In a move mirroring the FCA's approach and current focus on cybercrime risks, the Reserve Bank of India (RBI) has announced that it plans to extend its previous practice of conducting cyber audits for the bigger banks to ensure that it covers all banks regulated by it.
This follows a series of high-profile cybercrime attacks on Indian banks. Last year, the RBI increased its cyber security and IT audits to include 30 banks, and now it plans to cover all banks.
The RBI plans to allow time for banks which do not currently comply with its standards to put the necessary security measures in place before it looks to take any remedial action.
Cyber security is the ability to protect or defend the use of cyberspace from cyberattacks. Banks are vulnerable to cyberattacks because consumers are statistically more likely to be the victim of an attack involving an email purporting to be from a bank than one purporting to be from another industry. As banks continue to innovate and adopt new technologies, their exposure to cyber incidents and attacks increases.
Cyberattacks can have wide-ranging impacts on both customers and banks. Customers' information can be jeopardised, and access to customers' accounts can result in great losses to both the customer and the bank. Additionally, large cyberattacks can negatively affect the markets as a whole.
RBI's data shows that the number of cases related to cyber fraud within Indian banks has risen year on year since 2013, with over 16,000 cases in 2015-16, including incidents such as phishing attacks, website intrusions and defacements, damage to data, and ransomware attacks.
As a result, the RBI published guidelines in June 2016 on a Cyber Security Framework to ensure that banks are prepared for and are able to manage their risks effectively. This included a requirement to share information on cyber security incidents with the RBI with a view to assisting it to structure proactive threat identification and mitigation.
The FCA has a similar focus to the RBI's on reducing cyberattacks within financial services firms in the UK. Cyberattacks in the UK have followed a similar trend to those in India, with a 1,700% growth in attacks since 2014. The FCA is creating a 'security culture' which doesn't solely focus on IT systems, but also on responsibility and accountability by the personnel in firms. Taking a wider approach ensures that firms are able to have stronger cyberattack prevention strategies and will also better equip them to respond to a cyberattack in the event one occurs.
To mitigate the incident rate of cyberattacks within the UK, the FCA has produced a manual outlining key steps firms should take to enhance internal processes and establish a higher level of security. However, as IT systems become more complex, the likelihood of cyberattacks increases because there is increased scope for criminals to access customer accounts. Therefore, taking a risk-based approach and identifying the key assets to protect can assist in ensuring a bank prioritises the steps required to strengthen its prevention strategy.
Banks face possible sanction by the FCA if their systems and controls do not adequately mitigate the risks of a cyberattack. To avoid potential fines and a major disruption in business, all banks should ensure they review their current systems and controls, identify key assets needing enhanced protection, and implement the security measures and guidance published by the regulator. Implementing these controls will inevitably reduce the financial burden of rectifying such attacks and will provide customers and the market with confidence that their information is well protected and secured.