Incentivising financial sector cybersecurity
Two developments last week point to the evolving cybersecurity architecture in India’s financial sector. First, the government made public a report by the working group established to help set up the Computer Emergency Response Team in the Financial Sector (Cert-Fin). Then, the Reserve Bank of India (RBI) released guidelines on customer liability in case of unauthorized electronic banking transactions. They represent different aspects of the cybersecurity problem—the technical and the broader economic framework. The latter deserves more attention than it has received.
The Narendra Modi government’s push for a less-cash economy is increasing the digital density of India’s financial services space. For instance, the government has targeted Rs2,500 crore worth of transactions via digital means such as the Unified Payment Interface, Aadhaar Pay and debit cards in FY18. More fundamentally, Modi’s financial inclusion and development push, based on JAM (Jan Dhan Yojana, Aadhaar, Mobile connectivity), has digital underpinnings that mean potentially cascading effects if there are breaches in the financial sector. The cyberattacks, meanwhile, have been getting audacious. Last year, a malware-related security breach compromised millions of debit cards that had to be blocked by the State Bank of India, HDFC Bank Ltd, ICICI Bank Ltd, YES Bank Ltd and Axis Bank Ltd. There was also the near-loss of $171 million, transferred via unlawful access to the Union Bank of India’s SWIFT codes.
New Delhi’s response thus far has focused on the technical aspects of the problem. That is necessary, certainly. There is a risk that Cert-Fin will become deadwood given that sectoral regulators RBI, the Securities and Exchange Board of India and the Insurance Regulatory and Development Authority of India are already working on cybersecurity issues. But if implemented well—as per the report, its role stretches from collection, analysis and dissemination of information regarding cyber incidents to monitoring the financial sector’s efforts to establish an effective cybersecurity architecture—it could enable coordination across the sector.
But no cybersecurity architecture can be foolproof, for three reasons. First, when it comes to any reasonably complex system, attackers will always have the edge over defenders. Even if the former are poorly resourced and the latter have all the resources of a national government available to them, the number of potential bugs and vulnerable points in any system means that the mathematical odds favour the attackers. Second, no code can be perfect enough to compensate for human error. In the Union Bank of India case, for instance, the attackers, posing as RBI officials, successfully phished a Union Bank staffer. And lastly, cybersecurity functions somewhat like herd immunity does for vaccinations. A bank might have a robust cybersecurity architecture, but it will still be vulnerable if the systems of other networks that carry pertinent information are not secure. For example, the telecom sector is a potential avenue of attack on the financial sector.
That means that policy which offers institutions the correct economic incentives to be proactive about cybersecurity, to cooperate with the regulator and to report breaches is as important as technical measures. In a 2001 paper, Why Information Security Is Hard—An Economic Perspective, security engineering researcher Ross Anderson pointed out that in an international survey of ATM frauds, the US, where the burden of proof lay with the banks, fared much better than Britain, Norway and the Netherlands, where the burden of proof lay with the customer. The RBI’s guidelines on customer liability are welcome in this context.
What about liability for distributed denial of service (DDoS) attacks, now the most common kind of attack on financial institutions globally? Should the owners of dangerously unsecured networks, servers or Internet of Things devices that are infected and used to launch such attacks face liability? Would that impose too heavy a regulatory burden and stifle business, or would it be a positive inducement to be proactive in hardening cyber defences?
Then there is the software industry. From operating systems to security software, the first-mover advantage due to network effects—the more people use a particular piece of software, the more valuable it becomes—has led to a “release first, patch later” approach. Should liability for companies that knowingly put out software with security holes be considered? It’s a dicey proposition on the face of it—but as The Economist puts it, public opinion and governments are unlikely to be accommodating the first time a self-driving car causes an accident owing to a security breach.
Data breach disclosure norms, with penalties for failing to disclose, are also important; they incentivise financial institutions to swiftly report cyberattacks instead of keeping mum to avoid reputation loss, regulatory intervention and liability. Many countries have such norms, but India does not. The RBI has mandated disclosure for banks, but deputy governor S.S. Mundra has admitted that many continue to suppress such information.
These are tricky issues. Going overboard with the regulatory burden and the negative effects of heavy-handed liability laws are both real dangers. But one thing is for certain: The tragedy of the commons dictates that companies and institutions will rarely expend the resources necessary for the collective security needed to protect the sector, until the right economic incentives are found.
Should liability be used to incentivise institutions and companies to focus more on cybersecurity? Tell us at firstname.lastname@example.org