Do the current fintech companies in India have good enough data security?4 min read . Updated: 19 Mar 2018, 01:13 AM IST
Adoption of digital services is growing even as many consumers are unaware of the risks. Experts say much more needs to be done, and that customers too have to do their bit
The spread of digital services is widening but consumers are not fully aware of the associated risks. Some experts talk about where Indian fintech stands on consumer data security and privacy
Tanuj Bhojwani, venture capitalist, Bharat Innovation Fund, and core volunteer, iSpirt
There are many types of fintechs at different levels of maturity, and their security practices vary. Currently, we depend on these companies’ fear of reputation loss, and in some cases, threat of regulations, to keep our data safe. But all of these measures are equivalent to a slap on the wrist. We must first push for a data protection law that gives us the freedom to transact with our data and holds corporations responsible for harms coming from bad security. Consumers should worry, but not to the point of paranoia. The current narrative around security has become prime-time ‘breaking news’ and we know how issues are treated there. Follow best practices to keep online identities and data safe. Use a password manager to generate and store passwords. It helps create stronger passwords. Don’t give more permissions or information (to apps or websites) than needed. Hackers can create near-identical copies of popular websites. Look for trusted sites That show a green lock icon on web browsers.
Sanjay Katkar, joint MD and CTO, Quick Heal Technologies Ltd
The financial industry stores sensitive consumer data which attracts cybercriminals. Fintech is a relatively new space and data security is still at a nascent stage. There is a significant lack of resources to address data protection. Also, the BYOD (bring your own device) policy, which allows employees to use their personal devices at work, raises several questions about data security.
Fintech firms need to enforce security in development lifecycle at the design and architecture stage by identifying various threat models and ensuring enough mechanism to mitigate them. They must have a robust data security policy in place which outlines the procedure and designates responsibilities for ensuring complete privacy of consumer information. This should include strong password policy, investment in the right IT security solutions like endpoint security, data loss prevention (DLP) and encryption, regular data backups, employee awareness programmes, and a comprehensive action plan to counteract data breach incidents. On the regulatory front, the government should work on a strong data protection framework similar to Europe’s General Data Protection Regulation (GDPR) which comes into effect in May 2018. The regulation carries provisions that require businesses to protect their customers’ data and privacy. Consumers should stay alert and start treating their data security as a necessity and not as an afterthought.
Murari Sridharan, chief technology officer, BankBazaar.com
Whether you are a company or a an individual consumer, you should assume that your data is at risk and take appropriate precautions. The challenge isn’t insurmountable if you go back to the basics.
Companies should have a clear, well-documented information security policy, and a process to go along with it. They should conduct periodic internal and external audits. There are several forms of defence. Data analytics can be handy as one can look for odd patterns while mining data.
Once vulnerability or a process gap is found, the issue must be immediately fixed. A well-documented and implemented partner, vendor, employee on-boarding and exit process is also a must.
For a customer, it is imperative to create backups for personal data. They should educate themselves about the apps, products, and companies they use and make sure that the recommended privacy settings are in place. They should demand data safety. In an increasingly all-digital world, being well informed about data protection and user rights is necessary.
We are at an interesting juncture. As India frames its data protection laws, all stakeholders must come together to create an ecosystem where the customer is at the centre and in charge of her data and the companies provide value added services in exchange for that customer data, which is held in accordance with all the data protection practices.
Amit Jaju, partner and head of forensic technology, EY India
Demonetization and Aadhaar-based eKYC have fuelled rapid adoption of fintech solutions and services. This has brought about immense pressure on fintech companies to not only manage huge volumes but also to protect themselves and customers from cyber risks. They have invested significantly in protection from cyber security risks, but such risks continue to evolve. The present environment requires fintech companies to interact and exchange information with external parties in realtime. This makes it difficult to detect and respond to risks that may originate from authorised channels and third-parties involved in the facilitation of transactions. Further, services are offered to customers over mobile and computers, which are traditionally less secure, though mobile phones offer security solutions such as biometric authentication. Phishing, malware, social engineering and unauthorized device access continue to be the top risks for fintech channels. These risks can be reduced by improving the design and security aspects at technology level but 100% effectiveness cannot be achieved unless customers know the dos and don’ts. Presently, the focus is to push for KYC and Aadhaar linking of accounts, and this may in some cases push additional cybersecurity initiatives to a lower priority. Customers must read the guidance provided and follow basic security hygiene.