Leveraging RBI Compliance Towards Meaningful Data-Centric Security
Introduction
In 2020, ransomware cases grew by 150%, and in March of 2021 alone, data breaches affected over 20 million records. Data breaches and ransomware attacks are becoming more common and more damaging, and with 63% of data breaches in 2020 being financially motivated, banks are attractive targets. Recent changes in banking, such as the shift to digital financial records, mobile banking, and reliance on cloud storage, have increased both the likelihood and the impact of financial data breaches.
Earlier this year, the popular Indian mobile payment service MobiKwik suffered a data breach in which 8.2 terabytes of customer information were published on the dark web for anyone to access. The leaked information included customers' names, addresses, credit card numbers, bank account information, and the know your customer (KYC) documents of 3.5 million users. Businesses use KYC documents to verify the identity of their customers; they often include a photo of the customer together with a government-issued ID and other information a company needs to know about a customer. Given the value of this information, it is easy to see why an attacker would target a bank; what is less clear is how banks can best protect themselves.
Importance of Data-Centric Security
The Reserve Bank of India (RBI), India's banking regulator, has recognized that the banking industry must adapt to changes in technology. Today's enterprise security strategy is largely perimeter-centric and not aligned with the data that is crucial to the business. Organizations should instead adopt a data-centric model of cybersecurity. Data-centric security is an approach that prioritizes protection of the data itself, as opposed to only the networks, infrastructure, and perimeter around it, which is where the majority of organizations still concentrate their effort. Data-centric security lets organizations take a business-aligned approach by tying controls directly to the business-critical data they are required to protect, which is also the data adversaries target. This approach helps financial institutions implement meaningful controls and build a resilient security and privacy program, reducing the impact of a data breach or ransomware attack when one occurs.
RBI has issued a framework to ensure cybersecurity preparedness that prioritizes sensitive data. These guidelines were first issued in June 2016 and most recently updated on December 31, 2019. By adopting a data-centric approach, Indian banks can comply meaningfully with RBI requirements while effectively protecting their most important and sensitive data.
The Core Themes of RBI Cybersecurity Guidelines
RBI requires that Indian banks put extra emphasis on protecting sensitive information. Sensitive information and KYC documents include credit card numbers, Aadhaar numbers, voter ID cards, Permanent Account Numbers (PAN), and other forms of highly personally identifiable information (PII). Because financial institutions collect and process personal information alongside financial information, they create a large volume of highly sensitive data.
Data that ties identifiable information to financial information is a highly sought-after target for hackers and other malicious actors. A breach of a financial institution can expose a person's name, address, government identity numbers such as Aadhaar or PAN, and banking credentials. Victims of this kind of breach become highly susceptible to identity fraud, phishing scams, and financial theft.
This heightened risk and sensitivity is precisely why RBI gives extra attention to the protection of sensitive information in a bank's cybersecurity and data management program. The obligation also creates a distinct challenge for banks, since they are required to locate and protect all of their sensitive data. That raises the question: "How do I know which data is sensitive, when I don't even know what data I have?"
How TurtleShield Helps
Since it is almost impossible to protect what matters when you don't know what data you have, the first step in safeguarding sensitive data is discovery. TurtleShield, Ardent's data privacy solution, uses machine learning and artificial intelligence to build a global map of the organizational data that is subject to security and privacy regulations. TurtleShield uses our patent-pending "oil drilling" approach to discovery, in which we only dig where needed, reducing discovery time and cost. This approach also lets companies reach data sources that were unreachable with their existing toolkit; data that cannot be reached cannot be inventoried, which is a common cause of non-compliance.
This process not only cuts discovery time but lets businesses discover and identify sensitive data in a meaningful way, so that banks can give extra protection to the data sets that matter most. Beyond discovery and identification, TurtleShield also supports financial institutions' requirement to run risk assessments. TurtleShield can help a bank gauge how much risk it is carrying based on the amount of sensitive data it collects and shares with partners, vendors, and other third parties.
Businesses often keep separate, distinct silos of information for different business purposes. This practice makes it harder to understand the full scope of data flowing into and out of an organization. TurtleShield builds a data map based on data sharing so that businesses can act on it. By identifying and prioritizing sensitive data, banks can build a strategic, data-centric approach to security. This approach does not make breaches or ransomware attacks impossible, but it limits what an attacker can reach and therefore limits the damage when one occurs.
Adopting a data-centric security model has banks protecting the information that matters most. PII and sensitive data are not only valuable to the company that uses them; they are also highly sought after by malicious actors. Using TurtleShield together with a privacy-by-design approach puts PII and sensitive data at the forefront of the protection plan. Homing in on the most valuable data leads to stronger security and a better response in the event of a data breach or ransomware attack.
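The discovery step above is easy to state and harder to get right, because the Indian identifiers listed earlier (card numbers, Aadhaar numbers, PAN) are all short strings that look like ordinary data. As an added illustration, not TurtleShield's code or Ardent's discovery method (which the page does not describe), the Python below shows what a first-pass discovery scanner for those identifiers looks like: a pattern match for each format, followed by the checksum or structural rule each identifier carries (Luhn for card numbers, a Verhoeff check digit for Aadhaar, the holder-type letter in a PAN) so that random digit strings are not reported. The sample record, names and numbers are constructed (the card number is the public 4111... test number); the function names, the `Finding` type and the report format are my own. Findings are masked before they are returned, because a discovery tool that writes raw PII into its own report has just created one more copy of the data it was meant to find.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Verhoeff multiplication (d) and permutation (p) tables. Aadhaar numbers
# carry a Verhoeff check digit in their last position.
_D = (
    (0, 1, 2, 3, 4, 5, 6, 7, 8, 9), (1, 2, 3, 4, 0, 6, 7, 8, 9, 5),
    (2, 3, 4, 0, 1, 7, 8, 9, 5, 6), (3, 4, 0, 1, 2, 8, 9, 5, 6, 7),
    (4, 0, 1, 2, 3, 9, 5, 6, 7, 8), (5, 9, 8, 7, 6, 0, 4, 3, 2, 1),
    (6, 5, 9, 8, 7, 1, 0, 4, 3, 2), (7, 6, 5, 9, 8, 2, 1, 0, 4, 3),
    (8, 7, 6, 5, 9, 3, 2, 1, 0, 4), (9, 8, 7, 6, 5, 4, 3, 2, 1, 0),
)
_P = (
    (0, 1, 2, 3, 4, 5, 6, 7, 8, 9), (1, 5, 7, 6, 2, 8, 3, 0, 9, 4),
    (5, 8, 0, 3, 7, 9, 6, 1, 4, 2), (8, 9, 1, 6, 0, 4, 3, 5, 2, 7),
    (9, 4, 5, 3, 1, 2, 6, 8, 7, 0), (4, 2, 8, 6, 5, 7, 3, 9, 0, 1),
    (2, 7, 9, 3, 8, 0, 6, 4, 1, 5), (7, 0, 4, 6, 9, 1, 3, 2, 5, 8),
)


def verhoeff_valid(digits: str) -> bool:
    """True when the last digit is the correct Verhoeff check digit for the rest."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


# PAN layout: 5 letters, 4 digits, 1 letter. The 4th letter encodes the
# holder type (P = individual, C = company, H = HUF, ...), which filters out
# most look-alike strings that merely match the shape.
_PAN_HOLDER_TYPES = set("ABCFGHJLPT")


def pan_valid(pan: str) -> bool:
    return len(pan) == 10 and pan[3] in _PAN_HOLDER_TYPES


def digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


# Detectors in priority order: a 16-digit card number claims its span first,
# so a 12-digit run inside it is never re-reported as an Aadhaar number. The
# Aadhaar pattern also refuses to start or end next to another digit group.
_DETECTORS = (
    ("card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), digits_only,
     lambda d: 13 <= len(d) <= 19 and luhn_valid(d)),
    ("aadhaar",
     re.compile(r"(?<![\w-])(?<!\d[ -])[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?![\w-])(?![ -]\d)"),
     digits_only, lambda d: len(d) == 12 and verhoeff_valid(d)),
    ("pan", re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"), str, pan_valid),
)


@dataclass
class Finding:
    kind: str
    masked: str  # never the raw value: the report must not become a new copy of the PII
    start: int
    end: int


def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]


def scan(text: str) -> list[Finding]:
    """Return validated, masked findings in document order."""
    findings, claimed = [], []
    for kind, pattern, normalise, is_valid in _DETECTORS:
        for m in pattern.finditer(text):
            if any(m.start() < e and s < m.end() for s, e in claimed):
                continue  # overlaps a higher-priority finding
            value = normalise(m.group())
            if not is_valid(value):
                continue  # right shape, wrong checksum: not reported
            claimed.append((m.start(), m.end()))
            findings.append(Finding(kind, mask(value), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


# Constructed sample record; every identifier below is made up or a public test number.
SAMPLE = """\
Customer: Asha Verma, PAN ABCPV1234E, Aadhaar 2345 6789 0124
Card on file: 4111 1111 1111 1111 (exp 12/27)
Ticket #123456789012 closed; ref ABCXV9999Z is not a PAN
Mistyped Aadhaar 2345 6789 0123 must not be reported
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind:8} {f.masked:18} at {f.start}-{f.end}")
```

Run against the sample it reports exactly three findings (the PAN, the Aadhaar number and the card), and skips the ticket number, the PAN-shaped string with an invalid holder type, and the Aadhaar number with a wrong check digit. The checksums cut false positives but do not eliminate them: roughly one random 16-digit string in ten passes Luhn, so a real discovery pipeline still needs context (column names, nearby keywords, the source system) before it labels a field as sensitive.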
About Ardent Privacy
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses AI to provide companies with data discovery and automated compliance with the DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations through a data-driven approach. Ardent Privacy's solution uses machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises, reducing legal and financial liability.
For more information, visit https://ardentprivacy.ai/.
Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.