The Unprecedented pandemic outbreak, ‘Novel Corona 2019’ has made overwhelming impacts on our lifestyles, modus operandi of businesses and many other aspects. This calls for an inevitable need for top notch UI/UX in consumerization of the B2C technology.

The urgency to have technology which can effectively replace physical presence- the human touch and feel, has put exorbitant pressure on enterprises to fast track and widen the scope of their digitization roadmap.

The need for this phase shift got its due realization when RBI the Indian banking regulator, issued a circular on Jan 9, 2020, allowing banks to accept digital video-based customer identification and onboarding process, V-CIP (video KYC).

Being a witness to Information security paradigm shifts for past 20 years, I cannot help but think about what is in here for hackers/wrongdoers?’ Obviously, with the increase in the ‘attacking surface’ the chances of system exploitation rise exponentially.

Hence, the most effective way to secure a system is to understand the underlying technology and adopt most effective, time tested ‘assessed-risk’ approach.

In this series, we are detailing the important considerations the consumers of V-CIP, banks and other financial institutions, should make while inculcating it in their business processes:

1. Data Privacy (Loose lips/systems, sink/leak ships/information)

With various regulations being enacted the importance of data privacy is getting realized in India. Section 43A of IT Act defines personal and sensitive information, Personal Data Protection bill (PDP) of 2018 and Section 8A of AADHAR act elaborate roles and responsibilities of various actors:

• Data Fiduciary: Determines purpose and means of processing personal data
• Data Principal: Person to whom the data is related
• Data Processor: Processes personal data on behalf of data fiduciary

Which establishes banks and all other financial institutions as referred in RBI’s guidelines as Regulated Entity (RE) as data fiduciary.

Whilst incorporating V-CIP is need of the hour, RE should make themselves well assured of the following:

• Where does the customer personal data reside? Most of the V-CIP providers have hosted their IT infrastructure on public clouds, which means scrutinizing the regulatory requirements of live and backup data residence is very important.
• How access management is enforced? ‘need to know, and least privilege’ is the second most consideration for RE. Data being on cloud and V-CIP providers being startups having single person bearing various roles makes assurance on access controls enforcement important for RE.
• How is the data life cycle enforced? Start from first-time data storage to how it is being processed and security of the channels it uses to get transmitted, and then how it is backed up, frequency of backup, storage location and how the V-CIP provider is destructing the data, How RE is accountable to ensure these follow various applicable regulatory provision.

2. Vendor Risk Assessment (‘Wise enemy is better than foolish/vulnerable friend’)

Meagre questionnaire-based methods of assessing vendor risks may not be enough in current technology dependence times. These risk assessments need a facelift and to be robust enough to assure the Regulated Entity (RE) the probable exposure while it contracts any of the V-CIP providers.

Contactless assessments, phishing tests, internal and external penetration testing need to be conducted by RE on the V-CIP providers to assess focus areas of improvements.

3. System Availability (‘Friend/system in need is friend/system in-deed’)

First, it is important to incorporate technology to ensure BAU to bridge the gaps introduced by social/physical distancing norms making it more important to ensure the availability of the technology and necessary processes during the times of need.

Regulated Entity (RE) need to assure themselves on the following important questions

• How will the technology work in various scenarios? Pandemics, epidemics, city-wide natural calamities, national/international restrictions
• Who and how will technology interact with necessary systems? Most important, while planning technology advancements is ‘integration’ points in various scenarios of unavailability
• Resilience in the processes? It is important to understand what trade-offs the process can withstand without impacting the core business objectives and customer servicing

Security programs at Happiest Minds

Complete Exploit Assess and Negate (CLEAN) program

• Phishing handling and defense building lifecycle which includes regular, automated, and customized phishing simulations and user awareness sessions
• 360⁰ VAPT lifecycle management
• Vulnerability prioritization based on the availability of its exploit code
• Thick and thin client-based apps vulnerability assessment and penetration testing (VAPT)
• Mobile application VAPT
• ‘Contactless’ tests done to generate end to end external cyber risk scoring based on its performance on various parameters like IP reputation, Email reputations and others

Regulatory Compliance Assurance (RCA)

• RBI, IRDAI and SEBI mapping with ISO 27001 and PCI-DSS
• Data privacy requirements of guidelines of AADHAR (UIDAI), Personal Data Protection bill 2018 and IT Act
• IRM/DRM framework using applicable regulatory guidelines and digital security standards from CIS and NIST

Business Resilience Assurance Program (BRAP)

• Ensures technology systems and relevant support services available in times of pandemic and cyber outbreaks
• The Pragmatic program takes a holistic approach from documentation to implementation

Conclusion: Technology adoption has benefits which come with word of caution and as the saying goes ‘Devil lies in detailing’. Technology increases the attack surface and slight miss in the adoption lifecycle may lead to severe monetary and reputational impacts. Happiest Minds is specialized security services provider and our expertise can be leveraged for securing digitization initiatives of enterprises.

Read complete blog