'Hacking of an ID or an account will have the same impact on a user in a city and one in a small town.'
'Security is like a railroad, you create it to last for every customer.'
The threat of cybercrime has become a real concern for the financial world, with attacks increasing rapidly.
While traditional banking players have been tackling this menace, the fast-growing digital lending segment that wants to capture the next 500 million customers onto digital platforms is also realising the importance of cybersecurity.
Panellists at the Business Standard BFSI Insight Summit session, In a digital lending world cybersecurity threats are rising, welcomed the fact that the Reserve Bank of India's recent guidelines on the digital lending segment also focused on tackling cybersecurity.
Participants in the discussion included Rajsri Rengan, head of development, banking and payments, India and Philippines, FIS; Ranjeeth Bellary, partner, Forensic and Integrity Services, EY; Akshay Mehrotra, co-founder and CEO, Fibe (formerly EarlySalary); and Anuj Kacker, co-founder of Freo, a neo-bank, and executive committee member of the Digital Lenders Association of India.
The panellists tackled issues like approaches to handling cybersecurity within organisations, whether the size of a company matters in matters of security, the convergence of fintech firms and banks, and how the RBI's digital lending guidelines change the landscape.
The RBI recently unveiled cybersecurity guidelines, which also apply to the digital lending segment. Is cybersecurity still a top-down approach in India, or is this changing over time?
Ranjeeth Bellary: Statistically, cybercrime today is the largest in terms of monetary value.
It has surpassed illegal drug trafficking, which used to be the top crime in terms of value.
Also, the pandemic and the resultant lockdown boosted cybercriminal activities further.
There is an individual responsibility, too, to avoid getting duped by cyber criminals.
We have to make sure we take care of our data as much as possible.
When it comes to organisations, other than compliance-related issues, companies also realise that they have to protect customer data.
Banks are much more evolved from this perspective.
Security is a much more regulated industry in India.
From the banking side, we've seen a lot of good security practices adopted, especially among fintechs.
The top-down approach is definitely preferred, but at the same time, the bottom-up approach is also required, as they have to educate the end-users and ensure that, apart from putting security practices in place, customers are also well aware about security threats.
Rajsri Rengan: A recent study says that financial institutions are 300 times more vulnerable to cyberattacks than any other industry, and the cost of remedying a cyberattack in the financial services industry is 40 per cent more than in any other.
It's a no-brainer, because one of the main reasons why a malicious attacker enters our system is for financial gain.
Growing cyberattacks across the finance world as well as businesses in general are making senior executives more aware of the need for security.
In fact, our chief security officer recently remarked that earlier he would meet the board of directors of the company probably once a year for 20 minutes, but now the amount of interaction that we see with the board is 30 minutes every month.
Cybersecurity is something that is playing on the minds of everyone.
We have a lot of responsibility to protect our systems, adopt a more disciplined approach, and hence protect our clients and end-users.
We follow a very disciplined and global approach.
We have a global information security office. That provides thought leadership and direction.
Our strategy is built on four important pillars -- protect, detect, respond, and communicate.
As a global fintech, we take a bottom-up approach, and these are based on three important foundational aspects -- people, process and technology.
Do new-age fintechs have a different view towards cyber threats?
Anuj Kacker: I don't think there is much of a difference between large companies and small ones.
Every fintech firm wants to be a bank, and banks want to be fintechs.
How can you then treat customer security differently? The cornerstone of the RBI guidelines is customer protection and data privacy, apart from other things.
At Freo, we take every kind of precaution, measures, products, technology, and try to secure it.
Of course, there will be breaches, as you have seen across the globe, but I would argue that fintechs are probably better suited at present because our systems have very little manual work.
Focus on security is in-built in tech businesses or new-age firms.
At Freo, security is part of the entire structure.
Akshay Mehrotra: Our approach is slightly different. Fibe is already a mid-sized NBFC.
We have all the regulations applicable to a mid-size company, but the moment you look at your topline and think of becoming the next big player, your technology platform and game is two notches above.
Then it is all about how I will manage customers with a much larger manual? How will I bring protection for them?
Second, we believe that every three years technology changes, and we have to discard what we have built from the ground up.
In fact, as of today, we rolled out our version 3, where we discarded every piece of railroad tech that we have built so far.
