Will India’s CBDC i.e e-Rupee compete with UPI and Wallets?
The Reserve Bank of India (RBI) announced the launch of the first pilot for the retail digital Rupee (e₹-R) on December 01, 2022. The pilot in the wholesale segment commenced in November 2022.
What is the Digital Rupee – India’s Central Bank Digital Currency (CBDC)?
According to the RBI, a Central Bank Digital Currency (CBDC) is legal tender issued by the Reserve Bank of India. Touted as the Digital Rupee or e-Rupee, RBI's CBDC is the same as the sovereign currency and is exchangeable one-to-one at par with the fiat currency, the regulator stated.
Will the digital wallet in Retail with e₹ compete with UPI and the Wallets (Phonepe, Paytm, PPI Wallets)?
As we learn more about how the digital wallet application will function in the retail segment, how users can load and redeem the digital rupee, and how a transaction between two devices happens, it looks like this will run in parallel to UPI and wallets.
However, I wouldn't be surprised if the e₹ digital wallet kills UPI and PPI wallets in the longer run. I am not sure about UPI, but it is definitely going to impact wallet instruments like PPI in the long run. The question is 'Will wallet companies start providing digital wallets using CBDC?' or 'Why should someone use a wallet when a digital wallet with e₹ and UPI exist?'
Difference between the use of UPI vs CBDC
It is not yet clear whether offline payments can happen directly between mobile phones for e-rupee transactions. Logically it looks viable: NFC/Bluetooth communication between two devices should work.
Few questions that arise for the future:
1. Banks have been burning cash for building UPI services and not getting much in returns. Will e₹ application change the scene?
2. Can pre-paid wallets continue to have relevance over the digital e₹ wallet?
3. Privacy concerns have already been raised. Will transactions be private and the role of tech here?
4. What multiple, and most futuristic, use cases can be developed and operated with CBDC?
As an IS auditor for financial institutions, I will research and post on the regulatory requirements, how the application works, the controls that matter most when implementing and integrating it into the system, and the risk factors to keep in mind for CBDC in digital payment security.
Overall, Digitalization in payments and banking is continuing to reach new heights and India is setting an example to the world!
We are a CERT-IN Empanelled cyber security company based out of Bangalore. Reach out to us to gain more insights into the Digital Payment Security Domain and for a free consultation!!!
An Account Aggregator (AA) is a Non-Banking Financial Company. These non-banking entities are regulated by the Reserve Bank of India (RBI). In order to perform the job of an account aggregator, these entities should obtain a license from the regulating body i.e., RBI. Such entities act as a bridge or a medium for transmitting the financial data between the data-requesting institution and data-providing institution also known as Financial Information User (FIU) and Financial Information Provider (FIP) respectively. This process of sharing the user data from FIPs to FIUs will only be carried out after explicit consent from the user. The AAs will never facilitate any kind of transaction involving money made by users or customers. The AAs will not be undertaking any other business other than the business of an account aggregator.
The RBI, being the regulatory body, has prescribed a Master Directive for AA (RBI/DNBR/2016-17/46 Master Direction DNBR.PD.009/03.10.119/2016-17), as AAs are involved in the transmission of users' financial data. It is necessary for all the entities carrying out the business of Account aggregators to be compliant with the Master Direction document which is considered a regulatory requirement.
What are the points that an Account Aggregator should be compliant with from an Information Security perspective?
As per the Master Directions defined by RBI, an Account Aggregator shall transmit the financial data of a user only after receiving formal consent from that user. The consent can be obtained from users in electronic format. AAs should store the consent obtained from the users for transmitting the financial data to the FIUs, and shouldn't store any financial data other than the data for which consent has been received from the user.
The consent received by the AAs should include: the identity of the customer and optional contact information; the nature of the financial information requested; the purpose of collecting such information; if necessary, the identity of the recipients of the information; the URL or other address to which a notification needs to be sent every time the consent artifact is used to access information; the consent creation date and expiry date; the identity and signature/digital signature of the Account Aggregator; and any other attribute as may be prescribed by the Bank at any point in time.
The attributes listed above should be displayed to the user at the time of receiving consent from the user. The AAs shall not request, access, or store user credentials that may be manipulated or utilized for authenticating the customers to the FIP(s). The AAs should allow customers/users to access the consents given by them and should give them the ability to revoke the consents they have provided for FIU(s) to access their financial information or parts of it. Once a consent is revoked, a fresh consent artifact shall be shared with the FIP(s). An AA should record the request(s) and response(s) logs maintained by the FIP(s) at the time of transmitting the data.
AAs must enable secure transfer of the requested data from the FIP(s) to their own systems and then to the FIU(s); to achieve this, AAs shall employ the necessary IT framework and interface(s). The technology adopted by the AAs should be scalable to cover any other financial information or financial information provider as may be specified by the Bank in the future. An Account Aggregator is mandated to ensure adequate safety is built into its IT systems to protect against unauthorized access, data alteration/tampering, destruction, disclosure, or dissemination of records and data. An AA should adopt appropriate measures/controls for Disaster Risk Management and Business Continuity in order to provide prolonged service to customers/users without disruption. An Information System Audit of the internal systems and processes shall be in place and shall be conducted at least once in two years.
An AA should constitute various internal mechanisms for reviewing, monitoring, and evaluating its controls, systems, procedures, and safeguards. The integrity of the IT systems should be maintained at all costs, and all necessary precautions should be taken to ensure that the records of the consents explicitly received by the users are not lost, destroyed, or tampered with. The account aggregator should establish a well-documented risk management framework which shall include a sound and robust technology risk management framework, strengthening system security, reliability, resiliency, and recoverability and deploying strong authentication to protect access to customer data and systems. AAs should formulate a Risk Management Committee consisting of not less than three members of its Board of Directors. AAs shall conduct a self-assessment of their existing outsourcing arrangements to validate the risk inherited from the outsourced vendor.
An Account Aggregator should not outsource any core management functions, including Internal Audit, Strategic and Compliance functions, and decision-making functions such as determining compliance with KYC norms for opening deposit accounts, according sanction for loans (including retail loans), and management of the investment portfolio. The AAs are not permitted to outsource the service of an account aggregator to any vendor.
How can CyRAACS help an AA in achieving the above-mentioned requirements?
As prescribed by RBI, all AAs should comply with the Master Directions issued by the regulatory body, and the report must be submitted to the Bank to obtain the license to perform the business of an account aggregator in India. This calls for subject matter expertise in Information Security to align the business controls with the regulatory requirements. CyRAACS (Cyber Risk Advisory and Consulting Service) assists such firms/entities in achieving information security compliance with the necessary documentation as regulated by RBI.
CyRAACS will assist an AA in fulfilling the requirements set by the regulator by ensuring compliance readiness. CyRAACS provides internal audit services to AAs, supported by a team of trained professionals in providing an unbiased observation to the AAs by assessing their IT systems, applications, or processes in scope and ensuring adherence to the regulatory and statutory requirements. CyRAACS also assists an AA in assessing the security of their applications and web applications through vulnerability assessment and penetration testing, which provides the AA with an overview of the risks and vulnerabilities that need to be rectified in the application's development phase. CyRAACS will also offer a source code review of the applications in scope to ensure application quality assurance from the source code perspective.
How does an Account Aggregator work?
The process flow of an AA is shown in the flow chart below.
The AA process flow is as defined in the below steps:
Step 1: The user registers with an Account Aggregator application providing his details.
Step 2: The user registers with a Financial Information User (FIU) to receive a particular service.
Step 3: The user links his Account Aggregator with the FIU application.
Step 4: The Account Aggregator authenticates the linking via OTP.
Step 5: Once the Account Aggregator is linked to the FIU application, the list of linked bank accounts, i.e., the Financial Information Providers (FIPs) of the respective user, is fetched by the Account Aggregator.
Step 6: The user selects the specific FIP from the list of FIPs fetched.
Step 7: Authentication is done by the FIP via OTP to verify the user prior to sharing data.
Step 8: The user reviews the type of financial information to be shared, the purpose of sharing, and the duration for which data will be shared by the FIP with the FIU.
Step 9: Once the user accepts and proceeds, the requested financial data is shared by the FIP in an encrypted form to the aggregator which in turn is shared with the FIU.
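The consent artifact described in the Master Direction section above and the gate at Step 9 of this flow, as an added example (not CyRAACS's or any AA's code). It assumes an HMAC-SHA256 demo key in place of the AA's digital signature, and every field name and sample value is constructed.

```python
"""Consent-artifact checks an Account Aggregator runs before forwarding data.

Added example, not CyRAACS's or any AA's code. Models the consent attributes
the Master Direction lists (customer identity and contact, FI type, purpose,
recipients, notification URL, creation and expiry dates, AA identity and
signature). An FIU request is served only if the signature verifies and the
consent is unrevoked, unexpired and covers the request. Assumption:
HMAC-SHA256 with a demo key stands in for the AA's digital signature.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

AA_SIGNING_KEY = b"demo-aa-signing-key-not-for-production"  # constructed demo key


def canonical(fields):
    """Deterministic serialisation so the signature covers every attribute."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_consent(fields, key=AA_SIGNING_KEY):
    """Return a copy of the consent artifact with the AA signature attached."""
    artifact = dict(fields)
    artifact["aa_signature"] = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return artifact


def verify_signature(artifact, key=AA_SIGNING_KEY):
    """True only if no attribute changed since the AA signed the artifact."""
    body = {k: v for k, v in artifact.items() if k != "aa_signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, artifact.get("aa_signature", ""))  # constant time


def authorize_request(artifact, request, revoked_ids, now):
    """Return (allowed, reason): integrity, revocation, expiry, then scope checks."""
    if not verify_signature(artifact):
        return False, "signature invalid or artifact tampered"
    if artifact["consent_id"] in revoked_ids:
        return False, "consent revoked by user"
    if now >= datetime.fromisoformat(artifact["expiry_date"]):
        return False, "consent expired"
    if request["fiu_id"] not in artifact["recipients"]:
        return False, "requesting FIU is not a consented recipient"
    if request["fi_type"] not in artifact["fi_types"]:
        return False, "financial information type outside consent scope"
    if request["purpose"] != artifact["purpose"]:
        return False, "purpose differs from consented purpose"
    return True, "ok"


def audit_entry(artifact, request, decision, now):
    """Request/response log line kept per consent use; no FI data is stored."""
    allowed, reason = decision
    return {"timestamp": now.isoformat(), "consent_id": artifact["consent_id"],
            "fiu_id": request["fiu_id"], "fi_type": request["fi_type"],
            "allowed": allowed, "reason": reason,
            "notify_url": artifact["notification_url"]}  # notified on every use


# Constructed sample artifact, as the user reviewed it at Step 8.
SAMPLE_CONSENT = sign_consent({
    "consent_id": "consent-0001",
    "customer_id": "cust-42",
    "customer_contact": "user@example.com",
    "fi_types": ["DEPOSIT"],
    "purpose": "loan underwriting",
    "recipients": ["FIU-LENDER-1"],
    "notification_url": "https://fiu.example/notify",
    "created": "2022-09-01T10:00:00+00:00",
    "expiry_date": "2022-12-01T10:00:00+00:00",
    "aa_id": "AA-DEMO",
})
SAMPLE_REQUEST = {"fiu_id": "FIU-LENDER-1", "fi_type": "DEPOSIT", "purpose": "loan underwriting"}


def demo_decisions():
    """Run the checks over constructed scenarios; returns {name: (allowed, reason)}."""
    now = datetime(2022, 10, 1, tzinfo=timezone.utc)
    later = datetime(2023, 1, 1, tzinfo=timezone.utc)
    tampered = dict(SAMPLE_CONSENT)
    tampered["recipients"] = ["FIU-LENDER-1", "FIU-OTHER"]  # edited after signing
    out_of_scope = dict(SAMPLE_REQUEST, fi_type="EQUITIES")
    return {
        "valid": authorize_request(SAMPLE_CONSENT, SAMPLE_REQUEST, set(), now),
        "revoked": authorize_request(SAMPLE_CONSENT, SAMPLE_REQUEST, {"consent-0001"}, now),
        "expired": authorize_request(SAMPLE_CONSENT, SAMPLE_REQUEST, set(), later),
        "out_of_scope": authorize_request(SAMPLE_CONSENT, out_of_scope, set(), now),
        "tampered": authorize_request(tampered, SAMPLE_REQUEST, set(), now),
    }
```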
List of Account Aggregators:
AAs with an operating license:
Account Aggregators that have received in-principle approval from RBI are listed below.
The below picture depicts the AA ecosystems as of August 2021.
Keep Your Data Secure with CyRAACS Cyber Security Solutions. Our experts offer tailored solutions for businesses of all sizes. Contact us today!
APIs are the backbone of the internet, powering the applications and services that we use every day. With the rise of the API economy, there are now more APIs than ever before, and they are handling sensitive data. This makes API security more important than ever.
What is an API?
API is an acronym for “Application Programming Interface”. An API is an interface that allows two pieces of software to communicate with each other. It is a set of subroutine definitions, communication protocols, and tools for building software.
What is API Security?
API security is the process of securing APIs from unauthorized access, use, or modification. It includes both the security of the data and code that make up the API, as well as the security of the API itself. APIs are increasingly being used by businesses to allow third-party access to their data and functionality. This can be done for a variety of reasons, such as allowing partners to integrate their systems with yours or allowing developers to build applications on top of your data.
However, this also opens the possibility of security breaches: if the APIs are not properly secured, malicious actors can gain access to sensitive and personal data. API security is important because it helps to protect that data.
The Importance of API Security
As per the Gartner report Predicts 2022, by 2025 less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools. The report also recommends improving API security posture by developing a security strategy for threat protection, API security testing, and API access control that leverages newer approaches and vendor solutions.
9 Most Common API Security Threats and Vulnerabilities are:
Injection flaws
Broken authentication and session management
Broken access controls
Security misconfiguration
Sensitive data discovery
Insufficient supply chain security
Insufficient security controls
Lack of data security controls
Exposure of API keys and secrets
API Security Best Practices
While a breach of an API can lead to data loss, downtime, and loss of customers, the right API security solution will help you secure your APIs and prevent breaches. As per multiple industry surveys, for about 83% of companies, the question is not if a data breach will happen, but when. Usually more than once. When detecting, responding to and recovering from threats, faster is better. Organizations using AI and automation had a 74-day shorter breach lifecycle and saved an average of USD 3 million more than those without.
Not only are these breaches costly, but they're also becoming more sophisticated. API security is important because APIs are increasingly how businesses share data and connect with customers, partners, and employees. A breach of an API can lead to data loss, downtime, and loss of customers. That's why it's important to adopt best practices for API Security.
Best Practices for API Security
Here are some of the best practices for API security:
Use HTTPS for all API communications
Use API keys and secrets to authenticate and authorize access to your APIs
Use digital signatures to ensure data integrity
Use encryption to protect sensitive data
Implement rate limiting to protect against denial-of-service attacks
Monitor your APIs for suspicious activity
Keep your API software up to date
Ensure that your API keys are well-protected and not easily guessed
Do not use easily guessed words as part of your API key
Use a strong hashing algorithm to protect your API keys at rest
Use SSL/TLS to protect your API keys in transit
Use a strong password for your SSL/TLS private key
Use a firewall
Use a strong authentication method. This could be something like OAuth or two-factor authentication.
Implement rate limiting; this helps to prevent denial-of-service attacks and ensures that your API can't be overloaded by requests.
Use a good API gateway
Use Service Mesh Technology - The benefits of using a Service Mesh are many, but some of the most notable benefits are improved performance, scalability, and security.
Adopt a zero-trust philosophy – ensure every user, device, and service is verified before being granted access to data or systems.
Conduct security testing for APIs periodically; APIs should be tested against the OWASP Top 10 for API Security.
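Three items from the list above (hashed API key storage, rate limiting, and monitoring for suspicious activity) worked into a small gateway check, as an added example that is not code from the original post. The key IDs, limits and request timestamps are constructed; a real deployment would run this behind HTTPS.

```python
"""API gateway checks: hashed key storage, rate limiting, failure monitoring.

Added example, not code from the original post. API secrets are stored only
as SHA-256 hashes and compared in constant time, a per-key token bucket
enforces a rate limit (429 when exhausted), and repeated authentication
failures per key are surfaced as suspicious activity. Key IDs, limits and
timestamps are constructed.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Hash compared for unknown key IDs so a lookup miss takes as long as a hit.
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


class ApiKeyStore:
    """Maps key_id -> SHA-256(secret); plaintext secrets are never persisted."""

    def __init__(self):
        self._hashes = {}

    def issue(self, key_id):
        # 256 bits of randomness: not a word, not guessable. Plain SHA-256 is
        # adequate for a secret this strong; use a slow KDF for user-chosen ones.
        secret = secrets.token_hex(32)
        self._hashes[key_id] = hashlib.sha256(secret.encode()).hexdigest()
        return secret  # shown to the client exactly once

    def check(self, key_id, secret):
        known = key_id in self._hashes
        stored = self._hashes.get(key_id, _DUMMY_HASH)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        return hmac.compare_digest(stored, digest) and known


class TokenBucket:
    """Allows bursts of at most `capacity`, refilling `refill_per_second` tokens."""

    def __init__(self, capacity, refill_per_second):
        self.capacity = capacity
        self.refill = refill_per_second
        self.tokens = float(capacity)
        self.updated = None

    def allow(self, now):
        if self.updated is not None:
            elapsed = max(0.0, now - self.updated)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGateway:
    """Authenticates, rate-limits and records events for each request."""

    def __init__(self, store, capacity=5, refill_per_second=1.0):
        self.store = store
        self.capacity = capacity
        self.refill = refill_per_second
        self.buckets = {}
        self.events = []  # (timestamp, key_id, event) for monitoring

    def handle(self, key_id, secret, now):
        """Return an HTTP-style status: 401, 429 or 200."""
        if not self.store.check(key_id, secret):
            self.events.append((now, key_id, "auth_failure"))
            return 401
        bucket = self.buckets.setdefault(key_id, TokenBucket(self.capacity, self.refill))
        if not bucket.allow(now):
            self.events.append((now, key_id, "rate_limited"))
            return 429
        return 200

    def suspicious_keys(self, max_failures):
        """Key IDs with more than max_failures auth failures: likely key guessing."""
        failures = Counter(k for _, k, e in self.events if e == "auth_failure")
        return sorted(k for k, n in failures.items() if n > max_failures)


def demo():
    """Constructed traffic; returns (statuses, keys flagged for repeated failures)."""
    store = ApiKeyStore()
    secret = store.issue("partner-1")
    gw = ApiGateway(store, capacity=2, refill_per_second=1.0)
    statuses = [
        gw.handle("partner-1", "guess1", 0.0),
        gw.handle("partner-1", "guess2", 0.1),
        gw.handle("partner-1", "guess3", 0.2),
        gw.handle("partner-1", secret, 1.0),
        gw.handle("partner-1", secret, 1.0),
        gw.handle("partner-1", secret, 1.0),  # burst of 2 exhausted
        gw.handle("partner-1", secret, 2.0),  # one token refilled after 1 s
        gw.handle("unknown", secret, 2.0),
    ]
    return statuses, gw.suspicious_keys(2)
```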
Conclusion
In this day and age, data is everything. Businesses rely on data to make decisions, large and small. This data is often stored in databases, which can be accessed by applications through an API.
An API can be used to access sensitive data; when you have an API, you are essentially sharing your data with the world. This means that you need to be sure that your data is safe and secure. Otherwise, a malicious actor could gain access to it and use it for nefarious purposes.
Cybersecurity is at the forefront of technological discussion, as information is the nucleus of the technological revolution, and whoever possesses information reigns supreme over the others. This information can be accessed and used against its owner by miscreants who would most likely profit from such actions. Although there are sundry laws that prosecute such miscreants, the age-old saying comes to mind: preventing a threat enabled by a vulnerability in the system is better than mitigating its after-effects. "Prevention is better than cure".
It is imperative to understand the distinction between a cyber-attack and a cybersecurity threat. A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices, whereas a cybersecurity threat is a potential negative action or event, facilitated by a vulnerability, that results in an undesirable impact on a computer system or application.
There are millions of cybersecurity threats that people encounter on a daily basis while going about their day. A Clark School study at the University of Maryland estimated an average of 158,727 attacks per hour, 2,645 attacks per minute, and 44 attacks every second of every day across the globe. In fact, there would have been 189 attacks across the world by the time you read this sentence. These attacks are carried out by exploiting vulnerabilities in the system, and these weaknesses are termed threats. By the end of this article, you will have an introduction to the world of cybersecurity threats, their prevention, and their mitigation.
The following are the main cybersecurity threats faced by individuals and organizations:
Malware- intrusive software that is designed to damage systems it finds itself in.
Phishing- a technique for attempting to acquire sensitive data through fraudulent solicitation.
Password Attacks- refers to any of the various methods used to maliciously authenticate into password-protected accounts.
DDoS- is a category of malicious cyber-attacks that are employed in order to make an online service, network resource, or host machine unavailable to its intended users on the Internet.
Man in the Middle- An attack in which an attacker is positioned between two communicating parties in order to intercept and/or alter data traveling between them.
Drive-by download- Unintentional download of malicious code to your computer or mobile device that leaves one susceptible to a cyberattack.
Malvertising- attack in which perpetrators inject malicious code into legitimate online advertising networks.
Rogue Software- is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that installs malware on their computer.
Malware
Malware is an all-encompassing term for a variety of cyber-attacks including Trojans, viruses, and worms. Malware is simply defined as code with malicious intent that steals data or destroys something on the system it is hosted on. The purpose of malware is to intrude on a machine for a variety of reasons. From the theft of financial details to sensitive corporate or personal information, malware is best avoided, for even if it has no malicious purpose at present, it could well have one at some point in the future. Popular propagation methods are downloading infected files as email attachments, from websites, or through file-sharing activities; exploitation of OS vulnerabilities; and clicking on links to malicious websites in emails, messaging apps, or social network posts.
Prevention
Use secure authentication methods
Use administrative accounts only when necessary
Update software consistently
Adopt and enforce the principle of least privilege: grant users in your organization the minimum access to system capabilities, services, and data they need to complete their work.
Implement email security and spam protection
Mitigation
Steps for mitigation of malware once a system is affected, as stated by ncsc.gov.uk:
Immediately disconnect the infected computers, laptops, or tablets from all network connections, whether wired, wireless, or mobile phone-based.
In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
Reset credentials including passwords (especially for administrator and other system accounts) - but verify that you are not locking yourself out of systems that are needed for recovery.
Safely wipe the infected devices and reinstall the OS.
Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you're connecting it to are clean.
Connect devices to a clean network in order to download, install and update the OS and all other software.
Install, update, and run antivirus software.
Reconnect to your network.
Monitor network traffic and run antivirus scans to identify if any infection remains.
Phishing
Phishing is when attackers send malicious emails, communications, or messages designed to trick people into falling for a scam. Typically, the intent is to get users to reveal financial information, system credentials, or other sensitive data.
Types of phishing attacks:
Spear Phishing -A Spear Phishing attack occurs when a phishing attempt is crafted to trick a specific person rather than a group of people. The attackers either already know some information about the target, or they aim to gather that information to advance their objectives.
Whaling- Whaling is targeted to specific individuals such as business executives, celebrities, and high-net-worth individuals.
Smishing- Phishing is done by dint of SMS messages.
Vishing – Phishing is done by dint of phone calls and verbal solicitation under falsified pretenses.
Prevention
Regular Security Awareness & Phishing Training
Internal Phishing Campaigns and Phishing Simulations
Using anti-phishing software
Follow safe Internet practices and protocols and exercise general caution
Password Attack
A password attack refers to any of the various methods used to maliciously authenticate into password-protected accounts. These attacks are typically facilitated through the use of software that expedites cracking or guessing passwords.
There are three common methods employed to attack passwords:
Brute force attacks- A script or computer program systematically tries a very large number of possible password combinations, prioritised by trends and any known information about the target.
Dictionary attacks- A script cycles through combinations of common words used in passwords; the most likely combinations are preferred here, unlike brute force attacks, where a large repository of combinations is tried.
Key logger attacks- Malware installed on the system records all of the user's keystrokes, so that passwords and login IDs are captured and stored.
Prevention
Updating passwords according to the latest password policies.
Using Alpha-numeric characters, and using security questions.
Using multi-factor authentication for logins.
DDoS- Distributed Denial of Service
A DDoS attack, also known as a "Distributed Denial-of-Service (DDoS) attack," is a type of cybercrime where the perpetrator overwhelms a server with internet traffic in an effort to prevent users from accessing linked websites and online services. This attack primarily focuses on disrupting the service of a network, and usually involves sending a high volume of data through the network until it gets overloaded and no longer functions.
Prevention
Keep up with regular software updates, online security monitoring, and data flow monitoring, to monitor unusual traffic.
DoS attacks can also be perpetrated by simply cutting a cable or dislodging a plug that connects your website to the internet, hence physical monitoring is encouraged as well.
Man in the Middle
An attack in which an attacker is positioned between two communicating parties in order to intercept and/or alter data traveling between them. One major occurrence of Man in the Middle attacks is active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Methods involved in man-in-the-middle attacks:
Attack on encryption: Bypassing SSL/TLS protocols between client and server.
HTTPS Spoofing: Creating fake HTTPS by spoofing the address of a legitimate website
SSL Hijacking: Hijacking a user’s legitimate session and feigning to be the user
SSL Stripping: Involves reducing the security of a website’s connection so as to access client and server communication
Interception: The communication protocol layers are used to intercept the conversation between two nodes on the internet.
IP spoofing: When a cybercriminal spoofs the IP headers of the TCP packets transferred between two devices that trust each other, they can redirect the traffic to their chosen location.
ARP Spoofing: ARP spoofing allows an attacker to send a phony address resolution protocol (ARP) message via a local area network (LAN) to deceive the server into trusting it, ultimately misdirecting all the traffic to their device.
Automatic Proxy Discovery Attack: A web proxy is established in enterprises where security is a primary concern. All the web traffic passes through the proxy server after a thorough inspection of all the application layers for possible threats. WPAD (web proxy auto-discovery) is a protocol designed to assist clients in discovering the proxy automatically.
DNS Spoofing: Replacing a legitimate IP address in a DNS server’s records. By doing this, the attacker can misdirect site visitors’ clients to a fake website instead of the real one.
BGP Misdirection: BGP misdirection is an attack where a cybercriminal redirects internet traffic to a malicious route by spoofing the IP prefixes.
Prevention
Use of VPN
Use only secure connections
Opt for endpoint security
Multi-factor authentication
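Detection logic for the ARP spoofing method listed above, run over constructed ARP replies, as an added example that is not from the original article. It assumes a monitor that sees ARP replies on the LAN and knows the gateway's binding; a MAC claiming several addresses is flagged as a heuristic, so the threshold is configurable for routers that legitimately answer for many IPs.

```python
"""Flag ARP-spoofing symptoms in a stream of observed ARP replies.

Added example, not from the original article, written from the monitoring
side. It keeps the first learned IP-to-MAC binding (plus any static ones,
e.g. the gateway), alerts when an IP is later claimed by a different MAC,
and alerts when one MAC claims more than `max_ips_per_mac` addresses, the
two classic signs of the phony ARP messages described above. The replies
are constructed sample data.
"""
from collections import defaultdict


class ArpMonitor:
    def __init__(self, static_bindings=None, max_ips_per_mac=1):
        # Trusted bindings are never overwritten by learned traffic.
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.claims = defaultdict(set)          # mac -> set of IPs it has claimed
        self.max_ips_per_mac = max_ips_per_mac  # raise for routers doing proxy ARP
        self.flagged_macs = set()
        self.alerts = []

    def observe(self, reply):
        """Process one ARP reply; returns False if the binding was rejected."""
        ip, mac, ts = reply["sender_ip"], reply["sender_mac"].lower(), reply["ts"]
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > self.max_ips_per_mac and mac not in self.flagged_macs:
            self.flagged_macs.add(mac)  # alert once per offending MAC
            self.alerts.append({"ts": ts, "type": "mac_claims_multiple_ips",
                                "mac": mac, "ips": sorted(self.claims[mac])})
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            self.alerts.append({"ts": ts, "type": "ip_mac_change",
                                "ip": ip, "expected": known, "seen": mac})
            return False  # keep the original binding; do not accept the change
        self.ip_to_mac[ip] = mac
        return True


# Constructed ARP replies: gateway 10.0.0.1 is a static binding, host .5 is
# learned, then a third MAC (...:99) claims both addresses.
SAMPLE_REPLIES = [
    {"ts": 1, "sender_ip": "10.0.0.1", "sender_mac": "aa:bb:cc:00:00:01"},
    {"ts": 2, "sender_ip": "10.0.0.5", "sender_mac": "AA:BB:CC:00:00:05"},
    {"ts": 3, "sender_ip": "10.0.0.1", "sender_mac": "aa:bb:cc:00:00:99"},
    {"ts": 4, "sender_ip": "10.0.0.5", "sender_mac": "aa:bb:cc:00:00:99"},
    {"ts": 5, "sender_ip": "10.0.0.5", "sender_mac": "aa:bb:cc:00:00:05"},
]


def run_monitor(replies, static_bindings=None):
    """Feed replies through a fresh monitor; returns (alerts, accepted flags)."""
    mon = ArpMonitor(static_bindings)
    accepted = [mon.observe(r) for r in replies]
    return mon.alerts, accepted
```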
Drive-By Download
A drive-by download is when malicious code is unintentionally downloaded into a computer or mobile device, exposing users to various hazards. The malicious code is designed to download malicious files onto the victim’s PC without the user being aware that anything untoward has happened. A drive-by download abuses insecure, vulnerable, or outdated apps, browsers, or even operating systems.
Prevention
Website owners can prevent drive-by downloads by doing the following:
Keep all website components up to date. This includes any themes, addons, plugins, or any other infrastructure. Each update likely has new security fixes to keep hackers out.
Remove any outdated or unsupported components of your website. Without regular security patches, old software is perfect for frauds to study and exploit.
Use strong passwords and usernames for your admin accounts. Brute force attacks give hackers an almost instant break-in for default passwords or weak ones like “password1234.” Use a password generator alongside a password manager to stay safe.
Install protective web security software on your site. Monitoring software will help keep watch for any malicious changes to your site’s backend code.
Consider how your advertisement use might affect users. Advertisements are a popular vector for drive-by downloads. Be sure your users aren’t getting recommended suspect advertisements.
Endpoint users can prevent drive-by downloads by doing the following:
Only use your computer’s admin account for program installations. Admin privileges are necessary for drive-by downloads to install without your consent. Since this setting comes default on your main account, use a secondary non-admin account for daily use.
Keep your web browser and operating system up to date. New patches help seal gaps in their defenses where drive-by-download code could burrow in. Do not wait or delay — install these updates as soon as they release.
Be wary of keeping too many unnecessary programs and apps. The more plug-ins you have on your device, the more susceptible you are to infection. Only keep the software you trust and use often. Also, remove any older apps that no longer receive updates.
Use an internet security software solution on all your devices. Products like Kaspersky Security Cloud automatically keep your malware definitions up-to-date to spot the latest threats. They also can scan websites proactively to block known compromised sites.
Always avoid websites that may contain malicious code. Sites that offer file-sharing or mature content are common points of infection. Only visit mainstream sites you normally use or at least well-established sites to improve your chances of staying clean.
Carefully read and examine security popups on the web before clicking. Scammers use deceptive popup ads on desktop and mobile browsers that look like legitimate alerts. To avoid being linked to an attack site, watch for typos, odd grammar, and grainy images.
Use an ad-blocker. Drive-by download attacks often use online ads to upload infections. Using an ad blocker can help reduce your exposure to this type of attack.
Malvertising
Malvertising, often known as malicious advertising, is a relatively recent cyberattack method that involves embedding malicious code in online advertisements. These infected ads are typically delivered to customers through reliable advertising networks, making them difficult for both internet users and publishers to detect.
In a malvertising attack, harmful code is injected into networks of trustworthy internet advertising. Users are often redirected to fraudulent websites using the code.
Malvertising is typically confused with ad malware or adware—another form of malware affecting online advertisements.
Malvertising involves malicious code which is initially deployed on a publisher’s web page. Adware, however, is only used to target individual users.
Malvertising only affects users viewing an infected webpage. Adware, once installed, operates continuously on a user’s computer.
Prevention
How can end-users help mitigate malvertising?
Antivirus software can protect against some drive-by downloads or malicious code executed by malvertising.
Ad blockers offer good protection against malvertising, because they block all ads, together with their malicious elements.
Avoiding the use of Flash and Java can protect users from many vulnerabilities that are commonly exploited by malvertising.
Updating browsers and plugins can prevent many malvertising attacks, in particular those which operate before the user clicks the ad.
How can publishers help mitigate malvertising?
Carefully vet ad networks and inquire about ad delivery paths and security practices.
Scan ad creative intended for display to discover malware or unwanted code.
If possible, enforce a policy of only showing specific file types in an ad frame (JPG, PNG, etc) without allowing JavaScript or other code.
Web application firewalls can help protect against some malvertising threats by using signature, behavioural, and reputation analysis to block malicious code execution or requests arriving from non-trusted sources along the ad delivery chain.
Rogue Software
Rogue security software is a type of malicious software and online fraud that tricks consumers into thinking their computer has a virus and tries to persuade them to pay for a phony malware removal program that in fact installs malware on their computer. Mobile applications known as "rogue apps" are created to spoof well-known businesses in order to obtain illegal access to data that may be used to carry out fraudulent operations.
Prevention
Practice online skepticism. Be aware that rogue security software does exist on the Web, and be vigilant about avoiding it. These programs are designed to appear genuine – meaning they may mimic legitimate programs, use false awards and reviews to rope you in, or employ other deceptive tactics. It’s also a good idea to familiarize yourself with common phishing scams and to be cautious of links in e-mail messages and on social networking sites.
The banking sector is at the heart of the Indian economy, contributing more than 40% of GDP, and lending or credit is what fuels it, contributing more than 60% of GDP. Digital lending is the new buzzword in banking, and people use it to mean different things. So let us understand what RBI has mandated in its guidelines on Digital Lending.
What is Digital Lending?
Before we understand what digital lending is, let us understand what lending is. Simply put, lending is when a lender provides funds to someone who wants to borrow it (usually at a fixed interest rate) and the borrower agrees to pay back the borrowed amount with interest. It's essentially trading future income for current access to money.
Banks are in the business of collecting our deposits and lending them to those who want to borrow. However, there are many who find it difficult to access loans from banks for various reasons. Maybe they don't have an established credit history, maybe they don't live in regions where the bank operates, or the bank deems the interest too high to provide a loan, etc. So, there is a gap that banks cannot reach and as a result, many digital lending platforms have emerged to serve this segment.
What does the Reserve Bank of India (RBI) think of these digital lending platforms? That's an important question for a startup. Any guidance from RBI on matters such as these is valuable since we will have to first understand it and then live with the regulations at the time of scaling the business.
So, let us see what RBI has to say on digital lending in the guidelines on Digital Lending issued on 2nd September 2022.
What does RBI think of digital lending?
The purpose of the guideline ( Number CRDIR/DGL-19/02.01.002) is to inform applicants proposing to set up non-bank digital lending platforms about the criteria the Reserve Bank would use to assess their proposals.
The guideline is interesting as it shows the thinking perspective of RBI to explain its views and concerns. Let us try to summarize the key pointers from the guideline.
The guidelines cover all commercial banks, primary (urban) co-operative banks, state co-operative banks, district central co-operative banks, and non-banking financial companies. Their stated aim is to protect consumers.
Digital lending entities should refrain from accessing and mining the customer's phone address book, SMS, MMS, call log history, installed apps, social-media feeds, bookmarks, etc. The entity should not use personal identifiers such as the Aadhaar number or PAN for its own purposes, and should not even ask for such information or documents.
Borrowers must be told that their data is being stored, whether centrally or locally, for how long, what restrictions apply to its use, whether it is destroyed after a specific period, and what security mechanisms are in place in case of a breach. This information must be available to the borrower at all times, on the website as well as in the app.
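The data-minimisation rule above is something a lender, or a security reviewer of a lending app, can check mechanically: an Android app cannot read contacts, SMS, or call logs without declaring the corresponding permissions in its manifest. The following is an added example, not code from the original page or from RBI; the mapping of Android permissions to the guideline's data categories, the list of permissions that merit a one-time-consent review, and the sample manifest are all this example's own assumptions.

```python
"""Added example: auditing a lending app's Android manifest against the
data categories the digital lending guidelines tell lenders not to mine."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission -> data category named in the guideline. The mapping is this
# example's assumption; the categories come from the guideline text.
PROHIBITED: Dict[str, str] = {
    "android.permission.READ_CONTACTS": "phone address book",
    "android.permission.READ_SMS": "SMS/MMS",
    "android.permission.RECEIVE_SMS": "SMS/MMS",
    "android.permission.READ_CALL_LOG": "call log history",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
    "android.permission.GET_ACCOUNTS": "device accounts",
}

# Permissions a lending app may legitimately need for onboarding/KYC, but only
# with explicit consent for a one-time, specific purpose (assumed list).
REVIEW_REQUIRED = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}


def manifest_permissions(manifest_xml: str) -> List[str]:
    """Extract every <uses-permission android:name=...> from the manifest."""
    root = ET.fromstring(manifest_xml)
    names: List[str] = []
    for element in root.iter("uses-permission"):
        name = element.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def audit_manifest(manifest_xml: str) -> Dict[str, List]:
    """Return the permissions that violate the data-minimisation rule, and the
    ones that need a documented, purpose-bound consent flow."""
    perms = manifest_permissions(manifest_xml)
    violations: List[Tuple[str, str]] = [(p, PROHIBITED[p]) for p in perms if p in PROHIBITED]
    consent_review = [p for p in perms if p in REVIEW_REQUIRED]
    return {"violations": violations, "consent_review": consent_review}


# Constructed manifest for a hypothetical lending app (not a real product).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <application android:label="QuickLoan"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm, category in report["violations"]:
        print(f"VIOLATION  {perm}  (mines {category})")
    for perm in report["consent_review"]:
        print(f"REVIEW     {perm}  (one-time, purpose-bound consent required)")
```

A manifest check catches the declared permissions only; runtime behaviour (an SDK reading the contact list through a granted permission, or uploading it) still needs dynamic analysis or a review of the app's network traffic, but the manifest is the cheapest first gate and a failure here is conclusive.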
Key Fact Statements (KFS) for digital lending products are standardized. The borrower must be told the all-in origination cost of the loan, and any interest or charges levied on the borrower, including amounts deducted from the funds disbursed, must be clearly disclosed in the KFS, on an annualized basis.
Any fees payable to a lending service provider must be paid by the regulated entity in full; they cannot be charged to the loan applicant.
The Key Fact Statement will contain details of all elements of the loan, such as the annual percentage rate, the recovery mechanism, details of the grievance redressal officer, and the cooling-off/look-up period. The cooling-off/look-up period is the window after disbursement during which the borrower may exit the loan by repaying the principal and the proportionate APR, without penalty.
Only the charges mentioned in the Key Fact Statement, which forms part of the offer document, may be charged to you.
Borrowers along with their transaction details, loan contracts, account statements, policies, etc. shall receive the information pertaining to their loans through electronic mail/SMS on the successful execution of their transactions.
Banks and NBFCs must publish the list of digital lending service providers they engage on their respective websites.
Details of the nodal Grievance Redressal Officer (GRO) should be displayed prominently on the websites of the bank or NBFC and of the lending service provider, in the lending app, and in the Key Fact Statement.
If the borrower is unhappy with the resolution offered by the lender, he or she can escalate the complaint to the external and independent ombudsman under the Reserve Bank - Integrated Ombudsman Scheme (RB-IOS), through RBI's Complaint Management System (CMS). For NBFCs that are not covered by RBI's regulatory purview, complaints may be lodged as per the guidelines prescribed for them.
Now that we are well into the digital age, it has become essential for banks and NBFCs to understand the economic profile of their customers before extending any loans with a robust and comprehensive set of data in place.
Credit limits shall not be increased automatically; any increase requires the borrower's explicit consent, recorded and documented.
During the cooling-off/look-up period, the borrower shall be given an explicit option to exit the digital loan by paying the principal and the proportionate APR without any penalty. The period is set by the lender's board, but must be at least three days for loans with a tenor of seven days or more, and at least one day for loans with a tenor of less than seven days.
The borrower shall be provided with options for giving or denying their consent to a specific use, limiting the disclosure to third parties, retaining personal data, and requesting deletion when the data is no longer needed.
Explicit consent will be taken before sharing any personal information with any third party, with exceptions as stipulated by law.
Banks and NBFCs must ensure that all lending done through their digital lending apps, or through the apps of their lending service providers, is reported to credit information companies (such as CIBIL), irrespective of the nature of the credit facility or its tenor.
Any credit extended by a bank, NBFC, or lending service provider at a merchant over a digital channel must likewise be reported to credit information companies. A borrower who finds a discrepancy in their report can raise it with the credit information company.
Regulated entities shall ensure that all repayments and collections on the loan are made by the borrower directly into the regulated entity's bank account, without passing through any pool account of the lending service provider, or through another mechanism the RBI permits.
All disbursements shall be made directly into the bank account of the borrower, except for disbursals covered exclusively under a statutory or regulatory mandate (of RBI or any other regulator), the flow of money between regulated entities for co-lending transactions, and disbursals for a specific end use where the borrower cannot withdraw the funds, provided the loan is disbursed directly into the bank account of the end beneficiary and repayment comes from the borrower's own account.
Regulated entities shall never disburse a loan into a third-party account. To verify that the destination account belongs to the borrower, they may use the account and card validation services offered by third-party providers.
On June 20th, RBI issued a direction disallowing non-banking Prepaid Payment Instruments (PPI) from loading credit lines on the PPI. This bans PPI wallets from being loaded with credit lines/credit cards.
What is BNPL?
BNPL is short-term financing that lets consumers buy products on credit and pay for them later. Isn't that what credit cards are for as well? The concept is similar: the consumer makes a purchase against a credit line and settles it later, quite literally "Buy Now, Pay Later". The BNPL market grew a massive 539% in 2020 and 637% in 2021.
BNPL vs Credit Card
Credit cards are given to individuals with a minimum income of roughly INR 1-3 lakh per annum. Eligibility is based on multiple parameters: age, salary (ability to repay), type of employment, and credit score. RBI has specific directions for the issuance and operation of credit cards.
There have been few instruments for instant loans without an elaborate process. This is where BNPL comes in. Unlike credit card issuers, BNPL providers do not require a credit score or other stringent checks before onboarding, which makes credit more accessible. Only cursory checks are done on the customer's spending pattern; the product taps the customer's appetite for immediate spending.
Another difference is that credit cards typically carry a joining and/or annual fee, while BNPL products do not levy such charges or hidden charges. That is fine as long as consumers pay on time; if they don't, the issuer charges a late fee. BNPL is also fast and easy to set up: approvals are almost instant and repayment can be made in EMIs.
In the past month, 15 lakh credit cards were issued while 20 lakh BNPL accounts were opened. This jump in the BNPL market has made traditional credit card issuers jittery. The credit card market is currently dominated by the major banks.
What’s RBI saying and how is it impacting BNPLs?
While all seemed a fairy tale and a bed of roses for consumers and BNPL entities, with heavy investment flowing into the market, the Reserve Bank of India (RBI) threw a bombshell that has put BNPL entities on the back foot. The RBI notification restricts non-bank Prepaid Payment Instruments (PPIs) from being loaded with credit lines, which bans PPI wallets from being loaded with credit lines or credit cards financed by NBFCs.
So why does this development impact BNPL companies?
Most popular BNPL players lend through a partner bank's or NBFC's licence and hold, or partner with, a PPI licence. The credit line was loaded onto the PPI wallet, which is not in line with RBI's PPI directions.
RBI's main concern is the lack of clear guidelines and regulation around BNPL; its primary focus has always been the protection of consumers. While consumers seem to enjoy the product, BNPL as a business does not look viable unless it is properly regulated, over and above the credit card market.
Contrary to the concerns some have raised about RBI's stand, the regulator did mention BNPL in its "Payment Vision 2025", released in June 2022. As per the vision document, BNPL should be:
Economically viable,
Socially useful, and
Regulated, and the processes around BNPL should be examined.
The Current Market: Its Ups and Downs
What’s driving BNPL?
Increased consumer spending is something the nation as a whole encourages, and BNPL enables it by letting consumers buy upfront and pay later with no-cost EMIs.
Merchants are benefiting the most as there’s a drastic increase in order values. BNPL companies directly pay merchants a part of the order value.
Instant access to credit.
The repayment tenure can be chosen by the customer.
Ease of onboarding and use.
Quite a positive right?
But here's the catch! BNPL is risky lending, and there has been a rising trend of defaults, with delinquencies of about 18-19%. One main reason for this trend is the provisioning of BNPL cards to Millennials and Gen Z, many of whom are unemployed, studying, or employed but without the ability to repay (as per stats from the US BNPL market). This creates a debt trap, as consumers tend to pay back existing loans with further credit lines while expenses continue to pile up. India is a savings-based economy, unlike countries such as the USA, which is credit-based.
Beyond that, the downsides of BNPL are:
Increase in buying that you don’t need, with money you don’t have.
42% of consumers have made a late payment in the last 1-3 years.
People don’t realize that they are getting into debt traps.
The impact on credit score for issuance and repayments is a grey area. The question that arises is whether credit lines are extended to risky or ineligible consumers.
Currently, BNPL cards are given to consumers who may not be eligible for a credit card which could result in the company extending the services to potential defaulters who may not be able to make the payment on time or who have a history of defaults.
Consumer protection for repayment is not regulated.
The business model is quite ambiguous for BNPL players. Also, as mentioned above, there isn’t a mechanism in place currently to link BNPL defaults to the credit score. Above this, BNPLs adopting AML and Fraud Risk mechanisms within their system is not transparent.
BNPL Stats across the Globe
BNPL has seen a 39% growth across the globe.
It is predicted that 3% of e-commerce revenue will come through BNPL by 2023.
According to The Electronic Transaction Association, the BNPL market has a 30% penetration for Gen Z and Millennials in 2021, rising to 40% by 2025. While only 6% of Baby Boomers chose BNPL in 2021. By 2025 that is expected to increase to 15% for the older generation (YPPs, 2021).
More than half (57%) of people say they regretted making a purchase through BNPL because the item was too expensive.
31% of buy now, pay later users have made a late payment or incurred a late fee. Over one-third (36%) of BNPL users say they are at least somewhat likely to make a late payment within the next year.
Recently, OpenPay, a BNPL company in Australia paused operations in the USA due to defaults and rising interest rates. Klarna, another fintech in BNPL has lost its valuation from $45 Billion to $6.5 Billion in the last round of funding and another Australian BNPL firm has lost its valuation to $300 Million from $9 Billion.
Conclusion:
Fintechs and BNPLs shouldn't worry yet; it is a wait-and-watch game with RBI. The expectation in the market is that the central bank will issue new guidelines for the BNPL segment that will not only regulate the sector but reshape it altogether, with a focus on consumer protection, risk management, and overall security.
The Indian Fintech and BNPL spaces are nascent and not very mature. The regulator has put in some basic controls at this point in time to ensure that the consumer is not affected by a debt trap, at the same time realizing that for having a spending economy, these kinds of instruments are necessary. The balance may tilt from one side to another every now and then, but at this point, we are poised for some more interesting creative fintech instruments coming in with the regulator constantly on the catching-up game.
The cyber security threat landscape is rapidly evolving. Increasingly sophisticated attacks, multiple threat actors, strict regulations on security and privacy, and new-age trends on BYOD, remote working and growing adoption of cloud, and digital transformation initiatives are just some of the varied challenges that Information Security teams face. And the lack of adequate skilled resources compounds these challenges to manage various security responsibilities.
As news comes in every week of more cyber-attacks, Chief Information Security Officers (CISOs) are searching for solutions and measures to improve their organization's cyber security posture. Often, solution providers pitch various solutions and technologies to solve these challenges, and Information Security teams are assured that these solutions, with built-in next-gen features, can flag attempts to disrupt business, prevent attacks, and minimize impact.
Data Leakage issues? Data Leakage Prevention is the solution you must look at.
Endpoint issues? Endpoint Detection and Response is a must-have.
DDoS attacks? DDoS mitigation solutions are available.
Access Control and Privileged Access issues? IAM and PIM solutions should be implemented.
But multiple studies and industry surveys over the years have shown that procuring and implementing a solution does not mitigate the threat on its own. Often these implementations face challenges like high costs, lack of skilled resources to manage the solutions, poor or inadequate configuration of policies, absence of integration with other solutions, insufficient supporting workflows, and processes, and so on.
So, if just buying a solution and implementing is not enough, where does one start? The answer is Security Architecture Review — an activity that can help organizations understand their security threats and identify which solutions can mitigate these risks. The complex nature of the IT infrastructure of organizations today means that a thorough review is needed to identify the critical security risks and the solutions to address them.
Security Architecture Review is a holistic review of security that covers networks, Data, Applications, Endpoint, Cloud, etc. It identifies gaps in your Architecture, Policies, and Controls that may put your critical assets at risk from attackers.
So, what does a Security Architecture Review involve?
Study the organization’s Business, IT, and Security
Security Architecture Review begins with a study of the Business and IT environment of an organization and the key security and privacy requirements that are mandated by clients and regulations like GDPR, CCPA, PCI DSS, etc. Organizations wanting to adopt best practices can look at information security and data privacy standards and frameworks like NIST 800-53, ISO 27001, CSA STAR, etc.
Identifying security and privacy risks is the next critical step as Information Security teams need to know what assets, applications, and processes need stringent controls and monitoring.
Assess the current Security Architecture
The next step is to study the existing architecture for network and security, understand cloud adoption, study existing solutions for security for design and implementation effectiveness, and identify gaps. We also recommend assessing the configuration of key solutions to understand the implementation effectiveness and identify any gaps.
Understand gaps across Security Domains
After studying architecture, it is important to assess the current solutions implemented and their design effectiveness as per the security domains such as Access, Patch, Monitoring, etc. This helps in identifying the solutions that address various security and privacy risks.
Build the Future State
After identifying the gaps, it is important to identify the right solutions to mitigate the gaps and address critical risks. Again, the solutions must address a few key criteria–risk mitigation, compliance management, integration with other solutions and interoperability, monitoring capabilities, and the ability to provide detailed reports as per organizational policies.
While identifying solutions, one must also consider the state of the infrastructure–On-prem, cloud or hybrid. One must also look at security components that are provided by Cloud Service Providers.
The end-state architecture must comprise solutions that offer protection from critical risks, integrate with other solutions deployed to provide relevant alerts and minimize the impact of any attack. Finally, one must also fortify the Information Security team with Subject Matter Experts (SMEs) who will manage the solutions.
Benefits and Outcomes of Security Architecture Review
Baseline Information Security Posture
Future state definition for Security Architecture
Adherence to Compliance Requirements
Cyber Advisory on security controls required for emerging technology via cloud/cloud migration
Conclusion
No matter how secure your organization's cyber defences may be, a Security Architecture Review (SAR) can identify weaknesses and recommend countermeasures. The process begins with an assessment of your current security state, followed by the development of a roadmap for improvement.
A SAR is especially important in the current environment, where cloud security services are becoming more popular. By definition, the cloud is a distributed system that spans multiple data centers and devices. This makes it more difficult to secure and increases the risk of data breaches.
Fifteen years ago, cloud infrastructure was a new and untested concept. Today it is the dominant form of data storage and computing services. With this shift, cybercriminals have also found ways to make their attacks more effective for smaller organizations. To prepare for the coming year, we have compiled 5 benefits of cloud infrastructure security in 2022.
Top 5 Benefits of Cloud Infrastructure Security 2022
Comprehensive Security for All Devices
It is important for all internet-connected devices to be secured by the most advanced cybersecurity solutions. The rise in smart home IoT devices has created more potential points of vulnerability. The cloud moves data from a centralized data center to a decentralized storage service, which is considered a key differentiator when it comes to network security. Cloud infrastructure security providers must be able to protect not only corporate networks but individual users as well, with a focus on privacy and control.
Easier to Scale
Companies are realizing the benefits of cloud infrastructure. They are quicker to scale, cheaper to maintain, and more flexible. Many organizations are considering adoption due to these reasons. One thing to keep in mind is that all companies face new security threats as they move their operations into the cloud. If you don't already have a robust cybersecurity strategy in place, now's the time to make sure you're covered before jumping ship.
Cost-Efficient
Cloud infrastructure security may be the best option in 2022 for companies looking to cut costs while improving their existing security measures. Public cloud computing has become an increasingly popular alternative to on-premises private cloud deployments, offering lower upfront costs, elastic scalability, and the ability to scale up and down as needed.
Improved Disaster Recovery Processes
Disaster recovery processes have improved dramatically in recent years with the advent of cloud infrastructure security services. These services are cost-effective for businesses that are looking to grow, improve their customer retention rates, or want to reduce their capital expenses. These services affect all levels of the cloud infrastructure from firewalls and network security to data storage and encryption. In particular, the availability and affordability of cloud infrastructure security services have allowed companies to focus on their core business.
Increased Innovation and Collaboration
Economic growth has seen many benefits since the introduction of cloud infrastructure. One of the most prominent advantages is that it has helped to create jobs in the technology sector, which in turn has created more competition in an industry with high barriers to entry. Cloud data storage has allowed organizations to save money on hardware and operating expenses, while also allowing them to access their information anywhere they need it.
Conclusion
Cloud infrastructure security is a complex and diverse field. The number of IT professionals who specialize in cloud infrastructure security is growing at an exponential rate, but the demand for qualified talent outpaces supply. It's important for organizations to make sure they have a comprehensive understanding of what cloud infrastructure security entails and how it can add value to their company.
Cloud security services are very important for businesses that want to keep their data safe. There are many cloud security companies in Bangalore that can help you with this. Cloud computing allows you to store your data in the cloud and access it from anywhere. This is very convenient, but it also comes with some risks. It’s important to make sure that you choose a reputable cloud security company that will keep your data safe.
Executive leaders and board members are ultimately responsible for the long-term security of their organization and for mitigating its cyber risks. As board members realize how critical security and risk management is, they ask leaders more nuanced and complex questions. Interest in security and risk management (SRM) is at an all-time high at board level: in Gartner's 2019 security and risk survey, four out of five respondents said that security risk influences decisions at board level.
The Gartner research helps security and risk management leaders analyze five categories of questions that should be prepared to answer at any executive or board-level meetings. Here are those questions.
The Trade-Off Question
The Landscape Question
The Risk Question
The Performance Question
The Incident Question
Decipher Complex Board Questions
Let’s discuss each of these in detail.
The Trade-Off Question - Are we 100% Secure?
The trade-off question is the one security and risk management leaders struggle with most. The question "Are we secure?" is generally asked by board members who are not yet educated about the impact of security risk on the business, and it needs reframing: it is impossible to prevent 100% of incidents. The CISO's responsibility is to help identify and evaluate the potential risks to the organization and allocate resources to manage them.
According to Gartner's report, a security and risk management leader in response to this question might say,
"It is impossible to remove all sources of information risk considering the evolving nature of the cyber threat landscape. My responsibility is to work with other aspects of the business to execute controls for managing security risks that can prevent us from improving operational efficiency and brand image. There is no such thing as 'perfect protection' in security. We have to reassess continually how much risk is appropriate as the business grows. We aim to develop a sustainable program to balance the requirements to protect against the needs to run a business."
The Landscape Question - How bad is it out there?
Most board members want to know how their security compares with peer organizations. They read threat reports and blogs, listen to broadcasts, and are sometimes required by regulation to understand such things. Gartner recognizes the need to discuss this landscape. Leaders should avoid quantifying risk, or attaching a budget figure to mitigation, on the basis of something external. Benchmarks give material for conversation, but they should be a minor factor in the decision-making process.
Here are some responses that security and risk management leaders can give while discussing the wider security landscape.
External event: Our primary competitor experienced a public, successful attack.
Response: We have a similar vulnerability that could facilitate the attack, and we are addressing that weakness. Enhanced monitoring has been implemented.
External event: There is an increased number of attacks against the electricity grid in three of our national presence points.
Response: We don't expect to become a direct target. Business continuity plans are being tested and updated to cope with a prolonged outage.
External event: We fall under the scope of the new EU General Data Protection Regulation.
Response: We have conservative and cautious privacy practices in place.
The Risk Question - Do we know what our risks are?
A risk outside tolerance needs a treatment to bring it within tolerance. This does not usually require dramatic changes in a short time, so beware of overreacting. The Gartner report presents a way to defend a risk management decision, which you can adapt to your organization's risk tolerance.
One of the most common issues noted in the report is that evaluations are subjective and rest on flawed methodology. Security leaders must have evidence to support their evaluation, even when they are not called on to present it. Another question is whether to depict the typical outcome or the worst one. Most incidents have mild outcomes that are within most companies' ability to absorb; however, the infrequent incident can have a catastrophic outcome.
The Performance Question - Are we appropriately allocating resources?
Security is always a moving target. The security team needs to demonstrate how it keeps the organization safe. It is particularly important to show whether resources are allocated appropriately and where the money is spent. The original strategy proposal should have margins for error on deadline and budget; as long as overruns stay within these margins, they should be uncontroversial.
There may be valid reasons even if the overruns are outside the margins. The balanced scorecard approach is a way to understand how security contributes to business performance. In this approach, the top layer defines the business aspiration, and organization performance against those aspirations is expressed using a traffic light mechanism. However, it's not the only way. Some organizations have different types of dashboards to discuss business performance.
The Incident Question - How did this happen?
An incident is unavoidable, and explaining it well can turn it into an opportunity. Security and risk management leaders should be aware that in some scenarios incident details may be tightly controlled (for example, because of sensitivities associated with the incident). A fact-based approach that explains what you know eliminates the mystery and gives confidence that you have the incident under control. Acknowledge the incident, give details of the business impact, outline the flaws or gaps that need to be worked on, and offer a mitigation plan.
Decipher Complex Board Question
There are usually no deterministic answers to the board question, and responses are generally more about showing options for sponsorship instead of a definitive course of action. The options can vary based on the context of the discussion, the maturity of the board, the communication skills of the SRM leader, and the frequency of reporting. However, understanding and answering board questions require everyone to understand their roles. Therefore, the SRM leader should know that the board is interested in facilitating the business goal. Any query that may seem immature, ignorant, or complicated has a purpose behind it.
Wish you all a very happy 2021 and be a year filled with success, good health, and happiness to you and all your loved ones. With the year 2020 and the pandemic overwhelming us, we must be conscious of the increase in cyber security threats that are looming in front of us. Here are a few thoughts and considerations for the unenviable role of the CISO for a great start to 2021!
Make the management part of your problem
Senior management does not know the technicalities of how a breach occurs, nor do they need to. However, they should be clearly aware of the risks. Ensure that senior management and the board are fully up to date on all risks. Increase the frequency of meetings and give a crisp update on open risks and how you are working to mitigate them, with clear timelines and dependencies. Flag costs and budget overruns ahead of time. Bring in business-friendly, business-relevant cyber security metrics and report them periodically. This way management is more forthcoming with the necessary authority and helps prioritize your initiatives.
Get the Appropriate Budget
Various models exist for defining and allocating the budget: a percentage of IT spend, a percentage of the cost of a breach, a percentage of year-on-year business growth. Each has its benefits and pitfalls, but whichever you use, the budget should be commensurate with your risk appetite. Continuing from the point above, having management on board with your cyber security initiatives goes a long way toward ensuring that an appropriate budget is allocated. Let us be clear about one thing: the world expects 'more' with 'less'.
Clearly Identify your Security Partners
Cyber security is one of the fields where the gap between the skills available and what the market needs is widening fastest. With cyber security products and services growing at a CAGR of around 17%, this gap can quickly become the CISO's nightmare. Relying on experts to do the job is essential, and the practical way to do that is to engage the right ecosystem partners. Security technology, security governance, and security operations are niche areas; picking the right partner in each ensures they stay with you, provide the much-needed assurance, and bring the right skills to your problems. Remember, you are not required to boil the ocean.
Evolve Your Security to Protect Your Remote Infrastructure
Secure your remote workforce by proactively protecting against zero-day malware and phishing, and address both the human and the technological factors that lead people to fall victim to phishing attacks. In response to the coronavirus pandemic, Gartner analysts observed a more than 400% increase in client inquiries related to remote access technologies in March, April, and May 2020 compared with the previous three months. A Gartner survey from the same period also found that 41% of employees are likely to continue working remotely after the pandemic.
Continuous Monitoring for all Critical Assets
It is commonly reported that around 90% of breaches of cloud-based infrastructure are due to configuration-related issues. Periodic assessment (once a year, once a quarter) is not sufficient in today's scenario; the new buzzword is continuous monitoring. Continuous monitoring of critical assets enables rapid detection of security risks and configuration changes within the IT infrastructure that could lead to compliance violations. It gives you a real-time view of changes to the infrastructure, and combined with a good threat intelligence feed it lets you respond to zero-day attacks far more robustly than a point-in-time assessment can.
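To make the continuous-monitoring idea concrete, here is an added example (not code from the original post or from CyRAACS) of the two checks such a process runs on every collection cycle: detecting drift from an approved baseline, and evaluating the current inventory against a small policy set. The asset names, fields, and policies are hypothetical, and the two snapshots are constructed sample data standing in for what a collector would pull from a cloud API; in the constructed "current" snapshot SSH has been opened to the internet, a log bucket has been made public, and an unencrypted bucket has appeared outside change control.

```python
"""Continuous configuration monitoring: baseline drift plus policy evaluation.

Added example with constructed data; asset names, fields and policies are
hypothetical and not taken from any real environment or product.
"""
from typing import Any, Dict, List

ADMIN_PORTS = {22, 3389}   # SSH and RDP should never be open to the world
ANY_CIDR = "0.0.0.0/0"

# Constructed sample: the last approved (baseline) snapshot of critical assets.
BASELINE: Dict[str, Dict[str, Any]] = {
    "sg-web": {"type": "security_group",
               "rules": [{"port": 443, "cidr": ANY_CIDR},
                         {"port": 22, "cidr": "10.0.0.0/8"}]},
    "bucket-logs": {"type": "storage_bucket", "public": False, "encryption": "aes256"},
    "db-prod": {"type": "database", "public": False, "encryption": "kms", "tls": True},
}

# Constructed sample: what the collector sees now. Three risky changes:
# SSH opened to the internet, the log bucket made public, a new bucket
# created without encryption at rest.
CURRENT: Dict[str, Dict[str, Any]] = {
    "sg-web": {"type": "security_group",
               "rules": [{"port": 443, "cidr": ANY_CIDR},
                         {"port": 22, "cidr": ANY_CIDR}]},
    "bucket-logs": {"type": "storage_bucket", "public": True, "encryption": "aes256"},
    "db-prod": {"type": "database", "public": False, "encryption": "kms", "tls": True},
    "bucket-tmp": {"type": "storage_bucket", "public": False, "encryption": None},
}


def _flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts/lists into dotted paths so snapshots diff field by field."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = ((str(i), v) for i, v in enumerate(obj))
    else:
        return {prefix: obj}
    flat: Dict[str, Any] = {}
    for key, value in items:
        flat.update(_flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return flat


def detect_drift(baseline: Dict[str, Dict[str, Any]],
                 current: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One record per asset added or removed, and per field that changed value."""
    drift: List[Dict[str, Any]] = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            drift.append({"asset": name, "change": "removed"})
        elif name not in baseline:
            drift.append({"asset": name, "change": "added"})
        else:
            before, after = _flatten(baseline[name]), _flatten(current[name])
            for path in sorted(set(before) | set(after)):
                if before.get(path) != after.get(path):
                    drift.append({"asset": name, "change": "modified", "path": path,
                                  "old": before.get(path), "new": after.get(path)})
    return drift


def evaluate_policies(inventory: Dict[str, Dict[str, Any]]) -> List[Dict[str, str]]:
    """Hypothetical policy set: no admin ports to the world, nothing public, encrypt at rest."""
    findings: List[Dict[str, str]] = []
    for name, asset in sorted(inventory.items()):
        if asset["type"] == "security_group":
            for rule in asset["rules"]:
                if rule["port"] in ADMIN_PORTS and rule["cidr"] == ANY_CIDR:
                    findings.append({"asset": name, "severity": "high",
                                     "policy": f"admin port {rule['port']} open to the internet"})
        if asset.get("public") is True:
            findings.append({"asset": name, "severity": "high",
                             "policy": "resource is publicly accessible"})
        if asset["type"] in ("storage_bucket", "database") and not asset.get("encryption"):
            findings.append({"asset": name, "severity": "medium",
                             "policy": "encryption at rest not enabled"})
    return findings


def run_check(baseline: Dict[str, Dict[str, Any]],
              current: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """One monitoring cycle: drift, policy findings, and which findings a change introduced."""
    drift = detect_drift(baseline, current)
    findings = evaluate_policies(current)
    changed = {d["asset"] for d in drift}
    introduced = [f for f in findings if f["asset"] in changed]
    return {"drift": drift, "findings": findings, "introduced_by_change": introduced,
            "alert": any(f["severity"] == "high" for f in findings)}


if __name__ == "__main__":
    report = run_check(BASELINE, CURRENT)
    for d in report["drift"]:
        print("DRIFT  ", d)
    for f in report["findings"]:
        print("FINDING", f["severity"].upper(), f["asset"], "-", f["policy"])
    print("alert:", report["alert"])
```

In a real deployment the collector runs on a schedule (minutes, not quarters), the baseline is the last change-approved snapshot, and anything in "introduced_by_change" goes straight to the SOC queue because a configuration change, not an attacker, created the exposure. The same structure accepts findings from a threat intelligence feed as extra policies without changing the drift logic.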