How safe is safe enough? Heed RBI on cyber security and risk reduction.

The gamut of issues mentioned in the RBI press release cover most key aspects of the cyber security framework that banks are expected to adhere to.

Summary

  • Were RBI’s clamps on Kotak Mahindra Bank too stiff? Not if cyber risks are considered. Banks should view RBI’s IT requirements as laying a well-lit path towards better and safer banking.

The entire data of about 615,000 customers of UniSuper, an Australian retirement fund managing $81 billion in assets, was stored on Google Cloud but recently vanished into thin air. The data and services were recovered only after considerable effort. This hitherto-unimaginable incident should refocus our attention on last month’s supervisory action against Kotak Mahindra Bank Ltd (KMB) by the Reserve Bank of India (RBI) for technology-related inadequacies.

Many compared it with the similar action on Paytm Payments Bank Ltd (PPBL) and wondered if such drastic curbs were worth the hardship imposed on affected customers, though the hardship was smaller in the case of KMB. One commentary compared technology adoption to a banana peel that Indian banks kept slipping on, recalling that in 2020 RBI had put restrictions on HDFC Bank for technological inadequacies. Another article on the cost of digital banking, while failing to highlight its significant benefits in reducing transaction costs and enhancing financial inclusion, quoted various bankers who put the technology spend of banks at around 10% of their overall expenses.

With so much noise around the issue, we should examine the proportionality of such regulatory actions. Let’s start with the 24 April directive from RBI, directing KMB to stop onboarding new customers through its online and mobile banking channels and to stop issuing fresh credit cards. RBI’s IT examinations over two successive years had uncovered deficiencies in KMB’s IT asset inventory management, software patching, outsourcing of services, data security and business continuity backup. Further, KMB reportedly fell short in its compliance with a corrective action plan and with risk and security governance norms.

The gamut of issues mentioned in the RBI press release cover most key aspects of the cyber security framework that banks are expected to adhere to. There is also a mention of KMB suffering “frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences." Surprisingly, though, the X (formerly Twitter) handle of KMB has no mention of any such planned or unplanned outage on that date. Keeping customers updated on such events is a good practice that many foreign banks operating in India follow.

We should also recall the ₹800 crore-plus IMPS fraud/glitch at UCO Bank, amounting to almost half its previous year’s profit, which exposed weaknesses in the IT operations and security posture of the Kolkata-based lender. Such large-impact incidents are bound to cause concern among regulators, customers and the government.

A wake-up call for the Indian banking sector came in February 2016 in the form of the SWIFT-related heist at Bangladesh Bank in our neighbourhood, which exposed the soft underbelly of large international fund flows through that network. Not surprisingly, several Indian banks faced incidents of a similar nature in subsequent years, notably the $171 million (about ₹1,400 crore) attack on Union Bank of India in July 2016 and the ₹94 crore online attack on Pune-based Cosmos Bank in August 2018.

India’s bank regulator had taken note of this emerging risk. RBI had been working on appropriate regulations to deal with cyber risk and building its own supervisory capability to audit the IT systems of banks for cyber security and resilience. It also set up Reserve Bank Information Technology Pvt Ltd (ReBIT), its technology subsidiary, which I had the privilege of heading for five years. These efforts arguably improved the cyber posture of banks.

Central banks, which have always had to worry about financial stability, now have cyber risk looming on their radar as well. An entire chapter of the International Monetary Fund’s Global Financial Stability Report released in mid-April deals with cyber risk. The report notes that cyber attacks have doubled since the pandemic and pose an acute threat to macro-financial stability, since shocks can arise both from disruptions of critical services, which are put at risk by their interconnectedness, and from a loss of confidence. The Fund’s prescribed remedy: strengthen cyber resilience through coordinated national and sectoral effort, technology investment and the development of a well-skilled cyber workforce.

Apart from considerations of financial stability, India also relies heavily on its digital public infrastructure to deliver financial and other essential services. Being in a rough neighbourhood, so to speak, the possibility of remotely mounted cyber attacks needs to be guarded against in full earnest.

Given this background, I, for one, would not fault the strong regulatory measures adopted by RBI, and would hope that regulated entities see these as forming a well-lit path towards higher-level IT capabilities that make for safer banking. The journey will help them not only mitigate risks better, but also get their digital banking services up to speed with what’s needed.

Bank boards and their top managers have their jobs cut out. They must aim to know more, understand better and execute well. Risk management, after all, is at the heart of banking.