Which means that the new platform is far more stable, it's meant to handle maybe 20x customers, and take us to the next three years' growth.
It's also meant to be far more secure.
This also means that we are not stopping at an ISO certification or being PCI-compliant.
As a digital lender I do not need to be PCI-certified -- it's required for banks.
But we thought we needed to have it, because we impact more people than a traditional institution does.
We have now done four million loans, and we have 20 million people registered on the platform, which is more than most banks in the country do.
My app on the Play Store is little more than 20Mbps, but underlying are products that have terabytes of data and we strive to give customers a seamless experience.
We work with many banks and they see us at their level, which changes the way the ecosystem gets built.
Bellary: The way start-ups look at technology and its adoption is centred round customers.
That's how they are able to build their business.
I would say fintechs are far ahead, because they have to ensure that the customer is satisfied -- that the customer experience is not getting hindered by any issue.
Fintechs are more adept at adopting cybersecurity practices.
Having said that, large organisations, depending on which industry they are in, are adopting cybersecurity as well as training their employees in the do's and don'ts.
Are the RBI's recent guidelines for the digital lending segment more prospective or prescriptive?
Mehrotra: It's actually much beyond that. This is the first time guidance is proactive and shows how to build the business with the right manual. It's come a little early.
It offers a clear path to growth, removing any ambiguity on how to build a company in this space.
It also lays out clear pathways on how to structure your organisation.
Whenever the regulator lays out clear paths, we have seen those markets expanding dramatically.
We saw that when UPI came up with very clear systems with NPCI-backing.
What is becoming important is that regulations are very progressive, while fintechs find it tough, because a lot of compliance work comes in.
But what is left is a very clear black and white product.
It's also given access to much larger capital pools and co-lending opportunities.
I think the industry is set to grow and become $1 trillion in size.
This is achievable within the next three years.
How is compliance seen among digital lenders, and what best practices are followed in this space, especially in view of rising cybersecurity threats?
Bellary: It's very sector-driven. Sectors like the banking sector are already highly regulated.
So it's not for them to be compliant. The challenge arises for small companies or MSMEs, who find it a bit challenging to comply with a lot of different regulations.
Hence we need to have clear guidelines in terms of what regulation needs to be followed. The greater the clarity, the less it looks like a burden.
Compliance can never be a burden for the business side, as it ensures a better customer experience.
Rengan: From an engineer's point of view, it's challenging.
The technology keeps changing and new aspects keep emerging, regulations change and customer expectations are also very volatile.
So, it does create some amount of friction in the system. But security is non-negotiable.
We have 330 million people on the mobile banking network already.
When the next 500 million come in, what will be your focus for these new users -- ease of access or cybersecurity, and how do you make sure these two are balanced?
Mehrotra: Hacking of an ID or an account will have the same impact on a user in a city and one in a small town.
The reputational risk that one suffers is equal in both cases -- whether one customer is hacked, or a million customers' data is breached.
Security is like a railroad, you create it to last for every customer.
Bellary: It's not about how you are able to build both.
One is accessibility, the second is security.
You need security embedded in your overall organisational strategy.
Technology is something which can play a greater role here.
Kacker: You cannot delineate the two. You cannot compromise on one for the other.
We as businesses cannot differentiate between customers, whether they are from a metro or from a smaller city.
Rengan: Digital adoption is here to stay, cloud migration will continue, and cyberattacks are also here to stay.
When businesses take one step forward, the attackers take 10 steps ahead.
Cybersecurity is not threat elimination, it is about measured risk-taking.
How well can you learn from what has happened and how can you harden your processes and controls, so that you recover faster when something happens? Whether it is the next 500 million coming into the biggest digital adoption world, cybersecurity should be part of this.
With security threats rising, what are the three most important factors that you look for while maintaining the security of the applications and the lending process?
Mehrotra: There are two tactical parts. One is the note-points which are open to anyone in the network externally.
You spend a fair amount of time to plug in your note-points.
Second, most of the time, we forget that employees have access to some data.
How do you eliminate personally identified information data from your internal system completely? Third, as you build an organisation in the beginning, you may also work with third-party vendors.
How you plug your system with third-party players is also important.
