Thanks to globalization, the world has become a global village. Digital technology has interconnected and enmeshed the world economies, cultures and populations. With over 400 million internet users as of 2018, India has the second-largest internet population in the world. The greater connectivity, while a boon to world economies, has its downside as well. Our digital societies have become more vulnerable to cyber-crimes, which transcend borders and geographies and have also managed to keep pace with emerging technologies. In simple terms, “Cyber Crimes” are crimes that involve a computer and a network.
With the increase in the number of people using the internet and mobile banking, cyber crime has been growing steadily over the years. Cyber Crime incidents include, but are not limited to, credit card frauds, spamming, spoofing, e-money laundering, ATM frauds, phishing, identity theft and denial of service.
India recorded 21,796 cyber crimes in 2017, an increase of 77% from 2016. In 2018, the number rose further to 27,250. The real numbers could have been much higher due to lack of awareness about cyber crimes or mechanisms to classify them. Of the cyber crimes reported, most cases were recorded under ATM fraud, followed by online banking fraud. Karnataka and Maharashtra recorded the highest number of cases.
According to a report by leading cybersecurity provider Kaspersky, criminals have been carrying out targeted attacks on financial institutions like banks. The prime targets are small banks, and targeted ransomware attacks on banks are likely to rise in 2020, according to the report. A method known as “JS Skimming”, which uses malware to capture the card details entered on the websites of e-commerce firms like Amazon, is also on the rise.
According to Rakesh Kharwal, MD, Cyberbit India, “Because of the enormous reserve of cash and consumer data, the banking industry is the top target for cybersecurity criminals. The repercussions of a data breach on the sector can be very severe including the threat of financial losses, regulatory consequences, and reputational damage”.
This raises the question of whether banks are fully prepared to combat the threat of cyber crimes.
Digital transformation and the adoption of new technologies help the banking industry serve its customers better. These are not unmixed blessings, however, and bring new challenges for banks in their wake. The banking industry spends a huge budget on cybersecurity systems and on maintaining a robust IT infrastructure. Even so, cyber criminals keep finding new ways of hacking into the systems of banks.
Fears of a major cyber attack on banks have been rising since hackers successfully stole nearly USD 100 million from Bangladesh’s central bank in February 2016. Shortly after that incident, Russian central bank officials disclosed that hackers stole more than USD 31 million (two billion roubles) from the country’s central bank and commercial banks. Similarly, Union Bank of India became the victim of an attack in July 2016. Cyber thieves stole nearly USD 171 million from its Nostro account. The attackers reportedly gained entry through spearphishing with spoofed RBI IDs.
About USD 2 million was stolen from City Union Bank accounts in February 2018 after a cyber attack compromised the SWIFT messaging system, with payment instructions being sent to other banks in multiple jurisdictions. The bank detected the transactions while reconciling accounts and has recovered about half the money.
In August 2018, two men from Navi Mumbai were arrested for cyber crime. They were involved in fraudulent money transfers from the bank accounts of numerous individuals, having obtained the victims’ SIM card information through illegal means. In July 2018, fraudsters hacked into Canara Bank ATM servers and wiped off almost 20 lakh rupees from different bank accounts. The number of victims was over 50, and the fraudsters were believed to be holding the account details of more than 300 ATM users across India. The hackers used skimming devices on ATMs to steal the information of debit cardholders and made transactions of a minimum of INR 10,000 and a maximum of INR 40,000 per account. Fraudsters launched a cyber attack and siphoned off INR 94.42 crores (USD 13.2 million) from Cosmos Bank, a Pune-based bank, on August 13 and 15, 2019.
According to a recent report titled “Emerging trends and challenges in cybersecurity” by Reserve Bank Information Technology Private Limited (ReBIT), some of the systemic challenges to cybersecurity in India are the following:
Measuring and following cybersecurity guidelines is very important for the banking industry, since banks hold confidential and important customer data such as account details, card details and online login credentials. Any mishap will damage banks not only financially but also reputationally.
According to the Economic Times, strong customer data privacy protection norms and stringent penalties for infringement have been responsible for robust cybersecurity arrangements by banks in most OECD countries. For example, the General Data Protection Regulation (GDPR) in the EU imposes a penalty of up to EUR 20 million, or up to 4% of the annual worldwide turnover, for violation of norms.
Data privacy norms in India are far less stringent than GDPR. Also, the predominance of public sector banks (PSBs) creates the impression of an implicit sovereign guarantee against the failure of such banks. This reduces the threat of reputational loss to PSBs from cyber attacks. The severe implications of a cyber breach also seem to be lost on a large number of bank managements. These factors could have created a relaxed attitude among banks to cyber-risk management. With better cyber-risk preparedness in OECD countries, hackers are increasingly focusing on vulnerabilities in emerging-market countries. This can create existential problems for Indian banks. For example, the money siphoned off from Cosmos Bank is 14 times the bank’s FY18 profit.
However, all this seems to be changing, with the regulator taking the lead in nudging the banks towards having a board-approved robust cyber-risk management system. Even here, there seems to be a divergence in the approaches of PSBs versus private sector banks. Even among private sector banks, many of the “old” private sector banks appear to be better prepared than their larger peers.
Indian banks seem to focus more on identifying and preventing cyber attacks than on breach detection, crisis management in the immediate aftermath of detection, and corrective measures. As the examples of major global banks including Bank of America, Citi, JP Morgan Chase and Wells Fargo suggest, a cyber breach is a near certainty for banks, irrespective of their cyber investment, preparedness and management. Quick breach detection and appropriate corrective actions decide the impact of such incidents on banks. It is high time that Indian banks woke up to the harsh cyber realities.