Data security, privacy prime banking security issues: DSCI-KPMG Study

Indian banks face data security, privacy, and regulatory challenges, reveals DSCI-KPMG banking security survey; channel proliferation a challenge.

External threats, increasing usage of online and mobile channels, as well as the dependency on third parties, are driving information security investments in Indian banks, according to the DSCI-KPMG Banking Security Survey 2010. The findings reveal that information security is now seen as a part of service delivery in banking — an important hygiene factor, rather than a point of differentiation.

Information management is increasingly becoming the core of banking operations, with the increase in the volume of non-currency financial transactions. “You can no longer separate banking and IT. While online transactions make up just 40% of volumes, they amount to no less than 90% of transacted value,” says Dr Kamlesh Bajaj, CEO of the Data Security Council of India (DSCI).

The 2010 DSCI-KPMG banking security survey data indicates that information security objectives continue to be confidentiality, availability and integrity of information, along with accountability and demonstrable assurance. While the survey reveals that Indian banks are deficient in areas such as card transaction security as compared to their global counterparts, data privacy and security are being driven by the Information Technology Amendment Act 2008 (ITAA 2008) and the Reserve Bank of India’s (RBI) stringent regulatory requirements regarding banking security.

Data security at the forefront

Of the surveyed respondents, 75% believe that external threats are a critical factor driving data security initiatives. Some of these external threats arise as organized opportunistic crime seeks to compromise banking networks (either for financial gain or identity theft). Online banking, ITAA 2008, and regulatory requirements were identified as significant factors driving change in banking security and privacy, said 70% of the respondents. For instance, Section 43A of ITAA 2008 mandates ‘reasonable security practices’ for protection of ‘sensitive personal information’ for all bodies corporate.

RBI regularly releases regulatory circulars and guidelines that banks need to adhere to. The need for 128-bit encryption is an example.

Dr Kamlesh Bajaj, CEO, Data Security Council of India (DSCI)

Banking security initiatives seem to be focused on keeping continuous vigilance over vulnerabilities and new threats, with 100% of respondents attesting to this. 65% of respondents take inputs from international standards (such as ISO 27001) for their security functions, with 40% believing that the security officer’s main function is to ensure compliance with these standards.


Although privacy is emerging as an issue in India, it has yet to be reflected in the banking ecosystem: almost 80% of banks lack a separate privacy team. At the moment, factors driving data privacy include customer awareness (60%), as well as associated direct or indirect financial loss (60%).

Indian banks seem to be taking note of global data protection regimes, with 32% identifying these as a critical factor, and a further 42% acknowledging their importance. However, as much as 42% of respondents do not seem to be well aware of privacy principles, or of data protection roles and entities.

Service delivery and regulatory requirements

The DSCI-KPMG banking security survey reveals that basic measures for card safety have not been implemented in Indian banks, with only 27% of respondents having PCI DSS certification. At 77% of respondents, merchants’ point-of-sale terminals generate card records as plain text. 70% have databases that lack encryption for stored card information. Practices around storing and printing authorization data such as the card verification value (CVV) and card expiry date, and around masking the primary account number (PAN), are not in line with global banking security standards.
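The plaintext card records and unmasked PANs described above are the kind of finding a bank’s own monitoring should catch before an auditor does. The following is an added example, not code from the survey, DSCI or KPMG: it scans constructed POS log lines for Luhn-valid card numbers, reports them in masked form, and sanitizes a card record by dropping the CVV and masking the PAN (first six and last four digits kept). Field names in the sample record are assumptions.

```python
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be retained after authorization
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "track"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first six) and last four; hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in free text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_line(text: str) -> str:
    """Replace any plaintext PAN in a log line with its masked form."""
    return PAN_RE.sub(
        lambda m: mask_pan(re.sub(r"[ -]", "", m.group(0)))
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))) else m.group(0), text)


def sanitize_record(record: dict) -> dict:
    """Drop sensitive authentication data and mask the PAN before storage."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue
        out[key] = mask_pan(re.sub(r"[ -]", "", value)) if key.lower() == "pan" else value
    return out


# Constructed sample: one line with a test PAN, one with a non-Luhn transaction id
SAMPLE_LOG = "POS-07 sale amt=1500.00 pan=4111 1111 1111 1111 cvv=123 exp=12/27\n" \
             "POS-07 void txn=1234567890123456 amt=1500.00"
```

Running `find_plaintext_pans(SAMPLE_LOG)` flags only the first line; the 16-digit transaction id on the second line fails the Luhn check and is left alone.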

In a majority of cases, technology investment decisions for banking security are influenced by ITAA 2008. This indicates strong clarity among respondents about the applicability of ITAA 2008, with 84% implementing privileged access management and network access control. Additionally, in spite of most banks having established backup data centers, adoption of mature practices such as run book automation is still at a nascent stage.

Security governance

IT security and fraud management teams must start working very closely. Traditional systems must now migrate to the new setup where these two departments work together.

Dr Kamlesh Bajaj, CEO, Data Security Council of India (DSCI)

Information security in banking is still perceived as an IT-centric function — leading to a lack of coordination with fraud management functions. Almost half the respondents choose to tackle fraud management with separate manpower. The existence of these two functions as separate silos suggests a significant gap in banks’ efforts to curb security breaches. A majority still use traditional methods of risk-based audits for tracking threats and vulnerabilities.

Lack of end-customer awareness is one of the biggest challenges that 89% of respondents believe they face, followed by an increase in the number of threats from insecure customer endpoints. Endpoint security is a concern, with channels largely using insecure systems. Lack of technical skills or inadequate funding are not issues hindering implementation of measures for banking security, the study reveals. Exposure to borderless cyberspace is exposing banks to organized new-age threats, respondents feel.
