Cybersecurity in the Indian banking sector




The number of cyber security incidents has gradually increased in India over the last few years. Minister of State for Electronics and IT, Mr. PP Chaudhary, stated that as per the information collected by India’s Computer Emergency Response Team (CERT-In), 44,679, 49,455 and 50,362 cyber security incidents took place in India during the years 2014, 2015 and 2016, respectively. These incidents include phishing, website intrusions and defacements, virus and denial of service attacks, amongst others.


As per the ‘2016 Cost of Data Breach Study India’, the average total cost of a data breach paid by Indian companies increased by 9.5 percent, while the per capita cost increased by 8.7 percent and the average size of a breach grew by 8.1 percent. Although the government has taken certain cyber security initiatives as discussed below, more expansive and aggressive measures are required to meet the rising challenges.

Technologies and Threats are developing 

Using new communication channels is essential to serving clients better, but keeping pace with developing technologies and their associated risks is also a key challenge. Mobile phones and applications are prime examples of the balance between greater efficiency and new kinds of cyber risk. Some financial institutions struggle here, while others find ways to combine ease of use and security.

According to this report’s risk radar, which is based on our survey findings, phishing, botnets and mobile malware were rated among the most likely threats faced, and also among the ones with the greatest impact.

The Long Road Ahead

In the last quarter of 2015, RBI Governor Raghuram Rajan announced that the revenue arm of the government plans to set up an Information Technology (IT) subsidiary for monitoring and regulating internet-based services offered by banks in India. As we are moving towards a paperless banking system driven by dependence on IT, the subsidiary will help banks address issues on cyber security and evaluate the technological capabilities of banks. Staying ahead of cyber criminals is a prime concern for the Indian banking sector and for customers who are becoming more and more dependent on simplified digital banking experiences.

India has the second largest number of smartphone users in the world, and the internet acts as a catalyst in driving the growth of smartphone users in India. This has prompted sectors like banking and financial services to conduct rapid migration of their services to the internet and mobile platforms without fully comprehending the threats associated with them. Thus, they end up rendering themselves vulnerable to an array of cyber security threats.

Banking customers are frequent victims of internet-based frauds, phishing, vishing and other malware attacks. Irrespective of these threats, there is a continued interest and love for technology-backed innovations in banking and financial services, such as online banking and mobile banking, amongst others. The establishment of an IT subsidiary by RBI is a welcome step not only for the BFSI sector but also for IT security solutions providers like Quick Heal, as it will ensure better compliance with regulations to prevent data theft and to check financial fraud.

The setting up of an IT subsidiary is not the first attempt RBI has made to address vulnerability issues that come with digitization of the banking sector. In 2010, the RBI had set up a working group in order to ensure a minimum standard of cyber safety norms for the BFSI sector. In 2011, the RBI released the Information Technology Vision Document 2011-2017, which focused on the growing menace of cyber security attacks and reiterated its commitment to mitigating IT fraud in the banking sector. In spite of the best possible intentions of the RBI to combat cyber-attacks and to ensure transparency at all levels of banking operations, Indian banks have been finding it hard to handle the magnitude of cyber-attacks.


The Centre offers the following security and protective tools:

  1. “USB Pratirodh” was also launched by the government. Union IT and Electronics Minister Ravi Shankar Prasad states that it is aimed at controlling the unauthorised usage of removable USB storage media devices like pen drives, external hard drives and USB-supported mass storage devices.
  2. An app called “Samvid” was also introduced. It is a desktop-based application whitelisting solution for the Windows operating system. It allows only a preapproved set of executable files to run and prevents suspicious applications from running on desktops.
  3. M-Kavach, a tool for the security of Android mobile devices, has also been developed. It provides protection against issues related to malware that steals personal data and credentials, misuse of Wi-Fi and Bluetooth resources, lost or stolen mobile devices, spam SMSs, premium-rate SMS and unwanted or unsolicited incoming calls.
  4. Browser JSGuard is a browser extension that detects and defends against malicious HTML and JavaScript attacks made through the web browser, based on heuristics. It alerts the user when he visits malicious web pages and provides a detailed threat analysis report of the web page.

Experts also suggest that the most effective ways to move forward with digitisation in order to ensure banks remain completely secure include the embracing of crypto-currencies and blockchain technology. Further, the Information Technology Act, 2000 is also ripe for a complete overhaul to counter the increased security risks in a cashless economy. These measures, of course, must also be accompanied by attempts to ensure widespread consumer education and awareness.

International Cooperation Initiatives

Information sharing and cooperation is an explicit strategy under the 2013 Policy. Consequently, as an answer to the increasingly international nature of cyber crime, the Indian government has entered into cyber security collaborations with countries such as the USA, European Union and Malaysia. The U.K. has agreed to assist in developing the proposed National Cyber Crime Coordination Centre in India. The shared principles of the U.S.-India Cyber Relationship Framework provide for the recognition of the leading role for governments in cyber security matters relating to national security; a recognition of the importance of, and a shared commitment to cooperate in, capacity building in cyber security and cyber security research and development; and a desire to cooperate in strengthening the security and resilience of critical information infrastructure.

IT Act with regard to the Indian Banking Sector

Section 43A of the IT Act provides for compensation in the event that a company fails to use reasonable security practices and procedures in order to protect sensitive personal data and such negligence results in a wrongful gain or loss. However, the statute provides for compensation only when a wrongful gain or loss results from the failure to observe reasonable security practices and procedures. It can be argued that this is nothing more than a codification of the law of negligence.

This means that no negative consequence arises from the failure to observe reasonable security practices and procedures. Further, the IT Act defines ‘reasonable security practices and procedures’ as procedures stated by a law in force or as agreed by the parties and, in the absence of both, the rules framed by the government.

Penalty for Offences

Section 72 of the IT Act provides for a criminal penalty where a government official discloses records and information accessed in the course of his or her duties without the consent of the concerned person, unless permitted by other laws. The penalty prescribed is imprisonment of up to two years, a fine of up to Rs 100,000 or both.

Section 72A of the IT Act provides for a criminal penalty where in the course of performing a contract, a service provider discloses personal information without the data subject’s consent or in breach of a lawful contract and with the knowledge that he or she will cause or is likely to cause wrongful loss or gain. The punishment prescribed is imprisonment of up to three years, a fine of up to Rs 500,000 or both.

To conclude, we can say that the areas of cooperation provide, inter alia, that both countries agree to share and implement cybersecurity best practices, share cyber threat information on a real-time basis, develop joint mechanisms to mitigate cyberthreats, promote cooperation between law enforcement agencies and improve their capacity through joint training programs, encourage collaboration in the field of cybersecurity research, and strengthen critical Internet infrastructure in India.


In November 2014, Rs. 800 crore out of the 1,000 crore allotted to improve Indian cyber security would be utilised for NCCC purposes. However, establishing an NCCC-like body would require compliance with and adherence to international privacy law standards. It is hoped that the Government’s initiatives can keep pace with the rapidly changing nature of cyber attacks.