4 NBFC CISOs share their expertise on cyberthreats, the solutions offered by cybersecurity companies, rising costs and evolution of internal cybersecurity team:
- Mohit Kalra, CISO, ORIX Leasing and Financial Services
- Venkata Ramana Ratnakaram, CISO, Spandana Sphoorty
- Bhavik Dedhia, CISO, GIC Housing Finance
- Harish Kumar Arora, CISO, Aye Finance
Part 1
Types of cyberattacks that are the biggest threats to NBFCs
Mohit (Orix): Customer information or PII (Personally Identifiable Information) leakage is the biggest threat that every NBFC or BFSI sector firm faces. When an end user who takes a loan or a lease or opens a bank account, he/she shares his KYC documents and that’s where responsibility of protecting the same comes into the picture. We have seen in many case studies that PII leakage can lead to both qualitative damage and quantitative loss to any organization and it is quite difficult to regain the market trust. Irrespective of whether you are operating in B2B or B2C segment, any news on data breach can trouble you in big way.
Venkata (Spandana): The NBFC sector faces the following significant threats from various cyberattacks, listed here in order of reducing severity. Phishing and social engineering attacks exploit human vulnerabilities to gain access to sensitive information. Ransomware attacks encrypt data and demand ransoms, causing operational disruptions. Data breaches and insider threats compromise sensitive financial information. Distributed Denial of Service (DDoS) attacks can cripple online services. Man-in-the-Middle (MitM) Attacks divert money during payments. Insider threats can do a variety of harm. Malware, including spyware and trojans, infiltrates systems, stealing or damaging data. Credential stuffing exploits weak passwords to gain unauthorized access. Advanced Persistent Threats (APTs) involve prolonged, stealthy access to networks. Robust cybersecurity measures are essential to mitigate these evolving threats.
Bhavik (GICHF): The NBFC sector in India is increasingly targeted by sophisticated cyberattacks due to vast amount of sensitive financial and personal data it handles. Ransomware attacks remain one of the most pervasive threats, causing significant operational downtime and potential data breaches. These attacks have evolved from simple encryption schemes to sophisticated, multi-stage operations involving data exfiltration and double extortion tactics. A recent report by Cybersecurity Ventures projected ransomware damages to cost the world $265 billion annually by 2031 as ransomware perpetrators progressively refine their malware payloads and related extortion activities.
Supply chain attacks have become more prevalent. As NBFCs often rely on third-party vendors for various services, attackers may target these vendors to gain access to the NBFC’s network. Securing the supply chain has become critical to preventing these types of breaches.
Phishing and social engineering attacks have become highly targeted, leveraging social media and other public information to craft convincing messages and deceiving employees.
Advanced Persistent Threats (APTs) are a growing concern. These are prolonged and targeted cyberattacks where an intruder gains access to a network and remains undetected for an extended period, often to steal sensitive data or disrupt operations. APTs frequently use sophisticated evasion techniques and custom malware.
Insider threats, both malicious and inadvertent, pose significant risks, especially with the increased adoption of remote work. Employees with access to sensitive information can intentionally or unintentionally compromise data security.
Harish (Aye): The 4 biggest threats are data breaches, ransomware attacks, phishing and insider threats. Data breaches involve unauthorized access to sensitive customer information such as personal data, financial records, or intellectual property and can result in significant financial losses, reputational damage, and legal implications for NBFCs. Ransomware encrypts a company’s data or systems, rendering them inaccessible until a ransom is paid. NBFCs are vulnerable to ransomware attacks which can disrupt operations, lead to financial losses, and cause data breaches if sensitive information is compromised. Phishing attacks involve fraudulent attempts to obtain sensitive information such as login credentials or financial details by disguising as a trustworthy entity. Social engineering tactics manipulate individuals within NBFCs to divulge confidential information or perform actions that compromise security. Insider threats can come from current or former employees, contractors, or business partners who misuse their access privileges to steal data, commit fraud, or disrupt operations. NBFCs need robust access controls, monitoring systems, and employee training.
