.” Anshuman continues, “A key contributor to acceptance or reluctance in acquisition, however, is the learning curve. Like any other established industry, getting employees to alter the way they work, and taking time out from core business to train employees is a challenge for BFSI organizations.”
The sector will invest in AI and ML to stay ahead of attackers. Growing demand for highly skilled cyber-defenders will lead larger BFSI players to build in-house cyber academies to train their teams.”
Rakesh Viswanathan, Regional Director at Cyberbit
This is a critical factor as Rakesh Viswanathan, Regional Director at Cyberbit points out, “Acquisition of technology is never a problem, but the concern is the troubling gap between the inherent value of the technology and the ability to put it to work effectively. To close this gap, BFSI organizations need skilled teams which can use these technologies in a best possible manner without compromising on cyber security.” There needs to be increased focus by BFSI organizations to train their workforce in technology operations and cyber-security awareness to ensure smooth delivery in actuality.
Challenges with Digitization
With online banking, increased reliance on dynamic collection of data through new digital channels, protecting this data and providing it to customers and third parties in a secure manner and when required are a challenge for the industry. Attacks like Cryptojacking have leapfrogged ransomware as the malware of choice. As Rajesh Maurya of Fortinet points out, “While ransomware continues to be a serious concern for financial networks, the number of unique cryptojacking signatures nearly doubled in the past year, while the number of platforms compromised by cryptojacking jumped 38%. Perpetrators include advanced attackers using customized malware, as well as “as-a-service” options available on the dark web for novice criminals.” Another big challenge is growing encrypted traffic. While encrypted traffic has always been a staple of financial organizations, it now represents an unprecedented 72% of all network traffic, up from 55% just one year ago. Rajesh explains “While encryption can certainly help protect data and transactions, it also represents a challenge for traditional security solutions. The critical firewall and IPS performance limitations of most legacy security solutions continue to limit the ability of organizations to inspect encrypted data at network speeds. As a result, rather than attempting to slow down time-sensitive financial transactions, a growing percentage of this traffic is simply not being adequately analyzed for malicious activity, making it an ideal mechanism for criminals to spread malware or exfiltrate data.” Another major security challenge is Botnets which are getting smarter. The number of days that a botnet infection was able to persist inside an organization increased 34% during Q3, rising from 7.6 to 10.2 days, indicating that botnets are becoming more sophisticated, difficult to detect, and harder to remove. This is influenced by organizations failing to practice good cyber hygiene, including patching and updating vulnerable devices, protecting IoT and other devices that can’t be directly hardened, and thoroughly scrubbing a network after an attack has been detected.
As per Rakesh Viswanathan of Cyberbit, the challenges for BFSI in 2019 will include “finding the right mix of investment and automation using artificial intelligence, dilemma of implementing blockchain technology which can prove to be a panacea, connecting with third party providers to drive customer centricity, tailor service catering to individual needs and speeding up response time to clients.”
Another major challenge is management of digital identities of individuals and enterprises to offer an integrated omni-channel experience that extends banking, wealth management and payment services in a seamless fashion. As Biju Varghese of eMudhra opines, “While digital identities have become safer at one level, given the ubiquitous nature of their use in the evolving fintech world, cloning of these identities can lead to amplified risks. Managing customer access to solutions and services becomes increasingly confusing.”
The customer demographic has witnessed a shift towards young, more tech-aware customers who less forgiving of inconveniences and expect instant, personalized services. BFSI organizations are always exploring adoption of new technologies to proactively ensure faster response in their services. Anshuman Pandey of Goals101 explains, “A key challenge will be to utilize these new technologies such as Mobile, Biometrics, Cloud, ML & AI, Blockchain, etc, to the fullest, while ensuring security and compliance. Another significant challenge that will be in focus is to best use data to engage customers, prevent attrition and positively impact business. The decision between building and buying will further exacerbate these challenges.”
A major challenge with new technology partnerships is that there are too many service providers with less expertise. We expect innovative solutions and support to come from the service providers.”
Srinivasarao Muppaneni, Group CIO, The AP and Telangana State Coop Banks
Perennial Security Headache
With data sensitivity core to BFSI, organizations have increased focus on security in their technology infrastructure. This is impacted by rise of digital banking but lack of privacy mindset in users. Recent much publicized cyberattacks like Pune’s Cosmos Bank, State Bank of Mauritius, UK’s Metro Bank, Bangladesh Bank and Australia’s Judo Capital have accelerated the need for revamp of security practices. Factors like financial risk, reputation loss, regulatory penalties, and post-facto security revamping costs have resulted in proactive adoption and greater emphasis on authentication, biometrics, encryption, digital certificates, firewalls, and filtering password protection to ensure customer confidence in their services.
As Rajesh Maurya explains, “Challenges continue to grow, and financial institutions– especially those in the midst of digital transformation efforts – are being highly targeted by cybercriminals. Commercial Banks, Fintech Companies, Stock Brokerage Firms, Asset Management Firms, and Insurance Companies that support digital transactions through mobile apps are increasingly being targeted and exploited by malicious criminals as they struggle to figure out how to inspect and secure the growing volume of encrypted traffic, battling the persistent botnets, and addressing new malware trends. The challenges of siloed deployments and fragmented infrastructure have further enabled an alarming increase in cyber events. The issue isn’t that there aren’t security devices in place but that these solutions almost always operate in isolation. Security and operations teams rarely have clear and consistent insight into what is happening across the network.”
