By Harun R Khan, Former Deputy Governor, Reserve Bank of India
For the financial sector specifically, there is a need to look into the extant IT environment, since there is a feeling that the IT infrastructure at most financial firms is fragmented and inconsistent.
The financial sector industry rests on trust and credibility, and increasing cybercrime is threatening this basic premise. According to a report released by the British Bankers’ Association (BBA) in association with PwC, ‘defending and countering cyber-attacks whilst keeping up-to-date with evolving regulations and policy is a complex challenge’.
As you know, cyber crimes are getting sophisticated and nuanced. Their perpetrators could be broadly categorised as ‘organised cyber criminals’ and ‘enemy state agents’. Motives could be anything ranging from corporate espionage to intellectual property rights to siphoning off funds. In all these, if we look at it seriously, the primary weapon is exploiting vulnerabilities. While they cannot be easily wished away, the only way corporates can tackle this is to be “proactive” about their “cyber resilience”.
In the case of a data theft last year at one of the global investment banks, what was disturbing was not the security breach per se but the fact that the hackers were inside their systems for close to two months before being noticed! Corporates need to put in place a robust business continuity management (BCM) plan (which is the broad theme of the last session of this summit) and perform business impact analysis. No corporate can afford to brush these off as trivial non-operating activities, since the potential risks involve not only monetary loss but also reputational and legal risk, which can simply demolish established businesses.
A survey indicates that 41% of economic crime was committed by employees within an organisation. How do we address this? Can we seriously think of examining the incentive-compatibility structures at our companies? Since risk is inherent in every business, in the absence of appropriate incentive-compatibility structures, we may encounter behavioural patterns leading to decision-making processes that de-risk the individual rather than taking the optimal decisions that would benefit the organisation. Such behavioural patterns may lead to functional paralysis and, at times, to explosive business disruptions within the organisation.