The Reserve Bank of India has slapped a $1 million (U.S.) penalty on Yes Bank for failing to promptly notify the central bank of a 2016 data breach of its ATM network, The BankInfoSecurity reports. This is reportedly the first such penalty imposed on a bank.
Many security practitioners are praising RBI for issuing the penalty, saying it calls attention to the importance of timely breach notification.
"Normally organizations in India take regulatory compliance lightly due to laxity of regulators. Any regulator is supposed to take care of the interests of various stakeholders," says Rakesh Goyal, managing director at Sysman Computers, a CERT-In empaneled auditing firm. "It's a good sign that RBI, as a regulator, is showing a stick to law breakers. This will work in the interest of bank customers, government and society."
The Yes Bank incident, affecting 3.2 million debit cards, was the largest breach ever reported in the Indian banking system. While the debit card data was compromised between May 21 and July 11 last year, it was not until September that Yes Bank got to know about this large-scale data breach of its ATM network managed by Hitachi Payment Services.
RBI issued the $1 million penalty in exercise of powers vested in RBI under the provisions of Section 47A(1)(c) read with Section 46(4)(i) of the Banking Regulation Act, 1949, taking into account failure of the bank to adhere to certain directions issued by RBI.
According to RBI notification rules, banks must report breaches within two to six hours of discovery even if a third party is responsible for the incident. "A cybersecurity incident involving ATMs of the bank was not reported by the bank within the prescribed timeframe. Based on the inspection report and other relevant documents, a notice was issued to the bank advising it to show cause as to why penalty should not be imposed on it for non-compliance with directions issued by RBI," Jose J. Kattoor, chief general manager at RBI, says in a statement. "After considering the bank's replies, oral submissions made in the personal hearings, and also the additional information and documents furnished, RBI came to the conclusion that the aforesaid charges of noncompliance with RBI directions were substantiated and warranted imposition of monetary penalty."
Hitachi, which managed the Yes Bank ATM network, acknowledged in February that debit card data had been compromised between May 21 and July 11 of last year.
"The malware, being sophisticated in its design, had been able to work undetected and had concealed its tracks," Hitachi says in a statement provided to Information Security Media Group. "While the behavior of the malware and the penetration into the network has been deciphered, the amount of data breached during the compromise period can't be ascertained due to secure deletion by the malware.
"Despite following adequate security measures and adopting the standards of internationally accepted best practices in the business, we confirm that our security systems had a breach during mid-2016. The group has further enhanced our infrastructure and will continue to undertake all mandatory and regulatory security measures as needed," Hitachi says.
Some security practitioners are calling on RBI to not only issue penalties for tardy breach notification but also penalize organizations for failing to meet security standards.
"Since this was a first incident of this magnitude, I am sure this will establish the expectations from RBI, says Dharshan Shanthamurthy, CEO at SISA Information Security, which did the auditing for Hitachi in this incident. "However, in my opinion, if RBI starts penalizing banks for not meeting certain essential payment security standards (PCI DSS, PCI PIN, PA-DSS), it would give better results in improving the security posture including their breach reporting capabilities."
One important lesson from the penalty in Yes Bank incident is that security remains the responsibility of a bank even if it has outsourced functions, such as managing its ATM network, to a third party. "An organization can outsource technology or operations but not accountability of that function," Shanthamurthy says.
Goyal notes that bank's customers aren't aware of the outsourcers the organization uses, so the bank has to bear responsibility. "If the bank sub-contracted a task, it is their internal decision for various reasons, which may include consideration of cost, expertise, number of people, etc."
The CISO of an insurance firm, who asked not to be named, notes: "In this case Yes Bank is dealing with the public's money. And this is where I feel the third-party contracts need to be foolproofed. Organizations have to ensure that they work with the right partners. Did Yes Bank have any review of the contract? Hopefully the incident has been an eye opener for others."
Although the banking industry in India has a reputation of being more mature than other sectors when it comes to security, the sector invests less in detection technologies than other industries do. "Most banks in India invest a huge sum of money in cyber compliance, but not much is being invested in detection. So hopefully the breach penalty will change the scenario," the insurance company CISO says.
Banks find it challenging to report breaches within six hours of discovery. "There is a challenge in reporting on time," the insurance company CISO says. "When a breach is detected, organizations need some time to do a basic investigation to analyze if it's a false positive or a real breach. All these things are a priority as well. I feel the time to report a breach to RBI [should] be extended a bit."
Some security experts suggest that Yes Bank should ask Hitachi to pay the cost of the penalty. But Goyal says it could prove difficult for the bank to demand payment.
"If the agreement between them has a clause that any penalty and/or damages and/or other cost due to any specific cyber breach incident will be fully/partly paid by Hitachi, then Yes Bank can claim it from Hitachi. Else, the bank has to pay from its profit," Goyal says.