Key Takeaways
Globally, banks have installed multiple disparate technology solutions over the years, and integrating them into a unified data standard, along with effective cybersecurity and data governance, has proven elusive. This fragmentation lies at the heart of many challenges within the Indian banking system and remains a persistent regulatory concern.
In today’s digital landscape, where money is essentially represented as bytes of data, ensuring robust data governance is essential to maintaining trust in the banking sector. This is why there is regulatory urgency to push banks towards enhanced technological governance and continuous upgrading of standards. This, however, is an area where the sector has consistently lagged behind regulatory expectations.
Building cyber resilience in Indian banking is no longer a strategic project; it has become an urgent necessity that has been delayed for far too long, leading to a potentially chaotic situation. As cyber threats continue to evolve in both sophistication and frequency, the failure to prioritise cybersecurity exposes banks to significant risks that can undermine customer trust and financial stability.
The ongoing reliance on outdated systems and reactive measures illustrates a concerning lack of proactive engagement from leadership. At a time when digital transactions are becoming the norm, the absence of robust cyber resilience strategies not only jeopardises the banks themselves but also places the broader financial ecosystem at risk, making immediate action imperative.
While the Reserve Bank of India (RBI) has been increasing its scrutiny of regulated entities, it appears to be handling them with a soft touch. In April 2024, the RBI took action against Kotak Mahindra Bank, barring it from onboarding new customers through online and mobile banking channels.
“Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch, and change management, user access management, vendor risk management, data security, and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc. For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under Regulatory guidelines,” the RBI noted in relation to Kotak Mahindra Bank.
In October 2023, the RBI levied a Rs 5.39 crore fine on Paytm Payments Bank for not complying with RBI guidelines related to Know-Your-Customer (KYC) norms and for not reporting incidents of cyber security breaches in time. Even earlier, in December 2020, the central bank temporarily stopped HDFC Bank from launching new digital banking initiatives and issuing new credit cards after taking a serious view of service outages over the preceding two years.
This presents a Hobson’s choice—if the RBI becomes stricter than it currently is with its Regulated Entities (REs) that fail to meet cybersecurity standards, we might see quite a few sector participants temporarily shutting down as they will almost certainly struggle to keep pace with regulations. Nonetheless, stringent enforcement is necessary to ensure that all banks (as well as other regulated financial entities) are equipped to handle the evolving cyber threat landscape, thereby safeguarding consumer trust and the stability of the financial system.
After all, consumer trust in the digital age is fragile, and in banking, it is built not on promises but on the strength of cyber resilience. Without robust cybersecurity, even the most established financial institutions stand on shaky ground, risking both stability and reputation.
The RBI’s mandate is a call to banks: evolve or face the inevitable collapse of trust in an increasingly digital financial ecosystem. According to the RBI's Financial Stability Report, the financial sector has experienced over 20,000 cyberattacks in the past 20 years, resulting in losses totalling $20 billion. A December 2023 report by the Data Security Council of India found that 25% of these attacks in India stem from clicking on malicious links in emails and websites.
Additionally, 69% of cyberattacks on financial institutions were reported by scheduled commercial banks (SCBs), 19% by urban co-operative banks, and 12% by non-banking finance companies (NBFCs). The current annual estimated loss is over Rs 10,000 crore. These figures underscore the urgency for a fortified cybersecurity framework that can withstand the evolving threat landscape.
For banks, the primary stakeholders, the mandate is clear: they must invest significantly in advanced cybersecurity technologies and strategies. This includes deploying artificial intelligence and machine learning to detect anomalies in real time, employing robust encryption methods, and ensuring multi-factor authentication across all digital channels. Banks must also prioritise regular security audits and vulnerability assessments to identify and rectify potential weaknesses before they can be exploited.
While the increase in insurance coverage by nearly 8% in 2023-24 is beneficial for banks, it does not address trust issues and consumer data governance. Cyber insurance claims by banks rose to over 50% in 2022-23, up from 40% the previous year. However, Bank Boards must take an active role in addressing these concerns, rather than being mere listeners.
