NBFC

Importance of Cyber Security for NBFC

Information is an asset to all NBFCs and Information Security (IS) denotes to the protection of these assets in order to achieve organizational goals. The purpose of Information Security (Cyber Security for NBFC) is to regulator access to sensitive information, safeguarding use only by legitimate users so that data cannot be read or compromised without proper authorization. Non-Banking Financial Company (NBFC) must have a board-approved IS Policy with the subsequent basic views:

Confidentiality – Ensuring access to sensitive data to authorized users only.

Integrity – Ensuring the accuracy and reliability of information by ensuring that there is no modification without authorization.

Availability – Ensuring that uninterrupted data is available to users when it is needed.

Authenticity – For IS it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. In this article we described about Importance of Cyber Security for NBFC.

Details of Information Security Framework for NBFC

The IS Policy must provide for an IS framework with the following basic views:

• Identification and Classification of Information Assets. NBFCs shall keep a complete inventory of Information Asset with the distinct and clear identification of the asset.
• Segregation of functions – There must be a separation of the duties of the Security Officer/Group (both physical security as well as cybersecurity for NBFC) dealing exclusively with information systems security and the Information Technology division^[1] which actually implements the computer systems. The IS function must be sufficiently resourced in terms of the number of workforces, level of skill & tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there should be clear segregation of responsibilities relating to system administration, database administration and transaction processing.
• Role-based Access Control – Access to information should be based on well-defined user roles (system administrator, user manager, application owner, etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be a clear delegation of authority for the right to upgrade/change user-profiles and permissions and also key business parameters which should be documented.
• Personnel Security – A few authorized application owners/users may have intimate knowledge of financial institution processes and they pose a potential threat to systems and data. NBFC should have a process of appropriate check and balance in this regard. Personnel with privileged access to the system administrator, cybersecurity personnel^[2], etc. should be subject to rigorous background check and screening.
• Physical Security – The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. NBFCs should have a secured environment for the physical security of IS Assets such as the secure location of critical data, restricted access to sensitive areas like data center
• Maker-checker is one of the important principles of authorization in the information systems of financial entities. For each transaction, there must be at least two individuals necessary for its completion as this will reduce the risk of error and will ensure the reliability of the information.
• Incident Management – The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analyzing and responding to information security incidents.
• Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating the audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
• Public Key Infrastructure (PKI) – NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication, and non-repudiation.

Cyber Security for NBFC

NBFCs should have a cyber-security policy clarifying the approach comprising an appropriate approach to combat cyber threats given the level of difficulty of business & acceptable levels of risk, duly approved by their Board.

NBFCs should review the organizational arrangements so that the security concerns are appreciated, receive adequate attention and get escalated to appropriate levels in the hierarchy to enable quick action. Cyber Security for NBFC must be a top priority task for management.

A vulnerability can be well-defined as an inherent configuration flaw in an organization’s information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization.

Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk & cost associated with the vulnerabilities. NBFCs may plan an approach for managing and eliminating vulnerabilities and such a strategy may clearly be communicated in the Cyber Security policy.

The adequacy of and adherence to cyber resilience framework should be assessed and measured through the development of indicators to assess the level of risk/preparedness.

These pointers would be used for comprehensive testing through independent compliance checks & audits carried out by qualified and competent professionals. The awareness among the stakeholders including employees may also form a part of this assessment.

Cyber Crisis Management Plan (CCMP)

A Cyber Crisis Management Plan (CCMP) must be instantly evolved & must be a part of the overall Board permitted strategy. CCMP must report the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment.

NBFCs need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond/ recover/contain the fallout. NBFCs are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.

Thus, NBFCs would take essential preventive & corrective measures in addressing several kinds of cyber threats including, but not limited to, denial of service, distributed denial of services, ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, visiting frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

Risk Assessment Exercise

NBFCs should undertake a comprehensive risk assessment of their IT systems at least on a yearly basis. The assessment should make an analysis of the threats and vulnerabilities to the information technology assets of the NBFC and its existing security controls and processes.

The outcome of the exercise should be to find out the risks present and to determine the appropriate level of controls necessary for appropriate mitigation of risks.

The risk assessment should be brought to the notice of the Chief Risk Officer (CRO), CIO and the Board of the NBFC and should serve as an input for Information Security Auditors.

NBFCs that are already using or intending to use Mobile Financial Services should develop a mechanism for safeguarding information assets that are used by mobile applications to provide services to customers. The technology which is used for mobile facilities must ensure confidentiality, integrity, authenticity & must deliver for end-to-end encryption.

NBFCs using Social Media to market their products should be well equipped in handling social media risks and threats. As Social Media is vulnerable to account takeovers and malware distribution, proper controls, such as encryption and secure connections, should be prevalent to mitigate such risks.

Conclusion

Human link is the weakest link in the information security chain. Hence, there is a vital need for an initial and ongoing training and information security awareness program.

The program may be periodically updated keeping in view changes in information technology system, threats/vulnerabilities and/or the information security framework.

There needs to be a mechanism to track the effectiveness of training programs through an assessment/testing process. NBFCs require maintaining an updated status on user training and awareness relating to information security.