An NBFC should have an IT organizational structure commensurate with the size, scale and nature of the business activities it carries out. Non-Banking Financial Companies (NBFCs) may designate a senior executive as the Chief Information Officer (CIO) or In-Charge of IT operations, whose responsibility is to ensure implementation of the NBFC's IT Policy down to the operational level, covering IT strategy, value delivery, risk management and IT resource management. To ensure technical competence at the senior/middle level of NBFC management, a periodic assessment of IT training requirements should be formulated so that sufficient, competent and capable human resources are available. NBFCs must have a Board-approved IT Policy built on the following basic tenets:
Formulate a Board-approved IT policy – The policy shall be in line with the organizational objectives.
Develop an IT organizational structure – The structure shall be commensurate with the size, scale and nature of the business activities carried out by the NBFC.
Designate a senior executive as the Chief Information Officer (CIO) or In-Charge of IT operations – The responsibility of this officer shall be to ensure implementation of the IT Policy down to the operational level, covering IT strategy, value delivery, risk management and IT resource management.
Formulate a periodic assessment of IT training requirements – To ensure technical competence at senior/middle-level management and that sufficient, competent and capable human resources are available.
NBFCs are required to put in place a cyber-security policy, duly approved by their Board, that sets out a strategy and an approach to combating cyber threats appropriate to the level of complexity of the business and the acceptable levels of risk. NBFCs must assess their structural measures so that security concerns are valued, receive adequate attention and are escalated to the appropriate levels in the hierarchy to enable quick action.
A vulnerability can be defined as an inherent flaw in the configuration of an organization's information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information about the organization. Vulnerability management is an ongoing process of eliminating or mitigating vulnerabilities, prioritised on the basis of the risk and cost associated with each vulnerability. NBFCs may devise a strategy for managing and eliminating vulnerabilities, and that strategy may be clearly communicated in the Cyber Security policy.
Capability and adherence to the cyber resilience framework must be assessed and measured through the development of indicators of the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. Awareness amongst stakeholders, including employees, may also form part of this assessment.
A Cyber Crisis Management Plan (CCMP) should be evolved immediately and should form part of the overall Board-approved strategy. The CCMP should address the following four aspects: (i) Detection, (ii) Response, (iii) Recovery and (iv) Containment. NBFCs need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond to, recover from and contain the fallout. NBFCs are expected to be well prepared to face emerging cyber threats such as ‘zero-day’ attacks, remote access threats and targeted attacks. Among other things, NBFCs should take the necessary preventive and corrective measures to address various types of cyber threats including, but not limited to, denial of service, distributed denial of service, crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password-related frauds, etc.
It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This will require a high level of awareness among staff at all levels. Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized. NBFCs should proactively promote, among their customers, vendors, service providers and other relevant stakeholders an understanding of their cyber resilience objectives, and require and ensure the appropriate action to support their synchronized implementation and testing.
A Digital Signature Certificate authenticates an entity’s identity electronically. It also provides a high level of security for online transactions by ensuring absolute privacy of the information exchanged using a Digital Signature Certificate. NBFCs may consider the use of digital signatures to protect the authenticity and integrity of important electronic documents and also for high-value fund transfer.
NBFCs should undertake a comprehensive risk assessment of their IT systems at least once a year. The assessment should analyse the threats and vulnerabilities to the NBFC's information technology assets and its existing security controls and processes. The outcome of the exercise should be to identify the risks present and to determine the appropriate level of controls necessary for adequate mitigation of those risks. The risk assessment should be brought to the notice of the Chief Risk Officer (CRO), the CIO and the Board of the NBFC, and should serve as an input for Information Security Auditors.
NBFCs that are already using or intending to use Mobile Financial Services should develop a mechanism for safeguarding information assets that are used by mobile applications to provide services to customers. The technology used for mobile services should ensure confidentiality, integrity, authenticity and must provide for end-to-end encryption.
NBFCs using social media to market their products must be well equipped to handle social media risks and threats. As social media is vulnerable to account takeovers and malware distribution, proper controls, such as encryption and secure connections, should be in place to mitigate such risks.
The human link is the weakest link in the information security chain. Hence there is a vital need for an initial and ongoing training and information security awareness program. The program may be periodically updated keeping in view changes in the information technology system, threats/vulnerabilities and/or the information security framework. There needs to be a mechanism to track the effectiveness of training programs through an assessment/testing process. At any point in time, NBFCs need to maintain an updated status of user training and awareness relating to information security.