One of the major announcements in the 2017 Budget was the establishment of CERT-Fin (a computer emergency response team for the financial sector) in India. This is the first time that the cyber crime menace affecting the financial sector will be handled through a dedicated computer emergency response team. While the exact structure and functions of CERT-Fin are yet to be disclosed, it is time to examine the existing data breach reporting norms and the manner in which they will support this initiative.
In October 2016, almost 3.2 million debit cards issued by major banks in India were allegedly compromised due to the presence of malware in the affected ATMs. The website of a major depository in India was hacked in the same month. Reacting to the compromise of the cards, the issuing banks blocked them and reported the details to the RBI. The depository reported the incident to CERT-In (the Computer Emergency Response Team under the Ministry of Electronics and Information Technology) and later to Sebi. The public, who are the actual stakeholders, whose money was in the banks and whose stocks were with the depository, probably learned of this only through news reports. Regulators too were probably not informed in time.
It was because of this delayed reporting that the RBI directed the banks to report such incidents within two to six hours. Sebi directed the depository to report any such breach within a reasonable time. Directions to inform the public, however, are still missing.
Even this one-sided reporting, which almost neglects the true owners of the assets, i.e. the citizens, lacks any legislative sanction. This, however, is not how cyber incidents are reported and handled internationally. The European Union adopted the General Data Protection Regulation (GDPR) in April 2016. Under this regulation, failure to report within 72 hours of a breach could lead to a fine of up to 2 percent of the annual turnover of the entity involved. Almost all states in the United States of America, except Alabama, New Mexico and South Dakota, have security breach laws. To be effective, the proposed CERT-Fin will require the backing of legally mandated data breach reporting norms for disclosure of security breaches to itself, to regulators and to the public.
Besides making the reporting of security breaches mandatory, CERT-Fin will be best served if each reported security breach leading to loss of public money is also mandatorily reported to the police. As of now, in the absence of any law requiring compulsory reporting, most such cases are probably neither reported nor criminally investigated. In most cases involving intricate technical details, enquiries end with detailed reports from internal/external auditors and technical committees.
Recently, in an alleged misuse of the high-frequency trading facility at one of the stock exchanges, probably only internal enquiries/audits by the exchange and the regulator were conducted. If a breach or misuse of a resource provided wrongful advantage to some and wrongful disadvantage to others, it requires criminal investigation. In cases like these, the proposed CERT-Fin could play a pivotal role in providing much-needed technical support to investigating agencies.
Building this legislative framework for the proposed CERT-Fin is also not too difficult. It can be achieved by amending the existing Information Technology Act, 2000. Section 43A of the IT Act already provides for compensation for failure to protect data. The same section can be amended to include the time frame within which a security breach has to be reported, both to the concerned regulator/law enforcement agency and to the affected citizens. Punitive action for failure to report can also be included in the amendments.
With these changes to existing laws, the proposed CERT-Fin will not only help in prompt disclosure of cyber security incidents to the public and regulators, but will also provide much-needed technical support to financial institutions in future cyber incidents.
Updated Date: Mar 10, 2017 16:29 PM