Incentivising financial sector cybersecurity
- The government made public a report by the working group on setting up the Computer Emergency Response Team in the Financial Sector (Cert-Fin).
- RBI released guidelines on customer liability in case of unauthorized electronic banking transactions.
- These represent two different aspects of the cybersecurity problem: the technical framework and the economic framework.
- Push for a less-cash economy is increasing the digital density of India’s financial services space.
- Cyberattacks are getting more audacious.
- New Delhi’s response thus far has focused only on the technical aspects of the problem.
- There is a risk that Cert-Fin will become deadwood given that sectoral regulators RBI, SEBI and IRDA are already working on cybersecurity issues.
- So proper coordination across the sector is necessary.
- Companies and institutions will rarely expend the resources necessary for the collective security needed to protect the sector, until the right economic incentives are found.
No cybersecurity architecture can be foolproof. Why?
- In a complex system, attackers will always have the edge over defenders: the number of potential bugs and vulnerable points in any system means that the mathematical odds favour the attackers.
- No code can be perfect enough to compensate for human error.
- Example: a bank might have a robust cybersecurity architecture, but it will still be vulnerable if the systems of the other networks that carry pertinent information are not secure.
- In the software industry, the more people use a particular piece of software, the more valuable it becomes; this has led to a “release first, patch later” approach.
Guidelines on burden of proof. What are they?
- In the case of ATM fraud, the US, where the burden of proof lay with the banks, fared much better than Britain, Norway and the Netherlands, where the burden of proof lay with the customer.
- The RBI’s guidelines on customer liability are welcome in this context.
- Data breach disclosure norms, with penalties for failing to disclose, are important.
- They would incentivise financial institutions to swiftly report cyberattacks instead of keeping mum to avoid reputation loss, regulatory intervention and liability. Many countries have such norms, but India does not.
- Address issues such as regulatory burden and the negative effects of heavy-handed liability laws.