Security Scenario in BFSI sector in India

By Dinesh Pillai, CEO, Mahindra Special Services Group
Banking as a business involves the management of risk. While much has been said about financial risks, the risks arising from the large-scale implementation of technology have been rising over the last few years; unfortunately, to remain competitive, banks have no choice but to rely on large-scale use of technology for their normal day-to-day business. Security in banks, both physical and information security, has thus assumed a significant position, as a lapse can affect the reputational risk of a financial organisation. The onset of the digital age has had a transformative effect on economic and social interaction, and one landscape on which the impact has been most notable is the financial sector, and the banking sector in particular.

Enhancing customer experience and trust has been the constant endeavour of financial institutions and banks across the world. Today there is a plethora of opportunities for a better customer experience. Digital avenues of interaction such as the internet, mobile phones and tablets have drawn customers away from traditional channels such as branches and ATMs. While this presents huge potential for improving both the reach and the quality of engagement, it also brings other challenges: security risks, fraud, cybercrime and many more. Over the past few years, cyber criminals have been constantly developing new and increasingly sophisticated tactics and deploying them quickly throughout their networks. They are now going beyond the more common security threats that banks and other financial institutions are aware of, such as phishing, spyware and adware, viruses, trojans and keyloggers.

As banks become more involved in technology outsourcing, they face significant challenges in managing the risks associated with third-party technology service providers. When partnering with a security vendor it is essential to look at a number of elements, including vendor reputation, reliability, scalability and, most importantly, security. A bank must conduct adequate due diligence to identify and select a competent and reputed partner who can not only support the current requirements based on ISO 27001, but also go beyond ISO 27001 by having provisions and a vision for innovation to keep pace with a threat landscape that continues to evolve over time.

At Mahindra SSG we offer risk assessments, advise on and implement risk mitigation frameworks, and provide positive assurance on governance and compliance.

For the BFSI sector in India, we offer an integrated solution that includes an Information Security Management System, Technology & Baseline Hardening, and Electronic Counter-Surveillance & Change Management. Mahindra SSG believes in mapping the organization's risk profile by analysing business processes, technology infrastructure and people's awareness levels. Based on the risk profiling, Mahindra SSG designs the Information Security Framework, which mainly consists of policies, procedures and the necessary controls to bring the risk exposure to an acceptable level. The sensitization process starts with the organization's leaders, since what leaders do, others follow. When leaders are sensitized it becomes easier to drive the awareness initiative to the rank and file and to third-party personnel, creating the change in cultural ethos needed for successful implementation of the security program.

Mahindra SSG has grown to be one of the leading corporate security risk consulting firms in India and over the past years has been instrumental in enabling over 250 major corporate clients to secure their people, assets, information and reputation. The company's distinctiveness lies in its 'People-Centric' approach, endorsed by clients across scores of implementations. Headquartered in Mumbai, India, the company has a presence in major cities and the capability to operate out of several global locations.

In India, due to high mobile density, the potential of mobile and online banking as a delivery channel, in particular for financial and banking services, is unrivalled. However, mobile banking has not picked up in a big way due to constraints of mobile number registration, user authentication, user interface, etc. This is, however, fast changing. According to Reserve Bank of India data, the volume of mobile banking transactions has risen from around Rs. 1,819 crore in 2011-12 to approximately Rs. 1,01,851 crore in 2014-15, indicating a growing acceptance of online and mobile banking in India.

A few essential security tips for consumers to remember:
1) Password-protect your smart device and laptop as well as your banking application. Never store usernames and passwords on your mobile device
2) Install adequate antivirus software
3) Adopt safe practices, such as not opening attachments or clicking on links in emails received from unfamiliar sources
4) Never respond to text messages requesting personal information, such as Social Security numbers, credit/debit/ATM card numbers, and account numbers
5) Check your online statements regularly and immediately notify the bank of any unauthorized transactions

With online data theft increasing, cyber insurance is in demand by corporates globally as well as in India. Privacy breach liability, cyber extortion, business interruption losses, liability from multimedia and public relations costs, legal expenses and data theft liability are some of the elements covered under cyber insurance. According to data obtained under the Right to Information Act, domestic banks lost Rs. 17,284 crore on account of fraud in 2012-13.

As India goes digital and e-Commerce takes off, many leading banks and financial institutions are opting for Cyber Insurance.

Over the past few years, plastic money has gained a lot of acceptance and popularity as it eliminates the risk of handling cash and dealing with mutilated or fake notes. Even merchants encourage plastic transactions. A few years back card transactions were highly vulnerable, but the recent RBI mandate to verify all offline transactions with a PIN and all online transactions with a second level of authentication has really minimized threats when making card payments.


A client of ours is a leading player in the Indian industry in both the retail and corporate banking sectors. In the last few years there had been rapid development of IT systems and services in the organization, and the various businesses within the bank stored and used data differently; a common classification of such information was therefore a key challenge to be overcome. Hence the bank felt an urgency to protect its information assets, customer confidentiality and trust, but was uncertain about the priority areas and its current risk profile.

The bank's Information Security (InfoSec) posture was defined to include the handling, processing, storage, transmission and destruction of information, so as to assure and constantly improve security effectiveness without affecting operational efficiency beyond acceptable limits. The implementation was executed over the following phases: Information Security Management System, Technology & Baseline Hardening, and Electronic Counter-Surveillance & Change Management. The implementation methodology ensured an evaluation of the existing environment at the bank with regard to InfoSec awareness levels, threat perceptions, the systems and procedures in place, and the bank's capability to prevent InfoSec breaches. This was done in a 'dollarized' manner which clearly displayed the cost of the status quo.

Some of the benefits to the client included:

Retaining and Enhancing Competitive Advantage - We de-risked their processes such that customer data and the confidentiality of operations are maintained. Third-party access to sensitive data was also defined and strict controls were put in place. The implementation methodology ensures InfoSec gaps are identified and addressed immediately.

Regulatory Compliance - This mandate ensured that relevant control processes were put in place to facilitate compliance with stringent regulatory requirements related to operational data and client-sensitive information. In the second part of the mandate, we would be assisting the bank in an organization-wide roll-out of the implementation, as was done for the corporate office, along with hand-holding them in attaining ISO 27001 certification for Information Security.

Positive Assurance - Our InfoSec Implementation Methodology established risk management systems that reinforce and support accountability, making it a sustainable initiative in the long term, and helped to minimize the gap between management perception and ground reality.