
Expert view: Indian banks need to wake up to harsh cyber realities


By Sujan Hajra

In August 2018, Cosmos Bank suffered a cyber attack in which nearly Rs 100 crore was siphoned off. In most developed countries, similar attacks are rare. Such incidents require a large number of accounts to transfer the stolen money. With stringent KYC norms, anti-money laundering measures, multi-level transaction authentication requirements and AI-based real-time ‘unusual’ transaction tracking, carrying out such operations is difficult barring gross negligence by the bank or related parties.

In most countries, direct siphoning of money from banks through cyber attacks takes the form of small-scale frauds through phishing attacks and cloning/stealing of payment cards/net banking identities/information. These are high-frequency but low-impact events. RBI data and our estimates show that during 2008-17, banks in India faced 1,30,000 reported cases of cyber fraud involving an estimated Rs 700 crore. This is equivalent to just 0.006% of the outstanding deposits of Indian banks. By contrast, a severe cyber attack can result in bank failure even when no money is lost directly.

The main threats that a bank faces from cyber attacks include breach of customer data privacy, loss of reputation, business discontinuity, loss of assets/business information, post-breach information security revamping cost, third-party claims and penal actions from regulators. Strong customer data privacy protection norms and stringent penalties for infringement have been the main drivers of robust cyber security arrangements by banks in most OECD countries. For example, the General Data Protection Regulation (GDPR) in the EU imposes a penalty of up to €20 million, or up to 4% of the annual worldwide turnover, for violation of norms.

Data privacy norms in India are far less stringent than those of the GDPR. Besides, the predominance of public-sector banks creates the impression of an implicit sovereign guarantee against the failure of such banks. This reduces the threat of reputation loss for public-sector banks due to cyber attacks. Also, the severe implications of a cyber breach seem to be lost on a large number of bank managements. These factors could have created a relaxed attitude among banks to cyber-risk management.

At the same time, even in industrialised countries, the sensitivity of banks to cyber attacks and investments in cyber-risk management have gone up sharply only in the current decade. For a large part of this period, Indian banks, especially those in the public sector, were faced with serious asset quality deterioration, restricting their capacity to invest in cyber security.

Indian banks do not have much choice concerning a major revamp of cyber security. Cyber attacks are global in nature and, with better cyber-risk preparedness in OECD countries, hackers are increasingly focusing on vulnerabilities in emerging-market countries. This can create existential problems for Indian banks. For example, the money siphoned off from Cosmos Bank is 14 times the bank’s FY18 profit.

The regulatory situation in India is also becoming more stringent. In 2016, the RBI asked banks to put in place board-approved, robust cyber-risk management systems. The regulator has also set norms that put losses due to cyber attacks almost exclusively on banks. Most importantly, the draft Personal Data Protection Bill, 2018, has proposed that for breach of personal-data protection, banks would face penalties similar to those under the GDPR.

Our detailed analysis of cyber-risk management by listed Indian banks shows that there is considerable divergence in the cyber-risk preparedness of Indian banks. While private-sector banks generally exhibit greater cyber maturity than the public-sector banks, there are numerous exceptions. The perception that smaller banks generally have lower levels of cyber-risk preparedness and, thereby, greater vulnerability, however, does not seem to be true.

Many of the ‘old’ private sector banks appear to be better prepared than their larger peers. Indian banks seem to focus more on identification and prevention of cyber attacks than on breach detection, crisis management in the immediate aftermath of detection and corrective measures thereafter. As the examples of major global banks including the Bank of America, Citi, JP Morgan Chase, PNC, USB or Wells Fargo suggest, irrespective of the cyber investment, preparedness and management, a cyber breach is a near certainty for banks. Quick breach detection and appropriate corrective actions decide the impact of such incidents on banks. It is high time that Indian banks wake up to harsh cyber realities.

*Author is chief economist at Anand Rathi Group. Views are personal.