Part 2
Evolution of threats from individual hackers and organized gangs
Mohit (Orix): Script kiddies are becoming organized and result oriented; they mean business now. With the readily available outsourcing services such as Ransomware as a Service or other means of initiating a targeted attack, this industry is growing, and hackers are putting efforts while doing detailed reconnaissance by making use of free-flowing information available on social media and newsgroups. To protect ourselves, we need to be ahead of the game.
Venkata (Spandana): In the past 2 years, individual hackers have leveraged more advanced tools and Ransomware as a Service (RaaS), targeting remote work vulnerabilities and cryptocurrencies. Organized cybercriminal gangs have become more collaborative, focusing on targeted ransomware attacks with double extortion tactics, and exploiting supply chains. They employ advanced techniques like zero-day exploits and AI. Both groups have increased attack frequency and severity, emphasizing data theft and extortion, and exploiting global events. Improved evasion techniques have made detection harder, necessitating stronger, proactive cybersecurity measures.
Bhavik (GICHF): In the last 2 years, the cyber threat landscape has evolved significantly as both individual hackers and organized gangs have increased their sophistication. They are leveraging advanced tools and techniques, including AI and ML to automate attacks and evade detection. These technologies allow attackers to analyze vast amounts of data quickly, identify vulnerabilities and launch more effective attacks.
There is now more collaboration among individual hackers and organized cybercriminal gangs, leading to the sharing of tools, techniques, and strategies, making attacks more sophisticated. One notable development is the professionalization of cybercrime, with criminal organizations operating like legitimate businesses. They offer services such as Ransomware-as-a-Service (RaaS) which allows even novice hackers to launch ransomware attacks using rented tools from more experienced cybercriminals. Recruiting talent through dark web job postings has significantly increased.
Organized gangs are increasingly focusing on high-value targets and conducting extensive reconnaissance to tailor their attacks. These targeted attacks often result in higher ransoms and greater data theft. They are also using zero-day exploits more frequently, taking advantage of unpatched vulnerabilities before they are publicly disclosed and patched by vendors.
The motivations behind cyberattacks are also shifting. While financial gain remains a primary motive, we are seeing an increase in hacktivism and politically motivated attacks. These attacks aim to disrupt operations or make political statements, particularly targeting financial institutions.
Harish (Aye): In the last 2 years, the threats from individual hackers and organized gangs have evolved in several significant ways. First, hackers, both individual and organized groups, have adopted sophisticated techniques and often collaborate to enhance their capabilities. This includes sharing tools, tactics, and even selling access to compromised systems on the dark web. Second, there is a noticeable shift towards targeting critical infrastructure sectors such as healthcare, energy, and financial services, aiming to disrupt essential services and extort significant ransoms from organizations vulnerable to downtime. Third, ransomware attacks have escalated dramatically, with organized gangs developing more advanced ransomware strains and tactics. These attacks often involve not only encrypting data but also threatening to leak sensitive information if ransom demands are not met, exacerbating the impact on victims. Fourth, hackers are increasingly target supply chains to gain access to multiple organizations through interconnected systems. By compromising suppliers or service providers, attackers can infiltrate their primary targets more effectively and cause widespread disruptions. Fifth, both individual hackers and organized groups continuously exploit software vulnerabilities, leveraging zero-day exploits or known weaknesses in outdated systems, to gain unauthorized access, steal data, or deploy malicious software without detection until damage is done.
Part 3
Transformation of solutions offered by cybersecurity companies
Mohit (Orix): One of the most significant drivers of change in the cybersecurity industry is the widespread adoption of cloud computing and the Internet of Things (IoT), with the usage of AI and Gen AI. Cybersecurity companies are aware of the fact that IT and InfoSec leaders are inclined towards SaaS based security tools with minimal efforts from their teams. Even while selecting any application, leaders want 24×7 MSS kind of support for all the operational issues. Collaborative approach and knowledge sharing among vendors is also seen in threat hunting process. Other aspect which is taking the front seat and giving an edge over competition among service providers is accreditation / certifications of related industry and compliance to regional regulations.
