Complying with IT Security Guidelines

May 6, 2020


The world is undergoing a digital revolution, and its effects have become crucial to the very functioning of society. But while this digital connectivity has given rise to newer heights and incredible developments, it is also paving way for newer vulnerabilities and security loopholes that cybercriminals breed into. The global threat landscape is evolving at a robust pace, with cybercriminals and threat actors leveraging advanced technological tools such as AI, ML, and Big Data to target individuals, enterprises, and governments, across the world at a phenomenal speed and scale. To put this into perspective, Cybersecurity Ventures projects that cybercrimes will cost the world in excess of USD 6 trillion annually by the year 2021.

The situation is grave but unfortunately, the awareness remains minimal. Even when updated with the latest developments in the cybersecurity domain, users across multiple geographies do not possess a complete understanding of impact of threats. For instance, according to Trustwave, only 28% of businesses deploying IoT technology consider strategizing about security as ‘very important’. Moreover, cybersecurity in India itself constitutes less than 10% of the overall enterprise expenditures, and this is way below than global standards. Considering how the average cost of a cyber attack is USD 5 million (source: Ponemon), it has become an imperative not just for players in the domain but for governments as well, to drive true awareness about the threats, and the importance of cybersecurity among individuals as well as enterprises.

The Reserve Bank of India (RBI) has been taking a proactive approach towards making a compliance framework that takes into consideration the changing cyber threat landscape, that traditional as well as new-age digital financial institutions across the country face. For instance, the IT Governance proposes to lay emphasis on holding the board of directors and the executive management accountable for IT risk management in order to ensure that the organization’s IT security sustains amidst the structure.  The governance also requires that these financial institutions regularly undergo RBI IS Audits to understand and mitigate the risks associated with their IT infrastructure.

The increasing adoption of technology in the financial services sector of India has led to the complexities within the IT environment. To tackle this, Internal Control framework is implemented by the banks and NBFCs, which is based on the various standards, control requirements and RBI guidelines. For assurance on the effectiveness of these controls, financial institutions and RBI perform the IS Audits. These audits provide the independent view on the management of IT risks. Since the key processes in banks, NBFCs and other financial institutions are getting automated, it has become a necessity to check the effectiveness of the IT framework on which these processes rest. The scope of IS Audit includes determination of effectiveness of planning IT activities, evaluation of operating processes and internal controls, determination of compliance efforts with respect to IT policies, identification of gaps in internal controls, recommendation of corrective actions and effective implementation of required actions by the management. In essence, as we continue furthering and striving towards achieving both our vision of ‘Digital India’ as well as true financial inclusion, the need to back it by a robust cybersecurity framework is severe. And creating an exemplary culture of cybersecurity involves a lot beyond merely generating awareness or implementing a comprehensive strategy. It also goes on to include complying with the various regulations applicable, applying relevant policies that cover all the devices connected, and ensuring proper adoption and implementation throughout the organization. The need of the hour for banks, NBFCs, and fintech companies is to become aware of the security threats they face, adopt a multi-layered approach to business operations that prioritizes security, and comply with applicable standards and regulations to truly strengthen their internal cybersecurity framework.

Disclaimer: The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of DLAI and DLAI does not assume any responsibility or liability for the same