Indian Payments Regulator Gives All-Clear After Ransomware Scare

August 8, 2024

A major technology provider hit by a ransomware attack last week is back online, after being briefly cut off from India’s retail payment system.

C-Edge Technologies, a provider of infrastructure and other services to Indian financial institutions, is back online after being “temporarily isolated” by the regulator.

Last week, the National Payments Corporation of India (NPCI) confirmed that it had re-established connectivity with C-Edge after its affected systems were given the all-clear.

On August 31, C-Edge reported the attack and shut down its systems while a security review was carried out by an independent auditing firm.

One day later, the auditor confirmed that C-Edge had taken steps to limit the spread of ransomware through its systems, and the firm was allowed to reconnect its clients to NPCI payment systems.

C-Edge, a joint venture of Tata Consultancy Services and State Bank of India (SBI), is a provider of core banking and digital payment solutions to cooperative and rural regional banks in India.

When news of the ransomware attack reached the NPCI, the regulator said it shifted to a “war footing” and worked with C-Edge to restore connectivity to its clients as quickly as possible.

During the period of isolation, customers of the banks serviced by C-Edge were unable to access any payment systems.

But within 24 hours, the NPCI confirmed that the rest of C-Edge’s infrastructure was “clean” and had not been affected by the ransomware attack.

“The impact was limited to C-Edge systems hosted in their data centre, and not on any of the cooperative banks or regional rural banks’ own infrastructure,” the regulator said.

“The services of co-operative banks and regional rural banks, which were dependent on C-Edge, have now been restored.

“With this, respective banks shall be able to offer a full range of services seamlessly to their customers, as it was before.”

In the aftermath of the attack, C-Edge said the security breach was the result of a supply chain attack targeting specific servers hosting application software for one of its clients.

Sources who spoke with Vixio said the attack posed a moderate threat to India’s payment systems, given the large number of financial institutions that C-Edge serves.

However, the total number of customers at these financial institutions, and the total number of transactions they generate, are relatively small.

It was, therefore, possible to cut off C-Edge for one day and not cause systemic disruptions, they said.

A lesson in operational resilience

The successful ransomware attack on C-Edge underscores the importance of operational resilience at third-party vendors — a priority area for the Reserve Bank of India (RBI).

In April, the RBI issued new guidance to all regulated entities on operational risk management and operational resilience.

In an introduction to the guidance, the RBI said that, until recently, the main operational risks faced by regulated entities stemmed from rapid adoption of new technologies for the provision of financial services.

However, the threat landscape has now changed. Following the COVID-19 pandemic, which accelerated the shift towards virtual working environments, the main threat now faced by the financial sector is its “growing reliance” on third-party providers, the regulator said.

The RBI’s guidance states that regulated entities should perform risk assessment and due diligence checks on all third-party technology providers, and that these providers should have “at least” an equivalent level of operational resilience.

Boards of directors and senior management are responsible for understanding third-party risks and devising a third-party risk management policy.

This should include appropriate business continuity plans, including contingency planning procedures and exit strategies, to maintain operational resilience in the event of failure or disruption at a third party.

One of the RBI’s proposed continuity solutions during an outage is to “bring the services back in-house” — an option that does not appear to have been available to the banks affected by the C-Edge outage.

The C-Edge outage took place only two weeks after the global outage of Microsoft’s cloud systems, caused by a failed update to a CrowdStrike tool.

Although India’s payments sector was mostly unscathed by the Microsoft outage — only ten banks and non-bank financial companies (NBFCs) were affected — regulated entities were reminded to ensure preparedness for future disruptions.
