Cyberattacks have the potential to cripple any organisation. However, the implications of a successful cyberattack in the banking and financial services industry (BFSI) can be much more significant than in other sectors. This is due to the sensitive nature of the information financial services organisations manage. Personal data is often shared with organisations across many industries, and while unlawfully obtained data can be used maliciously to negatively impact an individual (for example, identity fraud), it often doesn’t pose an immediate threat to a person’s life. However, with access to people’s personal financial information, cybercriminals can wreak havoc.
Data breaches existed long before computing became commonplace, as individuals and companies maintained records and stored personal data as part of running their businesses. Since the turn of the millennium, the advancement of technology and the proliferation of electronic data throughout the world have made investing in cybersecurity technologies a top priority on the BFSI agenda. With the BFSI sector experiencing unprecedented levels of cyberattacks, it’s imperative that its organisations make cybersecurity a strategic priority. Incidentally, the scale of attacks on the banking sector is increasing every year. In India, over 2.9 lakh cybersecurity incidents related to digital banking were reported in 2020. According to CERT-In, the national nodal agency created to monitor and respond to cyber breaches, 1.59 lakh, 2.46 lakh and 2.9 lakh cyberattack incidents related to digital banking were reported during 2018, 2019, and 2020, respectively. These incidents involved website hacking, network scanning and probing, phishing attacks, and malware insertion. With the large-scale adoption of digital payments in India over the last 5 years, consumers are at an increased risk of financial losses as the number of cyber breach incidents has also gone up considerably.
Leading organisations are continuing to work on ensuring defenses are impenetrable and processes leave little room for data leaks caused by human error. The major challenge BFSI organisations face today comes with the introduction of open banking; just as they got their data into “virtual vaults”, open banking meant data was to be opened and free-flowing between BFSIs and approved Third Party Providers (TPPs).
The open banking challenge
For banks and fintechs, the introduction of open banking provided a significant cybersecurity challenge to overcome: make data available and shareable without compromising cybersecurity, while ensuring data integrity, accountability, and visibility to customers.
At the heart of open banking are application programming interfaces (APIs), which allow BFSI organisations to connect with approved TPPs, to offer Account Information Services (AISP) – providing access to personal data, Payment Initiation Services (PISP) – providing direct access to funds, or both. Ultimately this allows BFSIs to expand the depth of their services and allows new market entrants to be underwritten by the services of incumbent organisations.
While the APIs are beneficial from an open banking standpoint, as they enable greater collaboration, they do create complexities from a cybersecurity perspective. Traditionally, banks and other BFSI organisations have been responsible for their own cybersecurity. With open banking, however, there’s a larger ecosystem involved. For example, Bank A deals with Fintech B, which deals with a few other organisations. If there is one weak link in that entire network, it poses a risk to all connected businesses. So rather than just focusing on their own cybersecurity, organisations today are required to be responsible for the entire ecosystem, much of which they have limited to no control or visibility over.
The risks of open banking in the Indian context are being noticed by government authorities too, who have cautioned the banks about the key risks. Recently, the Reserve Bank of India highlighted that open banking may potentially pose significant risks and concerns around financial privacy and data security, customer liability, cybersecurity and operational risks. If a fintech or a third party has a vulnerability, it is near impossible for the ombudsman to monitor in case of fraud unless it is brought to their notice. As open APIs provide unhindered access to customer data, they expose financial institutions to risks and to data theft that is difficult to control.
The next normal
Open banking has vastly changed the game for BFSIs in how they approach and secure customers’ data. To add to the relatively new challenges of open banking, such organisations are also navigating the “next normal”, which sees employees continuing to work remotely post-pandemic. With the sudden acceleration in digital channels, organisational CISOs must not only be agile but also vigilant about possible data breaches. This can only be achieved by deploying the latest cybersecurity technology and automating routine processes to avoid human error. The best possible solution is endpoint security.
The FSI industry will always be targeted by cybercriminals due to the nature of the information it manages. As such, it’s important it continues to prioritize cybersecurity and understand the challenges in being cyber resilient, while complying with open banking legislation.
Views expressed in this article are the personal opinion of Monica Hovsepian, head of worldwide FSI strategy at OpenText.