India Insights with Geetha Nandikotkur

Breach Notification, Security Operations

India's Banks Making Progress on Breach Notification

Actions by RBI Serving as a Catalyst, But More Needs to Be Done

Although India lacks a national mandate that all data breaches must be reported to authorities and victims notified, some larger banks have, nevertheless, been reporting breaches to the Reserve Bank of India. That's a hopeful sign.

Now, let's hope nationalized banks and smaller banks will follow so that breaches in the financial services sector will be more routinely reported to RBI.

The banking sector can lead the way in a movement toward more transparency about data breaches in all of India's business sectors. 

In the meantime, the RBI needs to extend technical and operational support and also have a mechanism to establish and retain customer confidence and ensure that banks that report a breach do not lose their reputation.

This will help banks establish a culture of reporting breach incidents while we continue to await a national breach notification mandate.

Why Are They Reporting Breaches?

One catalyst for more banks reporting breaches to the RBI is the central bank's recent draft circular on customer protection, limiting liability of bank customers in unauthorised electronic banking transactions.

If there's any fraud in the banking transaction, the liability generally lies with the banks and not the customer, the draft states. This has led more banks to notify the RBI of breaches, knowing that consumers won't fear losses due to fraud.

The RBI's draft stated that customers will not be liable:

  • Where fraud is due to bank negligence;
  • In the case of a third-party breach where the customer notifies the bank within three working days of receiving communication from the bank regarding an unauthorized transaction.

Another reason for banks opting to report breaches could be that the RBI now has a dedicated team to work on curtailing fraud and conducting periodic checks on the banks to ensure they have appropriate controls in place.

S. S. Mundra, the RBI's deputy governor, stated during a recent media conference that as a result of increasing concern about cybersecurity, the RBI started inspecting a few banks separately on cybersecurity last year to ensure they have appropriate controls in place. "This year, the coverage's being expanded to more than 30 banks; we intend to cover each bank," Mundra said.

Also, in June, the RBI issued new guidelines to scheduled banks (private, foreign and nationalised banks listed in the schedule of RBI Act, 1934), directing them to devise cybersecurity policies distinct from their institutions' IT security policies.

The RBI has advised banks to put in place a cybersecurity policy approved by their board that contains an appropriate approach to combat cyber threats.

Breaches Reported

Among the banks that have informed the regulator about cyberattacks in the last three months are Canara Bank, Axis Bank and Union Bank of India. Also, State Bank of India announced that it was reissuing more than 600,000 debit cards because of a potential security breach.

This October, Axis Bank reported that it was contacted by an engineer from the Moscow-based Kaspersky anti-virus firm who told the bank he'd discovered a bug in Axis' system while carrying out a separate probe.

In August, the Canara Bank site was defaced by a Pakistani hacker who tried to block e-payments by inserting a malicious page. The bank immediately reported this to the RBI. It also filed a first information report with the cybercrime police.

And in July, Union Bank of India declared that a breach at one of its nostro accounts had been quickly detected and attackers' attempts to transfer funds from that account were foiled.

Challenges Remain

Banks still have work to do when it comes to detecting breaches early and taking alerts seriously.

The RBI's Mundra acknowledges that it's challenging for many banks to detect symptoms of an attack except through a service provider because banks lack staff with security expertise.

While we wait for a national law mandating breach notification, the RBI must continue to help banks prevent and detect attacks, which will, in turn, lead to more banks reporting breaches.

The regulator also should consider establishing a centralised monitoring system (maybe outsourced) for banks to monitor signs of attacks on critical infrastructure in real time.

About the Author

Geetha Nandikotkur

Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
