The multi-million dollar banking frauds and card breaches in India in the last year are proof of inadequate security and the lack of a thorough audit mechanism.
It appears that many banks in the region carry out audits of systems in silos and don't adequately check the processes that span multiple stakeholders.
Given the increased sophistication in cyberattacks and threats, banks need to ensure thorough audits are carried out across functions and not consider them as unavoidable overhead. Bridging the people, process and technology gaps with intensive audits and security measures is essential.
When the Reserve Bank of India says that the $1.8 billion fraud in the state-run Punjab National Bank was due to delinquent behavior by one or more PNB employees and the failure of internal controls, it indicates that the bank apparently lacked effective auditing mechanisms for internal risks.
The scope of security and IT risk auditing must go far beyond a focus on compliance.
"Most often, banks consider security audits an unavoidable overhead and want to minimize the cost, resulting in compromising the scope, quality and cost," says Dr. Rakesh Goyal, CEO of Sysman Technologies, a CERT-In empanelled auditor. The result? Data breaches owing to vulnerabilities that are never addressed.
While banks conduct periodic audits, many apparently fail to use best practices and primarily aim at ticking the checklist prescribed by the audit company. Some security practitioners argue that the current approach to auditing banks' security practices fails to comply with international best practices that the U.S. National Institute of Standards and Technology recommends.
Mani Kant Singh R., chief technology officer and CISO at Orbis Financial Corporation Ltd., says that audits should size up the measures banks are taking to mitigate insider threats and evaluate whether they're adequate.
Banks that don't conduct audits on their own rely on external consultants. According to industry estimates, there are about 54 CERT-In empanelled auditors who are conducting the banking audits, a number that some say is far too small to meet the banking industry's needs.
Too often, says Ashok Agarwal, head of audit at DCB Banks, audits fail to cover legacy applications, which often have vulnerabilities.
Cyber fraud investigator Anil Chiplunkar, founder of InfoCounselors, notes: "Multiple areas must be looked at, like processes and practices, technology and people. A majority of big banks, and a few smaller ones, have the controls designed and implemented from the processes, systems and technology perspective. But there's a gap in people-related controls, which are missing as part of the audit mechanism."
Stronger Security, Audit Controls
Although many large and midsize banks follow COBIT, ISO, ITIL and Basel II standards for audits, too often they focus on compliance but miss out on big-picture security.
RBI is making a good move in compelling banks to strengthen their audit controls and beef up security.
The regulator has formed an expert committee under the chairmanship of Y.H. Malegam, a former member of RBI's central board of directors, to look into the factors leading to increased fraud and pinpoint the measures needed to curb and prevent it.
The committee will also assess the role and effectiveness of various types of audits conducted at banks in mitigating the incidence of breaches and fraud, says Jose J. Kattoor, RBI's chief general manager.
Goyal says that banks need to emphasize scrutiny of IT and cybersecurity measures as part of their audits.
Senior skilled professionals should conduct all audits, Chiplunkar stresses, so that audits can pinpoint emerging security issues.
Indeed, banks need to be more aggressive in ensuring that their auditors are well-qualified and doing a thorough job. Otherwise, fraud and breaches will continue to grow.