Government to Establish Unified Cyber Incident Reporting Framework for Financial Sector by 2027

India's Financial Sector Prepares for Cybersecurity Overhaul

The Indian government is developing a comprehensive plan to create a unified cyber incident reporting and response mechanism across the country's financial sector. This move comes in response to growing concerns that cyber disruptions in one segment could quickly spread to banking, securities markets, and payment systems. The proposal aims to align banks, securities markets, and other financial institutions to common reporting standards and globally recognized cybersecurity practices, making cross-sector response easier during disruptions.

The plan is part of a broader financial sector cybersecurity strategy being drafted by an inter-ministerial group led by the Department of Economic Affairs. This group involves key stakeholders such as the Department of Financial Services, Ministry of Electronics and Information Technology, Department of Telecommunications, Ministry of Home Affairs, regulators, and cybersecurity agencies. The strategy seeks to address the "spillover risk" where disruptions in one part of the financial system rapidly spread to others due to deep operational interdependence.

Spillover Risk: A Growing Concern

Read also: Treasury Yields Experience Largest Increase in Two Weeks Following Release of Labor Market Data

The government is aware of the risks associated with spillover incidents. For instance, a cyber outage in the banking sector can impact the securities market, while a disruption in clearing corporations can affect multiple sectors. This interconnected risk makes cross-sector stress testing and coordinated response critical. The proposed strategy aims to tackle this risk by implementing common standards, shared response mechanisms, and internationally recognized frameworks.

Enhanced Preparedness and Shared Response

Banks, securities markets, and other institutions will be required to follow common definitions, reporting standards, and internationally recognized cybersecurity frameworks. The goal is to ensure that all entities speak the same language when it comes to cybersecurity. This move comes as the government expects artificial intelligence to significantly increase the speed and sophistication of cyberattacks, compressing the time institutions have to respond to vulnerabilities.

Advisories and Directions

Read also: US-Iran Tensions Spark Uptick in Oil Prices Amid Global Market Decline

The Indian Computer Emergency Response Team (CERT-In) has already issued advisories to corporations, individuals, and micro, small, and medium enterprises, warning that cyber vulnerabilities may need to be addressed in hours rather than weeks or months. CERT-In has directed corporations to use AI to counter AI-driven attacks, emphasizing the need for swift action to prevent cyber incidents.

Support for Smaller Institutions

Under the proposed framework, smaller institutions such as cooperative banks, payment banks, small finance banks, and regional rural banks may be encouraged to use shared cybersecurity infrastructure such as managed security centers and virtual cybersecurity operations centers. This move aims to enhance the preparedness and resilience of these institutions in the face of emerging cyber threats.