The notification from MeitY dated 16th June 2022 declaring the CBS system, RTGS System, NEFT System and the Structured Financial Messaging Server as protected systems and imposing the information security guidelines of 22nd May 2018 is a watershed moment in the history of Cyber Security Management in the country.
The decision indicates that from now onwards, a representative of CERT-IN will sit in the Information Security Governance Committee of ICICI Bank and supervise all policies and their implementation regarding the information security in the Bank.
This development is similar to “Nationalisation of the Information Security System of ICICI Bank” and is a huge embarrassment to the Bank’s credentials as a trusted repository of public funds.
The Press reports that the systems of HDFC Bank and NPCI has been simultaneously declared as “Protected Systems” but details of the gazette notification is available only in respect of ICICI Bank.
Some members of the public would mis-understand this development and consider as if the Government has bestowed an honour on ICICI Bank by giving it’s systems the status of a “Protected System”. Perhaps ICICI Bank would also like to propagate the same perception.
But the truth is different.
Declaration of a system as a “Protected System” is to enable the Government to exercise a close control on the security of the system because the Government apprehends that the the incapacitation or destruction of the system , shall have debilitating impact on national security, economy, public health or safety.
We must observe that most of the Government financial assets such as the Treasury accounts are presently held in State Bank of India and except by market capitalization ICICI Bank is not more critical than SBI in terms of national security or security of national economy.
ICICI Bank on the other hand has been saddled with thousands of data breach incidents in the form of phishing complaints from their customers and we have already pointed out one documentary evidence of how a Phishing website was run from within the ICICI Bank server itself. ICICI Bank was also in the forefront of Crypto transactions and was enabling Bitcoin remittances from abroad.
We can perhaps consider that the Government might have taken notice of these Bitcoin transactions and the thousands of phishing transactions as potential money laundering incidents which may need a closer scrutiny and investigation on a day to day basis. The ongoing investigation on Mrs Chanda Kochhar also may require a close oversight on the operations of the Bank, the information deletions that have been made in recent times, the background of the custodians of the transaction servers etc.
Unless properly denied, the existence of a huge scam which is about to be unravelled cannot be ruled out.
I trust that the development is big enough to need a notice to the stock markets under Clause 49 of the listing rules and there has already been a delay in this regard.
ICICI Bank has to also come out with its own official explanation and disclosure of how this development could affect the investors and affect the share price.
Unless immediate action is taken by the Bank to manage the reputational damage through appropriate public messaging, the share prices of the Bank are in the danger of being adversely affected.
It is an immediate necessity that ICICI Bank makes a public disclosure of it having been notified as a “Protected System” and the changes in the policies and information security Governance system on its website.
I understand that it is a painful situation for the Bank but the gazette notification has already been made and the clock cannot be turned back.
It is an unenviable situation for ICICI Bank. Substantial damage has already been done and cannot be reversed. Now only containment of further damage is possible and it may require a careful communication strategy avoiding any false statements that can further damage the organization.
I pity the life of the CISO in ICICI Bank which will change permanently and could be a bed of thorns with the CERT In breathing down its neck on a minute to minute basis. We can also watch out for some attrition in IS workforce in the Bank.
I expect a series of press articles planted by the Bank in the next week highlighting as if the notification is a “Padma Award” for its Information Security department. Good time for journalists.
(P.S: The situation in HDFC Bank is similar. We are yet to access the notification regarding HDFC Bank and NPCI and hence not commented on the impact of the decision on these organizations in detail. There are many other large Banks such as PNB where also a largescale risk of data breach exists and may require a CERT-IN supervision of the security systems)
Naavi
