The Mega Data Breach. What should “Other” Banks and FinTech Companies do?

The Mega Data Breach of 32 lakh debit cards in India is reported to have affected 19 Banks directly. It is presumed that these are the banks whose debit cards passed through the poisoned switch maintained by NPCI to route the ATM/POS requests. Also they maybe the Banks who are using the HITACHI ATM/POS systems suspected to have the vulnerability.

All these banks will be expected to cancel their current set of cards issued to their customers and replace them with new Cards just as what SBI has done. The total estimated number of cards considered compromised is 32 lakhs. So far about 1000 frauds appear to have been registered and they should be handled by the individual Banks as “Charge Backs” to the card without any legal struggle.

While the affected Banks try to tackle their problem as above, there are “Other” Banks who may have issued debit cards but are not in the list of the 19 Banks directly involved. Additionally there are a number of other FinTech Companies who process debit card and credit cards of their customers. An incident of this magnitude is considered as an “Environmental Development” warranting a self audit of their systems and procedures to identify if they are equally vulnerable to such attacks and if so what should be done to mitigate the risk.

Every such organization should therefore call for an “Introspection” of their systems starting with a “Board Meeting” and  “Top Management Meeting”. The Board needs to take note of the developments and the perceived threat to the company and suggest the operating executives to take such actions as may be necessary to report back to the Board and appraise them of the risk exposure and countering plans. The Executive team needs to also meet and review all their systems and where necessary trigger some pro active measures to reduce the possibility of similar risks materializing in their environment.

These meetings and the actions taken need to be documented as part of the “ITA 2008 Compliance” program of the Company.

For the Directors, it is essential to protect their interests to ensure that necessary instructions are passed on down the line. It is also important for the CEO to ensure that the risks escalate to him personally. If by any misfortune a fraud occurs in the company which could have been reasonably prevented from the lessons drawn from this mega breach but was not taken, then the Officers in Charge of the Business, The CEO, The Directors may all have to shoulder the vicarious liabilities.

To mitigate the adverse consequences of such liabilities, they need to show “Due Diligence” and conduct of this “Review meeting in the light of the Mega Card Data Breach” is considered a critical step.

I suggest all company directors to take note of this suggestion and act.

Naavi

Related Articles

Let RBI Show Who is the Boss

RBI Cannot Remain silent… and so also NPCI,CERT and Ministers of HOME,IT and Finance

Challenge to Mr Urjit Patel… Don’t let down Indian Baking system

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.