The latest RBI circular highlights the importance of safety in digital payments. As a part of CISO Platform’s next BFSI webinar in association with FireCompass, we covered how safety in digital payments is changing and what the new regulations mean for the banks.
The panel was hosted by Ananth MS, CISO, FireCompass. Ananth was previously the CISO of Jana Bank. The Panel speakers were - Sovon Mukherjee, CISO, Fincare Bank, Satish K Dwibhashi, CISO, InMobi, and Aseem Rastogi, Head IT and Security Razor Pay.
The discussion focused upon :
- Understanding of the RBI mandate for the payments sector
- Key elements of preparedness
- Risks, and threats for the payments sector
- Structuring your security program to get ready for RBI
- what should be the part of your people, process, and technology stack.
Understanding Of RBI Mandate
Sovon explains that the mandate is a master directive to look at the entire state of digital products, not just from a security perspective but from performance monitoring and scalability as well. All the points in the directive are elaborative and explained well.
As for some key takeaways from the circular, Satish K mentions that the cybersecurity framework that RBI mentions is a strong foundation in the ecosystem. It covers everything right from cybereducation to standard cybersecurity policies.
Aseem adds, that the circular is broad technologies that are mandatory for banks like VA/PT, red-teaming, pre-production/post-production, application testing, etc is covered extensively. In today’s age of cyber insecurity, RBI has done a great job in terms of covering all the aspects.
Structuring The Security Program
Ananth put across the very important question of how the banks should form their cybersecurity posture given the mandate clearly chalks out a framework.
Satish starts by mentioning that to create a robust framework, the tone at the top is important. Having a strategy in place aligned back to the business objectives is also a major goal. All the technical controls need to be in place to make a safe card data environment. The strategy needs to be risk-based, so a risk assessment should be mandatory. And with time the organization needs to gain some maturity to attain the next level of security.
Sovon adds the master directive states that there should be a digital products and services policy for the banks. And this policy needs to be formed by the board. Since customer data, integrity needs to be paramount, so payments systems and channels need to be extremely secure. So for every bank monitoring their risks periodically is very important.
However, the first thing that banks need to do is start a gap assessment, in terms of where RBI wants you to be and where you are.
Aseem mentions that as a next logical step there will be separate security programs in banking sectors that would be headed by the CISO. There already are separate security and compliance teams present in organizations. The good part about this circular is RBI has clearly stated that customer education is a necessity. So the risks with every digital product need to be clearly communicated to the customer by the banks.
Mobile App Security
This current master directive by RBI has removed all the ambiguity from the previous circulars. Like previously there was ambiguity in terms of how many times the banks are supposed to perform their VA/PT assessment. Now the frequency has been made clear.
RBI has stressed on the importance of the continuous form of security and application testing.
Another thing that has been spoken about is mobile app security. Some of the things that need to be done for mobile security are :
- Continuous testing of mobile apps
- Periodic pentesting
- Security needs to be taken care of right at the start of building an application
- Containerisation, malware analysis, message digest, new upgrade notifications, all of these controls are mandatory now.
- There needs to be security by design, which basically means think of security right at the initiation. This would also help in threat modeling etc.
Satish mentions that today threat actors are trying to breach your security day in and day out and it’s really a challenge to defeat them every day. Thankfully there are tools that help you stay continuously secure but testing continuously. It’s important because mobile breaches are getting common and it becomes important for banks to continuously test their assets. There are new threats every day and that makes it necessary to test our applications every day.
Sovon says "automation is the new way of life from a security perspective. It is important to continuously scan all your applications for any vulnerabilities etc. This continuously testing is difficult to do manually, so automation is the only way."
Relevance Of Attack Surface Monitoring
Aseem mentions, attack surface monitoring for any security organization is a good starting point. Because a lot of our attack surface is unknown, it’s not visible. And there is a big chance of finding loopholes when your attack surface is not visible to you. With so many things going on in an organization at the same time, one wrong click can compromise your customer data. So knowing your attack surface is paramount.
While RBI has mandated VA/PT for banks, it’s more of an inside-out approach, where you are trying to find your vulnerabilities. It is also important to know how vulnerable is your organization to hackers. Which is what makes red teaming important. Today there are tools to make red teaming more accessible.
The discussion came to a close, by mutually agreeing that this RBI mandate is one of the most elaborative and instructive mandates to date.