An NBFC's IT organizational structure should be commensurate with the size, scale and nature of its business activities. A Non-Banking Financial Company (NBFC) may designate a senior executive as Chief Information Officer (CIO) or in-charge of IT operations, responsible for carrying the IT Policy down to the operational level, covering IT strategy, value delivery, risk management and IT resource management. To ensure technical competence at senior and middle management level, the NBFC should periodically assess its IT training requirements so that sufficient, competent and capable human resources are available. NBFCs must have a board-approved IT Policy built on the following basic principles –
Formulate a Board-approved IT policy – The policy shall be in line with the organizational objectives.
Develop an IT organizational structure – The structure shall be commensurate with the size, scale and nature of business activities carried out by the NBFC.
Designate a senior executive as the Chief Information Officer (CIO) or in-charge of IT operations – The responsibility of this officer shall be to ensure implementation of the IT Policy at the operational level, involving IT strategy, value delivery, risk management and IT resource management.
Formulate a periodic assessment of IT training requirements – To ensure technical competence at senior and middle management level and to ensure that sufficient, competent and capable human resources are available.
NBFCs are required to put in place a Board-approved cyber-security policy that sets out their strategy and approach to combating cyber threats, given the complexity of the business and the acceptable level of risk. NBFCs must ensure that structural measures are in place so that security concerns are valued, receive adequate attention and are escalated to the appropriate level in the hierarchy to enable quick action.
A vulnerability is an inherent configuration flaw in an organization's information technology base, whether hardware or software, that a third party can exploit to gather sensitive information about the organization. Vulnerability management is the ongoing process of identifying vulnerabilities and deciding whether to eliminate or mitigate each one, based on the risk it poses and the cost of remediation. NBFCs may devise a strategy for managing and eliminating vulnerabilities, and that strategy should be clearly set out in the Cyber Security policy.
Capability and adherence to the cyber resilience framework must be assessed and measured through indicators of the level of risk and preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. Awareness among stakeholders, including employees, may also form part of this assessment.
A Cyber Crisis Management Plan (CCMP) should be evolved immediately and should form part of the overall Board-approved strategy. The CCMP should address four aspects: (i) Detection, (ii) Response, (iii) Recovery and (iv) Containment. NBFCs need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond to, recover from and contain the fallout. NBFCs are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats and targeted attacks. Among other things, NBFCs should take the necessary preventive and corrective measures to address various types of cyber threats including, but not limited to, denial of service, distributed denial of service, crypto ware, destructive malware, business email frauds containing spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password-related frauds, etc.
Managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This calls for a high level of awareness among staff at all levels. Top Management and the Board should also have a fair degree of awareness of the finer nuances of the threats, and appropriate familiarisation may be organized for them. NBFCs should proactively promote, among their customers, vendors, service providers and other relevant stakeholders, an understanding of their cyber resilience objectives, and require and ensure appropriate action to support their synchronized implementation and testing.
A Digital Signature Certificate authenticates an entity’s identity electronically. It also provides a high level of security for online transactions by ensuring absolute privacy of the information exchanged using a Digital Signature Certificate. NBFCs may consider the use of digital signatures to protect the authenticity and integrity of important electronic documents and also for high-value fund transfer.
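The authenticity and integrity guarantee described above can be demonstrated in a few lines. The following Go program is an added example, not code from the original article or from any NBFC, and it makes two assumptions: it uses Ed25519 keys generated in memory (the `GenerateSigningKey` helper is hypothetical), whereas a real Digital Signature Certificate would carry a key issued by a licensed Certifying Authority, and the fund-transfer instruction it signs is a constructed sample. It shows that a signed document verifies as-is and fails verification once a single field of it is altered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedDocument bundles a document with the signature over its SHA-256 digest
// and the signer's public key. In production the public key would be taken from
// the signer's certificate; here it travels alongside the document for brevity.
type SignedDocument struct {
	Body      []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// GenerateSigningKey creates a fresh Ed25519 key pair (assumption: in a real
// deployment the private key lives in a token or HSM issued with the DSC).
func GenerateSigningKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// SignDocument hashes the document and signs the digest with the private key.
// Hashing first keeps the signed message a fixed size regardless of document length.
func SignDocument(priv ed25519.PrivateKey, body []byte) SignedDocument {
	digest := sha256.Sum256(body)
	return SignedDocument{
		Body:      body,
		Signature: ed25519.Sign(priv, digest[:]),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyDocument recomputes the digest of the received body and checks the
// signature against it. Any change to the body, even one character, fails here.
func VerifyDocument(doc SignedDocument) bool {
	digest := sha256.Sum256(doc.Body)
	return ed25519.Verify(doc.PublicKey, digest[:], doc.Signature)
}

func main() {
	priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}

	// Constructed sample instruction, not a real transaction.
	original := []byte("TRANSFER INR 10,00,000 FROM ACCT 000111 TO ACCT 000222 REF 2024-0001")
	doc := SignDocument(priv, original)
	fmt.Printf("signature: %s\n", hex.EncodeToString(doc.Signature))
	fmt.Printf("genuine document verifies: %v\n", VerifyDocument(doc))

	// An attacker who changes the amount in transit cannot produce a matching
	// signature without the private key, so verification fails.
	doc.Body = []byte("TRANSFER INR 90,00,000 FROM ACCT 000111 TO ACCT 000222 REF 2024-0001")
	fmt.Printf("tampered document verifies: %v\n", VerifyDocument(doc))
}
```

Note what the signature does and does not provide: the verifier learns that the document came from the key holder and was not altered, but the body itself is sent in the clear. Confidentiality of the exchanged information requires separate encryption of the channel or the payload.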
NBFCs should undertake a comprehensive risk assessment of their IT systems at least on a yearly basis. The assessment should make an analysis of the threats and vulnerabilities to the information technology assets of the NBFC and its existing security controls and processes. The outcome of the exercise should be to find out the risks present and to determine the appropriate level of controls necessary for appropriate mitigation of risks. The risk assessment should be brought to the notice of the Chief Risk Officer (CRO), CIO and the Board of the NBFC and should serve as an input for Information Security Auditors.
NBFCs that are already using or intending to use Mobile Financial Services should develop a mechanism for safeguarding information assets that are used by mobile applications to provide services to customers. The technology used for mobile services should ensure confidentiality, integrity, authenticity and must provide for end-to-end encryption.
NBFCs using Social Media to market their products must be well equipped to handle social media risks and threats. As Social Media is vulnerable to account takeovers and malware distribution, proper controls, such as encryption and secure connections, should be in place to mitigate such risks.
The human link is the weakest link in the information security chain. Hence, there is a vital need for an initial and ongoing training and information security awareness program. The program may be periodically updated keeping in view changes in the information technology system, threats and vulnerabilities and/or the information security framework. There needs to be a mechanism to track the effectiveness of training programs through an assessment or testing process. At any point in time, NBFCs need to maintain an updated status on user training and awareness relating to information security.