A parliamentary panel on Thursday expressed concern over the mushrooming of cyber crimes and increasing data vulnerability, and suggested that the government should come out with a framework to deal with such risks.
The Standing Committee on Finance recommended setting up a Cyber Protection Authority (CPA) and advocated that the CPA engage ethical hackers to test ecosystem participants.
To enhance the prevention and detection of fraud in the banking sector, the committee headed by Jayant Sinha strongly suggested the establishment of a Central Negative Registry and that the CPA should maintain this registry.
Noting that the current compensatory mechanism for victims of cybercrime in the financial sector has limited scope and coverage, the panel said financial institutions must play a supportive role as there is a fiduciary relationship between financial institutions and their customers.
The process of filing a compensation claim is complex and time-consuming, placing the burden of proof on the victims to establish the connection between the cyber crime incident and the resulting financial loss, which is particularly challenging due to the traceability issues associated with cyber crimes.
The committee strongly believes there should be an automatic compensation system as devised by RBI and it should be the financial institution’s sole responsibility to immediately compensate the hapless customer, pending further investigation and final traceability of funds, the report said.
This proactive approach aligns with the principle of safeguarding customer interests and ensuring rapid resolution in cases of cybercrime in the financial sector, it said.
Observing that India is indisputably one of the best regulated and safest digital financial ecosystems in the world, the panel expressed concern over the mushrooming of cyber crimes and increasing data vulnerabilities even as digitisation has rapidly expanded across the country.
Within a few years, it is likely that a billion Indian citizens will be conducting hundreds of billions of transactions online mediated entirely through large-scale, pervasive computer networks, systems, and algorithms, the panel said.
Simultaneously, it said, criminals are getting more and more innovative and difficult to track since they can now utilise powerful new technologies and operate in lightly policed or hostile jurisdictions.
These new and threatening technologies include generative artificial intelligence (AI), chatbots, and quantum computing, which raise the threat level exponentially.
To maintain its status as one of the world’s best digital financial ecosystems, India should consider evolving its cyber security policy framework across five major dimensions to establish a more dynamic and proactive regulatory framework.
It should empower a centralized authority for cyber security which can work with all digital ecosystem participants in India and around the world; formulate fairer and more responsive consumer grievance redressal and compensation mechanisms; strengthen central and state cyber security enforcement capabilities; and achieve closer global cooperation with other leading countries.
Working simultaneously across all these 5 dimensions will ensure that India develops the world’s most innovative, secure and resilient digital financial ecosystem.
The panel said cyber security regulations will have to evolve rapidly to take into account various technological developments and to stay ahead of bad actors.
There have been challenges in exerting sufficient control over third-party service providers, including Big Tech and Telecom companies, on cyber security matters. Secondly, downtime in critical payment systems, which can disrupt customer services, is not currently regulated.
Besides, it said, there is no clear process to either continuously whitelist or blacklist apps and maintain a central registry of apps that have the ability to tap digital payment and settlement systems.
“Today’s regulatory frameworks are focused mostly on fire-fighting, but they need to be much more dynamic in anticipating and dealing with emerging threats and vulnerabilities of the digital financial ecosystem,” it said.
Specific threats today include misuse of SMS templates, telemarketer verification lapses, insufficient maker-checker processes, weak security controls in fund transfer systems, and vulnerabilities in ATM channel communication.
The situation is exacerbated by limited coordination among different agencies and inadequate incident response as well as enforcement mechanisms.
To strengthen cyber security measures, mitigate vulnerabilities, and ensure the integrity of the financial sector’s digital infrastructure, the committee therefore recommended some concrete measures, including regulation of service providers, maker-checker processes and ATM channel security.
During the committee hearings, RBI provided evidence that Big Tech companies have refused to make various modifications to their mobile operating systems to make the OTP-based two-factor authentication protocol even more secure.
It underlined the importance of the enforcement system in addressing cyber fraud and stressed the importance of local police taking effective action against cyber crimes.
The committee further said that promoting supervisory cooperation and knowledge exchange with global regulators will facilitate a collective response to the exponentially growing cyber threats.
The panel, therefore, strongly urged the government to adopt and go beyond global best practices — in short to develop ‘next practices’ based on India’s specific needs and requirements.