Venkata (Spandana): The most meaningful transformation in cybersecurity solutions is the shift towards proactive and adaptive security measures. This includes the integration of AI & ML for real-time threat detection and response, Zero Trust architecture for enhanced access control, and extended detection and response (XDR) systems that provide comprehensive visibility and protection across an organization’s entire IT environment.
Bhavik (GICHF): Several key transformations are significantly shaping cybersecurity today. Artificial intelligence and machine learning have become crucial for advanced threat detection, enabling faster and more accurate identification of anomalies by automating data analysis. Innovations such as Secure Access Service Edge (SASE) are revolutionizing cloud security by integrating networking and security services into a unified, cloud-delivered platform, which is especially important for supporting remote work and modern digital infrastructures. Privacy-enhancing technologies are gaining traction for their role in safeguarding personal data and ensuring compliance with stringent regulations. Behavioral analytics is another innovative area. By analyzing user behavior, these solutions can detect anomalies that might indicate insider threats or compromised accounts. Additionally, Zero Trust Architecture is increasingly central to security strategies, promoting a rigorous ‘never trust, always verify’ approach to access requests, which strengthens overall security by continually validating users and devices. These advancements reflect a broader trend towards more integrated, intelligent and adaptive cybersecurity solutions to address evolving threats and protect critical assets.
Harish (Aye): The most meaningful transformation in solutions offered by cybersecurity companies in recent years can be summarized in five key points. First, cybersecurity companies have increasingly integrated AI & ML into their solutions to enhance threat detection and response capabilities by analyzing vast amounts of data in real-time to identify patterns indicative of malicious activity. Second, there has been a significant move towards Zero Trust Architecture (ZTA), where trust is never assumed and strict access controls are enforced based on identity verification and device security posture. Third, cybersecurity solutions have evolved to address the unique challenges of securing cloud environments. This includes offering cloud-native security tools that provide visibility, control, and protection across multi-cloud and hybrid cloud infrastructures. Fourth, Endpoint Detection and Response (EDR) solutions have become crucial in protecting endpoints such as laptops, desktops, and mobile devices. These solutions not only monitor for suspicious activities but also enable rapid containment and remediation of incidents to minimize damage. Fifth, cybersecurity companies now leverage comprehensive threat intelligence feeds and platforms to enhance their detection capabilities. This includes gathering and analyzing global threat data to anticipate emerging threats, enrich incident response workflows, and provide proactive defences against evolving attack vectors.
Part 4
Cybersecurity cost vis-à-vis business volume and IT budgets
Mohit (Orix): More than the volume of business, it is the regulations specific to that industry or region which is increasing the cybersecurity cost. Though the exact rules are waited for DPDP Act, gap analysis has already been performed by organizations and budget allocated for implementation. Other than that, RBI is giving more importance to cyber security and outsourcing, and releasing related guidelines, which is adding to cost factor. Data classification and various security tools preventing data leakage, along with the efforts from skilled subject matter expert adds up to the budget, and I think it will continue to grow.
Venkata (Spandana): Cybersecurity costs have increased significantly, often outpacing the growth of business volumes and IT budgets due to rising threats and compliance demands. This trend is expected to continue as cyber threats evolve and organizations invest more in advanced security measures. Future trends may see costs stabilizing with increased automation and more cost-effective, scalable cybersecurity solutions becoming available.
Bhavik (GICHF): Over the past few years, the rising threat landscape has necessitated higher investments in security technologies, skilled personnel and advanced threat intelligence. The complexity and frequency of cyberattacks require continuous updates to security infrastructure and constant vigilance. Today, we face more sophisticated and frequent cyberattacks than ever before, necessitating a proactive and multi-layered defence strategy. Traditional methods are no longer sufficient, and advanced technologies like AI and ML are essential for real-time threat detection and response. Organizations are significantly increasing their cybersecurity budgets to stay ahead of potential threats, viewing it as an investment in the safety and trust of their customers and the stability of their business operations. Spending has seen substantial increases in key areas such as advanced threat detection and response, employee training and awareness, compliance with regulatory requirements, endpoint security for remote work, and bolstering incident response and recovery capabilities. Looking ahead, cybersecurity spending is expected to continue rising.
