India Insights with Geetha Nandikotkur

Governance & Risk Management , Incident & Breach Response , Professional Certifications & Continuous Training

Financial Sector's Response Team Set to Tackle Cyber Wars

Will New CERT-Fin Fill its Role to Strengthen Cybersecurity?
Financial Sector's Response Team Set to Tackle Cyber Wars

India's proposal to strengthen the financial ecosystem through the formation of a computer emergency response team has resulted in action - the working group set up by the finance ministry has rolled out an exhaustive framework to prevent breach incidents. (See: Challenges in Building a CERT-Fin)

See Also: Restructuring Your Third-Party Risk Management Program

In January this year, you may recall, the finance ministry and financial sector regulatory heads decided that a Computer Emergency Response Team in the Financial Sector was essential to strengthen cybersecurity. Subsequently, finance minister Arun Jaitley announced this new group in his budget speech for 2017-18. (See: Separate Financial CERT Proposed: Will it Prove Effective? )

The working group just released its report with the design structure of CERT-Fin after deliberations with regulators and other stakeholders. Now in the public domain for discussions by the department of economic affairs, the deadline for submitting responses is 31 July. 

To many people's surprise, this didn't end up just an announcement; the ministry actually set up a working group with (See: Sanjay Bahl, DG, CERT-in, as chairperson in March this year to recommend measures for setting up CERT-Fin and its cybersecurity framework.

The working group just released its report with the design structure of CERT-Fin after deliberations with regulators and other stakeholders. Now in the public domain for discussions by the department of economic affairs, the deadline for submitting responses is 31 July.

The proposal was invoked by the government's mission to set a target of 2500 crores worth of digital transactions for FY 2017-18 through Unified Payment Interface, Unstructured Supplementary Service Data-USSD, Aadhar Pay, IMPS and debit cards. As proposed, CERT-Fin has a big role in securing transactions through stringent security controls.

And, of course, the government's drive toward a cashless economy has also increased vulnerabilities. The largest breach incident last year occurred after a malware injection in the systems of Hitachi Payment Services Pvt. Ltd, compromising about 3.2 million debit cards. Likewise, hackers infecting the servers of the Union Bank of India with malware helped fuel the move to have a CERT for the sector. (See: India's Cybersecurity Efforts: Too Much Redundancy? )

Structure of CERT-Fin

No stone is seemingly left unturned in designing CERT-Fin's structure, considering the increasing interconnectedness of the financial services sector with a key focus on bolstering the quality and timeliness of cyber threat intelligence received by financial institutions, strengthening cybersecurity risk management and response, and championing cybersecurity programs and initiatives in the sector.

The group recommends:

  • CERT-Fin act as an umbrella CERT for the financial sector and report to CERT-In at the national level in accordance with IT Act and Rules;
  • Subsectoral CERTs may be set up and housed in each of the financial sector regulators and below those, in major financial institutions, feeding information on real-time basis to the proposed CERT-Fin;
  • For smooth functioning, an MoU/legal arrangement in accordance with the Rules and IT Act clearly outlining the area of coverage/sharing protocol of proposed CERT-Fin and CERT-In, should be in place;
  • CERT-Fin should be an independent body to be set up as a company under Section 8 of the Companies Act, 2013 with a Governing Board. An Advisory Board may be set up for, inter-alia, providing strategic direction, review of performance and recommendations for allocation of budget/resources. It is necessary that during transition, RBI may act as the lead regulator in terms of setting up CERT-Fin.

Role Well Defined

It's heartening that the group is drawn on international best practices in defining the role, structure and constituency of CERT-Fin and funding arrangements.

The role includes:

  • Threat intelligence sharing among constituents;
  • Information collation and sharing on real-time basis;
  • 24/7 vulnerability assessment;
  • Conducting assessment/provision of response;
  • Bringing down rogue sites/apps;
  • Developing Standard for data protection (encryption, access rights etc.)
  • Analysis of incidents, response & policy suggestions for promoting cybersecurity.

The new report underlines the critical need to identify protected systems/critical infrastructure in the sector, for which CERT-Fin should play an important role along with sub-sectoral CERTs and NCIIPC.

Funding of CERT-Fin

The working group proposes that CERT-Fin be funded by all financial sector regulators. This may continue, say, for five years or so, till its maturity after which CERT-Fin can plan a feasible long-term self-reliant funding strategy following FS-ISAC, EFIISAC, ISAC-JP models.

RBI may act as a lead regulator, playing an active role in conceptualising, rolling out and steering CERT-Fin activities in the initial years as an incubator.

Cybersecurity: How Much is Enough?

The group recommends that CERT-Fin handle analysis of financial sector cyber incidents, understand patterns across financial sectors, envisage basic functions for CERT-Fin as delineated by the group, while reporting cybersecurity incidents to CERT-In. It also suggests that CERT-Fin create awareness on security issues through dissemination of information on its website and operate a 24x7 incidence response help desk.

But are organizations prepared to report breaches to any authority?

As Sriram Natarjan, COO at the business processing services firm Quatrro Processing Services, argues, "CERT-Fin's major task's to ensure breaches are reported by organisations and also help establish a transparent mechanism."

And the new group should prescribe policies and mandates for organizations to report breach incidents and guide them on necessary action against breaches. This, ultimately, would validate the group's formation.

About the Author

Geetha Nandikotkur

Geetha Nandikotkur

Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.