India's proposal to strengthen the financial ecosystem through formation of CERT-Fin is good news. But much more must be done to strengthen the financial sector's cyber defenses.
At a time of increased domestic and international cyber threats, this measure would certainly bring in higher protection to boost the confidence of consumers as the nation moves to broad digitization and an increasingly cashless economy.
"Before forming CERT-Fin, it's critical to take a close look at the role of the broader CERT-In, which, according to many industry leaders, has come up short in meeting its goal of protecting against cyber threats in all sectors"
The big challenge, however, is to work out a realistic framework for CERT-Fin's activities and carefully define its role in ensuring higher security for the financial sector.
Given the government's mission to set a target of 2500 crores worth of digital transactions for FY 2017-18 through modes such as Unified Payment Interface, Unstructured Supplementary Service Data-USSD, Aadhar Pay, IMPS and debit cards, CERT-Fin has a big role to play in securing transactions through stringent security controls.
Hurdles to Overcome
The new CERT-Fin, if approved by Parliament, will need to overcome several hurdles before it becomes functional.
Finance Minister Arun Jaitley says that CERT-Fin will work in tandem with all the financial sector regulators and other stakeholders. But this could be a big challenge.
Before forming CERT-Fin, it's critical to take a close look at the role of the broader CERT-In, which, according to many industry leaders, has come up short in meeting its goal of protecting against cyber threats in all sectors.
CERT-In, which is under the ministry of electronics and IT, focuses on garnering information about cyber threats and attacks from various organizations in both critical and non-critical sectors and providing advisories. The information sought, which is provided voluntarily, is analyzed and shared with the ministry whenever demanded to help track cybersecurity incidents in India.
But many cybersecurity experts say CERT-In has made inadequate progress in achieving its goals of helping protect India from cyber threats, building awareness of emerging threats and providing solutions for recovering from such attacks.
So it remains to be seen whether a new CERT-Fin could be more successful in focusing on protecting the financial sector against threats and fraud.
The banking industry faces the challenge of helping to define the exact role of CERT-Fin, considering that the RBI recently formed its new IT arm to prescribe cybersecurity policies for the sector. ReBIT will act as a think-tank for innovation and guide regulated entities - and RBI - on what needs to be done in the IT area of their operations. ReBit had already been putting its best foot forward to tackle cybersecurity related issues for the banking sector. But it's not yet clear whether Rebit will play a key role in forming CERT-Fin
CERT-Fin's Idealistic Role
Because cyberattacks in the financial sector, including account takeovers, business email compromises, distributed denial-of-service attacks and destructive malware, are expected to escalate, it's essential for CERT-Fin to enable financial firms to develop an even stronger community defense model. The new organization should provide an important resource to deliver deeper analysis, mitigate risks and encourage greater collaboration.
Considering the increasing interconnectedness of the financial services sector, CERT-Fin should focus on sharing of timely and actionable cyber information among financial institutions in building cyber resilience within the ecosystem.
The key focus should be to bolster the quality and timeliness of cyber threat intelligence received by financial institutions, strengthen cybersecurity risk management and response, as well as champion cybersecurity programs and initiatives in the sector. It must go far beyond just providing advisories.
The new CERT-Fin must execute effective polices and develop an effective incident response mechanism, which can be emulated by the organizations in the sector.
Also, CERT-Fin should provide the necessary thought leadership by providing deeper capabilities in cyber intelligence gathering and analysis and threat intelligence.
And the new group should prescribe policies and mandates for organizations to report breach incidents and guide them on taking necessary actions against breaches. This would really help in justifying its formation to combat new online frauds and threats.
But some security practitioners in the industry question if India really needs industry-specific CERTs, saying CERT-In could handle all issues pertaining to India's critical infrastructure. What do you think? Share your views in the space below.