RBI Guidelines on Cyber Security Framework for Banks has detailed the required Cyber Security Framework focusing on three main areas – Cyber Security Operations Centre (C-SOC), Cyber Security Incident Reporting and Cyber Security and Resilience. Financial organizations have deployed a SOC with their Network Operations Center (NOC) to increase visibility, centralize management, and improve control. But even with centralized NOC and SOC solutions in place, teams running them tend to still be siloed and only focus on half of the equation. In today’s complex ecosystem of hyperconnected digital networks, a unified approach to secure network operations effectively mitigates resource constraints while closing the gaps inherent in isolated management strategies.
There is a tendency for organizations to feel that their security posture is stronger than what it is. But breaches help open the eyes of information security leaders who have started formulating and following robust cyber crisis management plans to mitigate and deal with any possible scenario. Financial institutions are witnessing increased targeting (three times more than any other industry. As per Rakesh Viswanathan of Cyberbit, “Because of increased number of attacks, BFSI organizations are moving towards data lakes and threat hunting techniques for effective investigation of cyber threats. Data lake is the optimal solution to fulfill cybersecurity use cases as it collects log from all possible security layers like networks, endpoints, servers, and security products like DLP, VPN, firewalls etc. This technique makes forensics and investigation comparatively easy.”
As Anshuman Pandey, Chief Technology Officer, Goals101 opines, “Any technology which is not secure by design is a huge risk to the business and no amount of benefits of the said technology can offset the potential risk to the organization.” No technology is hack-proof if the users do not follow best security practices, creating the need for organizations to adopt a “train and test” mindset to imbibe these security practices in their employees. Building and retaining a highly skilled cyber security workforce is a huge challenge with the number of positions and demand is far outpacing the growth of young professionals entering this field.
Trends that will rule 2019
With digitization of operational aspects Smart paperless workflows will be a big deployment trend for enterprises in the space. As Biju Varghese understands, “With the help of embedded AI aiding backend operations and new changes in eSign guidelines by Govt of India, banks will be able to quickly identify bottlenecks in their operation workflows and bring in significant improvements in process efficiencies.” AI and ML are also the core technologies towards more personal customer experiences. “Virtual Banking is all set to be the raison d’être for technology in BFSI,” Anshuman Pandey continues, “Use of AI to engage customers with relevant content and deliver personalized services is a big focus.
Financial industry is the main market for blockchain use cases. Rajesh Maurya explains, “Firms are deploying blockchain to support mainstream sovereign currency processes—not the controversial cryptocurrency transactions that initially thrust blockchain into spotlight.” Rate of blockchain adoption is growing fast—expanding its footprint across multiple industries and economic sectors. A recent IDC report projects a 73.2% worldwide compound annual growth rate (CAGR) between 2017 and 2022 for spending on blockchain solutions with global rise in spending from $1.5 billion in 2018 to $11.7 billion in 2022. As Biju notes, “’IndiaChain’, the largest blockchain network in India by NITI Aayog, will see adoption to increase transparency, combat frauds, and many other use cases. Virtual Private Cloud and associated technologies such as IoT may play a big role in operational optimization in the sector.”
For the cybersecurity professional, blockchains are another enterprise asset to protect from adversary interference. Fortunately, at the technology’s current stage of evolution, almost every blockchain project is a greenfield project. This offers application designers the opportunity to build security into the project at the beginning of its development cycle.
Most cyber security measures up till now have been reactive rather than preventive in nature but banks are beginning to implement additional measures to ensure data security at all stages. As banking becomes more digital and automated, so will attacks. Rakesh Viswanathan explains how security in BFSI will unfold in 2019, “The sector will invest in technologies that use AI and ML to stay ahead of attackers. Growing demand for highly skilled cyber-defenders will lead larger BFSI players to build their own in-house cyber academies to train their teams. Security orchestration, automation and response (SOAR) having big data platform capabilities will remain a priority for SOC teams providing visibility into all raw data for analysts to investigate with accelerated response in real time with less manual intervention.”
Road ahead for BFSI
As pre-cursor to any successful implementation, CIOs need to ensure that the technologies they evaluate are secure & scalable by default, have the least learning curve, are easy to deploy and manage, and do not distract the organization from their core business. Digital transformation efforts spread security resources thin, restricting visibility and fragmenting controls and requiring an equivalent security transformation effort. CIOs need to rethink their security strategy and implement global best practices. They need to redefine the security framework and shift from conventional security like point products, manual management, and reactive security to a strategy where different security elements are integrated into a single system, security workflows can span multiple network ecosystems, threat-intelligence is centrally collected and correlated, and threat detection and response is automated and uniform. Rapid response times are crucial, which makes the implementation of truly expansive and integrated security automation essential, from data collection to coordinated responses to threats.
With mobile banking becoming mainstay, maintaining a comprehensive inventory of devices of end users through third-generation network access controls and behavior base-lining is important to monitor for aberrant behavior and malicious activity. Indian BFSI CIOs need to invest in detection tools and data lakes platforms to keep zero-day attack and threats residing at end-point at bay. They need to keep their infrastructure isolated and protected from the open environment and have robust and rapid incident response plan to deal with any possible attack scenario.
Hackers are increasingly focusing on vulnerabilities in emerging-market countries like India. BFSI IT and Cybersecurity leaders need to rethink their strategy, from automating their security hygiene measures to replacing isolated security devices with an integrated security fabric architecture that seamlessly spans the growing attack surface. As the Indian banking technology expected to grow $2.4 billion by 2020, the year will see significant advancements in BFSI digital transformation efforts. Organizations do not have much of a choice but to undertake a major revamp of cyber security.