Digital transformation is another factor. As businesses undergo digital transformation and adopt new technologies, the need for robust cybersecurity measures to protect digital assets has grown. Ultimately, investing in cybersecurity is not just about protecting data, it’s about safeguarding entire business operations.
Harish (Aye): Cybersecurity costs have generally increased significantly compared to business volumes and IT budgets over the past decade. Several factors contribute to this trend. First, the frequency, sophistication, and impact of cyberattacks have increased, necessitating more robust cybersecurity measures. Second, governments worldwide have enacted stringent data protection laws (e.g., GDPR, CCPA) and industry regulations that require organizations to implement comprehensive cybersecurity measures. Compliance with these regulations often involves additional costs related to cybersecurity audits, data protection measures, and incident response capabilities. Third, the rapid adoption of digital technologies, cloud computing, IoT, and remote work has expanded the attack surface for cyber threats. Fourth, there is a global shortage of skilled cybersecurity professionals, which drives up the cost of hiring and retaining cybersecurity talent. Organizations often need to invest in training programs, certifications, and competitive salaries to attract skilled cybersecurity experts. Fifth, modern cybersecurity solutions are increasingly complex and multifaceted, incorporating technologies such as AI, ML, behavioral analytics, and automated response capabilities, which require additional investments in training, integration, and ongoing maintenance.
Part 5
Evolution of the cybersecurity teams
Mohit (Orix): I will not talk specific to my organization, however, the general trend in small to mid-size NBFCs is to outsource the tasks requiring 24×7 monitoring and involving continuous configurations from skilled subject matter experts. Taking approval for increasing head count is difficult as compared to outsourcing a yearly/quarterly task. As automation penetrated the monotonous and repeated tasks of routine IT helpdesk taskforce as did cloud-based models of antivirus and patch management, the reduced cybersecurity team is now more focussed on business enablement, improving internal processes, managing vendors, audits and compliance work.
Venkata (Spandana): Over the last 3 years, the cybersecurity team at Spandana evolved by expanding staff, integrating AI-driven tools, emphasizing continuous training, and adopting a zero-trust model to enhance proactive threat detection and response. Over the last 3 years, our cybersecurity team has automated most SOC operations, now managed by a team of 3. We have supplement with additional resources from Big 4 firms and leading cybersecurity vendor partners as needed.
Bhavik (GICHF): In the past 3 years, many organizations have experienced a significant shift in their approach to cybersecurity. Previously, cybersecurity was often managed within the IT department without a dedicated CISO. Cybersecurity has now evolved into a distinct and essential function. This change reflects the increasing sophistication of cyber threats and stricter regulatory demands, recognizing cybersecurity as a critical business enabler rather than just a technical function. Today’s cybersecurity teams focus on proactive risk management, compliance, security operations and data integrity, working closely with IT, legal, compliance and business units to ensure security measures align with organizational goals and regulations. The role of the Information Security department has now become crucial, as it helps mitigate the potential damage a cyber-attack can inflict on a company’s reputation and operations. It ensures that organizations are not only prepared to respond to and recover from attacks but also capable of proactively safeguarding their digital assets, maintaining trust and ensuring the smooth operation of the business.
Harish (Aye): Over the past 3 years, the cybersecurity team at Aye Finance has undergone significant evolution to adapt to emerging threats and technological advancements. With increasing complexity and diversity of cybersecurity challenges we face, the team has grown in size and expertise, with additional hiring focused on specialized roles such as threat intelligence analysts, penetration testers, incident responders, and data privacy specialists.
Thanks to our investments in automation and orchestration tools, our team can respond more quickly to security incidents and focus on strategic initiatives rather than repetitive tasks. We work closely with IT, legal, compliance, and risk management teams to align cybersecurity strategies with business objectives, regulatory requirements, and operational priorities.
[email protected], [email protected]
Read more:
BAGIC navigates the influencer marketing landscape
