
Fintech Security & Compliance — Part 1



Fintech is one of the most active sectors in India and worldwide, with a wide array of services being delivered in lending, insurance, payments, stocks and mutual funds. While founders, product and engineering managers are busy building products and delivering them to people in a rapid and scalable way, there is one huge challenge they must overcome: the cyber security aspect of it. I have had the opportunity to architect and implement controls around these requirements in the last few years and would like to share some thoughts here.

In India, Fintech regulators are:

  • Securities & Exchange Board of India (SEBI)
  • Reserve Bank of India (RBI)
  • Insurance Regulatory and Development Authority of India (IRDAI)

Each of these regulators has its own cybersecurity requirements, and these span multiple domains such as IT Governance, Information Security Audits (IS Audits), IT Outsourcing, IT Risk Management, Business Continuity Management (good luck with the single region currently offered by the leading cloud vendor in India 🙂), Policies, Physical & Environmental Security and so on.

Apart from these, compliance with PCI DSS (and PA-DSS for vendors of payment applications) is a common requirement for all fintechs handling card transactions. With PCI DSS, the magnitude of security requirements varies with transaction volume. There are four merchant levels: at Level 4 a merchant handles fewer than 20,000 e-commerce transactions a year and compliance means completing a Self-Assessment Questionnaire (SAQ), while Level 1 covers merchants handling more than 6 million transactions annually. Levels 2 and 1 have very comprehensive requirements to fulfil: Level 1 requires an annual on-site assessment by a third-party Qualified Security Assessor (QSA), and Level 2 merchants complete an SAQ that some card brands require to be validated by a QSA or an internal assessor.

Not all fintechs hold a licence to operate independently; they rely on agreements with banks and financial institutions to offer their services. It may be surprising to learn that banks themselves can offer most of the services fintechs offer. The key differentiator is technology, which banks are perhaps yet to come to terms with. When it comes to security requirements and compliance, banks pass these on to their partner fintechs, so multiple audits in a year are not unheard of in the fintech space.

RBI has Master Directions for entities operating in the banking and non-banking space, covering lending, prepaid payment instruments, Non-Banking Financial Companies (NBFCs), peer-to-peer lending platforms, full-fledged banks, payments banks and so on.

IRDAI has two major cyber security requirements, one of which applies exclusively to insurance sold over e-commerce channels (web and mobile) through an ISNP, an Insurance Self-Network Platform. As most new-age insurers are e-commerce based, they have to comply with both (there is some overhead here).

IRDAI’s guidelines come with a cybersecurity checklist of 307 controls and also mandate that the insurer appoint a Chief Information Security Officer (CISO)! While these may be easier to implement for a legacy company with a monolithic architecture, startups usually find them difficult, and herein lies the challenge.

SEBI’s framework for Stock Brokers and Depository Participants is published here. What I found cool about SEBI’s cyber security directives, compared with those of RBI and IRDAI, is their forward-looking approach, in sync with current demands and realities. For example, they suggest using bcrypt / PBKDF2 for hashing passwords, and passphrases rather than complex passwords.

They also refer to crypto shredding (encrypting data under a key and then destroying the key, so that every copy of the ciphertext becomes unrecoverable). I must confess I did not know such a term existed.
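To make the two SEBI recommendations concrete, here is an added example (my own code, not SEBI’s text or any fintech’s implementation) that covers both: salted PBKDF2-HMAC-SHA256 password hashing with constant-time verification, and crypto shredding of per-record data by destroying the record’s data-encryption key. The iteration count, the in-memory `KeyVault`, and the record layout are assumptions; the cipher used for the shredding part is a deliberately simple HMAC-SHA256 keystream so the example runs on the standard library alone, and is a stand-in for AES-GCM in a real system.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# ---- Password hashing (PBKDF2-HMAC-SHA256, stdlib only) ----
# Assumption: iteration count per current OWASP guidance for PBKDF2-SHA256;
# tune it so one hash costs a few hundred milliseconds on your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>.

    A fresh 16-byte random salt per password means identical passwords produce
    different records, which defeats precomputed (rainbow) tables.
    """
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# ---- Crypto shredding ----
# Each record is encrypted under its own data-encryption key (DEK) held in a vault.
# Deleting the DEK makes every copy of the ciphertext (primary DB, replicas,
# backups you cannot scrub) permanently unreadable.
# Stand-in cipher (assumption): HMAC-SHA256 keystream in counter mode, XORed with
# the data. It is unauthenticated; in production use AES-GCM and keep DEKs in a KMS/HSM.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)  # never reuse a nonce under the same key
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class KeyVault:
    """Minimal in-memory vault mapping record id -> DEK (stands in for a KMS/HSM)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create(self, record_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[record_id] = key
        return key

    def get(self, record_id: str) -> Optional[bytes]:
        return self._keys.get(record_id)

    def shred(self, record_id: str) -> None:
        # This *is* the deletion: without the key, no copy of the ciphertext is readable.
        self._keys.pop(record_id, None)


def store_record(vault: KeyVault, db: Dict[str, bytes], record_id: str, plaintext: bytes) -> None:
    db[record_id] = encrypt_record(vault.create(record_id), plaintext)


def read_record(vault: KeyVault, db: Dict[str, bytes], record_id: str) -> Optional[bytes]:
    key = vault.get(record_id)
    if key is None:  # shredded (or never existed): behave as if the record is gone
        return None
    return decrypt_record(key, db[record_id])
```

The point of the shredding half is operational: an erasure request, or a retention deadline, is satisfied by one key deletion in the vault rather than by hunting down every backup that holds the ciphertext, which is exactly why the technique suits regulated data with long backup retention.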

It makes me wonder whether the major innovations in the Indian fintech space are happening in the segment regulated by SEBI for reasons like these.

I am thinking of writing in detail about the challenges in complying with the regulators’ security directives in coming write-ups, but for now I will focus on what this augurs for cybersecurity professionals in startups and fintechs.

There is going to be huge demand not just for developers, product managers, architects and data scientists, but also for cyber security professionals. When I say cyber security, it is not limited to pentesters or AppSec, network and cloud security professionals. I see demand for data privacy, compliance and legal folks who can understand and interpret complex regulations from regulators like RBI, SEBI and IRDAI and help implement them in a creative, scalable and rapid way. I am currently working for an emerging fintech company, and a good chunk of my time is spent with the legal team, apart from the engineering folks, interpreting regulations and helping fit newer technologies and controls around them, as well as working on contracts, assessments, third-party risk management and so on.

As a cyber security professional, I wouldn’t have expected to work this closely with the legal team, but no complaints, and I am beginning to see things from multiple perspectives! Remember that most startups live by the mantra:

“It is better to ask for forgiveness than permission”

At the end of the day, it’s all about solving problems.

If you have any questions, comments, feel free to post them here and I will try to answer them.

#fintech #cybersecurity #fintechsecurity #RBI #SEBI #IRDA #PCIDSS

SEBI & MCA are causing a massive Personally Identifiable Information Leak

NOTE: I had published this article first here on Medium

I think when it comes to Privacy for Indian Citizens, the old adage “choosing between the Devil and the Deep Blue Sea” seems to hold true.

On one hand our Government is stripping privacy of citizens part by part by linking Biometrics with everything ranging from Airport to Stadium entry.

On the other hand we have to deal with the sheer incompetence of the same government agencies that are supposed to keep that data secure, and are instead leaking it left, right and centre!

Here is what happened: SEBI and MCA, in their eagerness to curb fraud surrounding unclaimed/unpaid dividends on stocks and mutual funds, mandated that investor details be put on the websites of all listed companies and mutual fund houses.

There are about 5,800 publicly traded companies on the BSE, and almost every one of them has put up a spreadsheet or PDF document containing the following data, accessible to the public without any authentication or checks of any sort:

  • Name of the investor
  • Address
  • Name of the mutual fund(s)
  • Amount
  • Demat account numbers
  • Folio numbers

Full name and address together constitute Personally Identifiable Information (PII). Some companies have also listed Demat account numbers alongside this PII; as that is financial information, it could further be classified as sensitive PII. If you have ever traded stocks or invested in mutual funds but have not received the dividends, chances are your PII has been put on a website for everyone on the internet to see. Caveat: the data above is for investors whose bank details are not updated with the fund houses or listed companies, so the money could not be transferred to them.

By my estimate, there are more than a million PII records out there in public.

One of the files I downloaded had about 25,000 entries. Yes, Personally Identifiable Information (PII) of 25,000 investors, spread not just across India but across different parts of the globe. That file was for 2015–16 alone; the listed companies host this data going back to 2009! Another file, from a different listed company, was an 1,100-page PDF with rows of addresses, folio numbers and Demat account numbers alongside names!! Here are some samples:

http://www.sonata-software.com/sites/default/files/Details%20of%20Unpaid%20Interim%20Dividend%202016-17.pdf

https://www.nmdc.co.in/Docs/Investors/Dividends/NMD_DIV23.pdf

http://3i-infotech.com/content/investors-2/details-of-unclaimedunpaid-dividend-with-the-company/

Background: The first of the notifications was the Ministry of Corporate Affairs (MCA) notification in the Gazette of India, G.S.R. 352(E) dated May 10, 2012, notifying the “Investor Education and Protection Fund (Uploading of information regarding unpaid and unclaimed amounts lying with Companies) Rules, 2012”. Under these Rules, companies have to identify and upload details of unclaimed dividends on their websites.

SEBI notified a similar requirement in 2016 via circular SEBI/HO/IMD/DF3/CIR/P/2016/84, which makes it mandatory for mutual fund houses to publish the following details on their websites:

“AMFI shall also provide on its website, the consolidated list of investors across Mutual Fund industry, in whose folios there are unclaimed amounts. The information provided herein shall contain name of investor, address of investor and name of Mutual Fund/s with whom unclaimed amount lies.”

I sent out emails to many of these listed companies. Except for one, nobody bothered to respond. Even when they did respond, they mentioned that they are complying with the MCA diktat.

But the most callous response was from CERT-In, which manages the Cyber Swachhta Kendra that our minister launched with much fanfare and media blitz. Their response is above, and you can form your own opinion on how secure India’s infrastructure is going to be.

Probable Mitigation:

Instead of publicly listing people’s addresses, Demat IDs and so on, these companies could send notifications directly to the investors. While researching this topic I came to realise that there have been cases of intermediaries transferring unclaimed/unpaid dividends to themselves, which is scary to say the least. The sophistication and scale of the fraud are of unthinkable proportions: some fund management companies transferred the amounts to friends and relatives, while others showed them in their P&L results!!
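As an added example of the mitigation described above (my own code, not something any company, SEBI or MCA has published), the script below takes a constructed spreadsheet of the kind the article describes and splits it into two outputs: private notices addressed to each investor, and a public list from which name, address and Demat number are dropped and the folio number is masked. The keyed lookup token is an assumption of mine: it lets an investor check for an entry via a form on the company’s site that computes the token server-side, without the public file revealing name or folio. The sample rows are fabricated.

```python
import csv
import hashlib
import hmac
import io
from typing import Dict, List, Tuple

# Constructed sample of the kind of spreadsheet the article describes (not real data).
SAMPLE_CSV = """folio,name,address,fund,amount,demat
10001,Asha Rao,"12 MG Road, Bengaluru 560001",ABC Equity Fund,1250.00,IN30012345678901
10002,Vikram Sethi,"4 Marine Drive, Mumbai 400020",XYZ Liquid Fund,310.50,IN30098765432109
"""

# Columns that must never appear in a file served without authentication.
PII_FIELDS = {"name", "address", "demat"}


def mask_identifier(value: str, keep: int = 4) -> str:
    """Show only the last `keep` characters: IN30012345678901 -> ************8901."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def lookup_token(secret: bytes, folio: str, name: str) -> str:
    """Keyed hash of (folio, name) so the public list can be searched by an investor
    who knows both, while nobody without `secret` can enumerate folios from it.
    `secret` is an assumed per-company value held server-side (e.g. in a KMS)."""
    msg = f"{folio.strip()}|{name.strip().lower()}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def split_records(csv_text: str, secret: bytes) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (public_rows, private_notices).

    public_rows: safe to publish; no name/address/demat, masked folio, lookup token.
    private_notices: one message per investor, to be sent over a channel already tied
    to the folio (registered e-mail or postal address), never published.
    """
    public_rows: List[Dict[str, str]] = []
    notices: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        public_rows.append({
            "token": lookup_token(secret, row["folio"], row["name"]),
            "folio_masked": mask_identifier(row["folio"]),
            "fund": row["fund"],
            "amount": row["amount"],
        })
        notices.append({
            "folio": row["folio"],
            "to": row["name"],
            "message": (
                f"Dear {row['name']}, an unclaimed dividend of Rs {row['amount']} from "
                f"{row['fund']} is pending against folio {row['folio']}. Please update "
                "your bank details with the registrar to claim it."
            ),
        })
    return public_rows, notices


def contains_pii(rows: List[Dict[str, str]]) -> bool:
    """Release gate: refuse to publish any row that still carries a PII column."""
    return any(PII_FIELDS & set(r.keys()) for r in rows)


if __name__ == "__main__":
    public, private = split_records(SAMPLE_CSV, b"per-company-secret")
    assert not contains_pii(public)
    for r in public:
        print("PUBLIC ", r)
    for n in private:
        print("PRIVATE", n["folio"], "->", n["to"])
```

The `contains_pii` gate is the part worth keeping in a real pipeline: it runs on whatever is about to be written to the web server, so a later column added to the source spreadsheet cannot silently leak.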

The public disclosure of addresses without the consent of the individuals concerned is a violation of their privacy.

Every individual, from top-ranking bureaucrat to minister, needs to learn a lesson or two about privacy. What is appalling is that none of the 5,800-odd listed companies seems to have opposed this stupid directive. Every one of them has complied by putting its investors’ PII out in public. I don’t know how their overseas clients are going to judge them on this.

#dividendleak #privacy #india #unclaimeddividends #millionrecords