Infographics by Sharath Ravishankar.
Technology alone is insufficient here. Banks must cultivate a culture of cyber awareness among their employees and redesign their processes, most of which are still traditional brick-and-mortar, to be digital-native. Regular training sessions, not just mandatory checkbox ones, on cybersecurity best practices, phishing awareness, and incident response protocols are crucial. A well-informed workforce serves as the first line of defence against cyber threats. Furthermore, banks should establish clear protocols for responding to cyber incidents, ensuring that all employees know their roles in the event of a breach.
In many banks, the prevailing organisational culture views technology as an internal vendor or support function, rather than recognising that digital transformation is essential for modern banking. This mindset reflects a significant failure of Bank Boards to foster a consumer-centric culture. If technology were prioritised as a strategic investment rather than a compliance-driven necessity, digital initiatives would be the first consideration in decision-making processes. Instead, banks often find themselves merely reacting to regulatory demands rather than proactively leveraging technology to enhance customer experiences and drive innovation.
Regulators, particularly the RBI, play a pivotal role in this ecosystem. The RBI has made commendable strides with guidelines such as the Cyber Security Framework for Banks, mandating banks to establish robust cyber defences.
The framework outlines key guidelines aimed at enhancing the cybersecurity of the Indian banking sector and requires banks to establish a robust governance framework by creating dedicated cybersecurity cells, involving senior management, and regularly reviewing security policies.
Banks are required to implement risk-based approaches, ensuring systems are protected against evolving cyber threats. Specific measures, such as real-time monitoring, data encryption, secure configurations, and stringent access controls, are emphasised. Additionally, banks must conduct regular vulnerability assessments, penetration testing, and cyber incident response exercises.
The framework also highlights the need for timely reporting of cyber incidents to the RBI and fostering continuous collaboration with industry-wide threat intelligence platforms to share information and best practices.
However, as threats evolve, so must the central bank’s regulation and supervisory actions. The RBI needs to continually update its guidelines, incorporating global best practices and addressing emerging threats like quantum computing and deepfake technology. Regular compliance checks and stringent penalties for non-compliance will ensure that banks adhere to these standards rigorously.
Customers, the end beneficiaries of banking services, also have a role to play in building cyber resilience. Financial literacy programmes should incorporate modules on cybersecurity awareness, teaching customers to recognise phishing attempts, use strong passwords, change them regularly, and secure their personal devices.
Banks should engage with their customers regularly, providing them with updates on potential threats and tips on staying safe online. Empowered customers can significantly reduce the success rate of cyberattacks targeting them directly. Even these basic steps are not followed by much of the RE ecosystem.
Additionally, the government’s role cannot be overlooked. National policies and frameworks that support cybersecurity in the banking sector are vital. The establishment of the National Cyber Coordination Centre (NCCC) and initiatives under the Digital India program are steps in the right direction. However, more targeted efforts, such as subsidies for cybersecurity investments and incentives for research and development in cybersecurity technologies, could further bolster the sector's defences.
The private sector, including cybersecurity firms and technology providers, must also step up. Innovations in cybersecurity technologies must keep pace with the evolving threat landscape. According to a recent Cisco report, only 4% of companies in India have achieved a "mature" level of readiness to manage cybersecurity risks (admittedly, the global rate is just 3%). The report, part of the 2024 Cybersecurity Readiness Index, indicates that 37% of Indian companies are at the "progressive" stage, 52% are classified as "formative", and 7% are considered "beginners". This comes at a critical time, with organisations facing a wide array of cyber threats, including phishing, ransomware, supply chain attacks, and social engineering tactics.
But while sending a stronger message across all sectors for proactive cyber governance is important, this is especially critical in the financial sector, where consumer trust is at stake. With a coordinated and proactive approach, the Indian banking sector can fortify itself against the ever-present threat of cyberattacks, ensuring stability and trust in the financial system.