Over the last few days, there have been lot of discussions in all levels about what caused the mega data breach that compromised a suspected 32 lakh debit card data belonging 10 around 19 Banks.
As we expected and desired, RBI and CERT-In as well as the Finance Ministry have made some sounds. But they are still murmurs and mostly to cover their backs. There is very little substance in what has been done so far.
CERT-In says that they had issued an advisory that “After URI Attack and the Counter Military operation, there could be a retaliatory cyber attack”. Yes. This is a reasonable expectation and it was the duty of CERT In to issue such an advisory. But such advisories have been issued by many security specialists also since it is always easy to guess the minds of the enemy. But the difficulty is that when the advisory does not constitute an “Actionable Intelligence”, it gets ignored at the recipient’s end. Knowing that any such attack requires months of preparation, if the CERT-In had advised immediate systemic change of all Card and Internet Bank related passwords of all customers immediately after the surgical strikes, we could have appreciated their advisory. To simply tell the Banks, “Take Care..there may be attacks”… is like telling the BSF that there may be cross border firing. We know the risk exists and the advisory gets ignored as yet another circular to be dumped.
As regards RBI, there is no doubt that since June this year, there has been a real upping of the security ante, and the measures suggested such as setting up of SOCs, under the Cyber Security Framework and the August 11 circular on Limited Liability of Customers can be considered as specific proactive steps initiated to defend the system against the attacks such as this mega breach indicates. However, where RBI can be faulted is that it appears reluctant to walk its talk and go beyond issue of paper instructions. Even now, after the incident, RBI has sent a letter to the Banks to give a report about the incident. It will be long before any action is taken by RBI. If by that time the heat is off, then nothing is going to happen.
An indication that there will be no change is visible in the way the stock markets reacted to the news of the mega breach. The Bank shares have actually been moving upwards instead of nosediving. SBI, Yes Bank , ICICI Bank and HDFC Bank shares should have come down significantly in anticipation of strict regulatory action. But they have not. This indicates that the wisemen in the stock markets donot feel there will be any adverse financial impact on these Banks arising out of the data breach.
On the contrary, if any reasonable action is expected to be taken on the Banks, any professional in Banking or Information Security would immediately foresee a quantum jump in information security related expenses, card replacement expenses, payment of penalties to RBI, Payment for frauds, increased insurance expenses etc. Probably stock markets donot see this happen.
RBI should compare its actions with what TRAI has been doing to regulate the Telecom Industry. TRAI has imposed a penalty of Rs 50 crores per circle on Airtel, Vodafone and Idea for deliberately sabotaging Reliance Jio’s launch. In this case the penalty is for non compliance and not for compensation to any customers.
On the other hand, RBI is talking of Rs 5 lakhs to Rs 1 crore per Bank as penalty for some violations. (RBI Framework for imposing penalty under PSSAct) This is grossly insufficient to be a deterrent. Considering the serious dent caused to customer confidence in the Indian Banking system in a digital era, each of the 19 Banks involved should have been imposed not less than Rs 100 crores as penalty or a penalty of Rs 10000/- per breach (Total Rs 3200 crores) should have been imposed.
I hope RBI will consider this after they get the response from the Banks to its query.
However, there is no reason why RBI should still be waiting to issue the August 11 circular as an operational circular. Going by some press reports, many consider that the circular is already applicable. But when it comes to a real case of a fraud, I am sure that Banks will argue that the circular was only a “Draft” and is not applicable.
RBI must therefore confirm the circular as operative immediately…not withstanding the opposition from IBA.
Let RBI not allow the tail to wag the dog. Let it show who is the boss.
If RBI continues to remain silent on this circular on limited liability, it can be presumed that Governor Mr Urjit Patel is personally protecting the interests of the erring Banks which includes SBI. It will also be interpreted as RBI’s inability to face the political pressures that must be playing to protect the reputation of the Chair Persons of some of these erring Banks.
I wait to be proven wrong on this account.