How can security architecture be central to operational efficiency and transparency?
MALCOLM GOMES: The notion of zero trust has been around for a while. It started with NIST (National Institute of Standards and Technology) in the US. At this point, regulators have not mandated it. But it has crept into the thought process of organisations. It is also a space where the question of what zero trust architecture is tends to get slightly different answers. It could span everything from how systems are engineered and set up. It could span how integration with third parties happens and how data is shared. The concept is all-pervasive in a bank, or an enterprise, across the value chain.
What happens to implementation of systems related to cyber-security?
MAHAVIR JINDAL: In a financial services business, operations have to run in a zero-trust environment. The belief is that threat vectors are evolving at such a rapid scale that zero trust capabilities need to be taken to the next level, and at Amazon this has been absolutely paramount. One way this is implemented is through data. Any data exchange, whether with an external partner or an internal partner, happens in a zero trust environment, which means there is an exchange of keys. Any data, whether static or in motion, is always encrypted at Amazon.
While a decent job is being done, there is concern about the pace at which threats are evolving. For example, there was a case involving a video call through a deepfake a couple of years back, where an entity lost $25 million. That is the kind of pace at which evolution is now required. While there is a good foundation, there is still a long way to go to address the emerging threat vectors.
DEEP NARAYAN MUKHERJEE: With a ZT-like architecture, even in cases of exfiltration, where an external entity using malware has infiltrated the organisation, any attempt to move data out would be stopped. There are trade-offs in the speed of internal transactions, but this remains one of the best practices when the objective is to limit the impact of a cyber attack.
Beyond just KYC, what more should companies do?
GOMES: The KYC process has existed for a very long time and has been discussed extensively. What is now being seen are newer trends such as tampered documents. Many of these upstream issues, if not handled correctly, lead to downstream challenges. On the infrastructure side, changes are emerging alongside the advent of the Data Protection Act. Questions around how customer data is received, stored, retained, and shared with employees and third parties are beginning to reshape enterprise practices. There is growing focus on ensuring data is purged once a specific task is completed.
What areas would require further investment?
JINDAL: What is being realised is that KYC is only a gating criterion and is never going to be sufficient. There is a need for more tools that allow continuous monitoring. From a customer protection lens, the focus is on making rapid investments in the ability to continuously monitor accounts at risk, and protect customers when an emerging threat is detected. Another key area requiring investment is the risk created by AI. One growing concern is zero-click threats. As AI systems are now being used at scale, it is critical that outputs generated by these systems protect the organisation and operate within strong guardrails.
A third concern is customer fraud. Passwords are increasingly ineffective, and OTPs are being compromised at scale. Driving adoption of authentication mechanisms that are resistant to man-in-the-middle attacks is becoming a key priority.
What have been the learnings from the past few years related to investments in cyber-security?
MUKHERJEE: It is difficult to generalise. There are many Indian organisations that, in letter and spirit, give a high priority to cyber-security and make what would be considered the right investments in infrastructure, people, and policies. Outside this pocket of excellence, however, there remains significant scope for improvement. This largely comes down to the payoff profile. When cyber-security is not invested in, or is only addressed at a bare minimum level, a compromise of customer data may not result in a meaningful loss for the organisation. This is where regulators need to play a significant role by imposing penalties that are sufficient to change that calculation. The objective should be to ensure that data breaches or cyber incidents carry a real downside. At the same time, there needs to be balance, avoiding excessive regulatory stringency that mandates an unrealistically high percentage of revenue towards compliance and risks destabilising organisations, or pushing them towards bankruptcy. Such calibrated nudging is still awaited.
In the age of AI and deepfakes, how can organisations and customers ensure awareness?
JINDAL: Customer awareness is not an easy area. AI tools are now commonly used on desktops and apps, yet the risks associated with their use are often not fully considered. Questions around what is being exposed or shared are still not top of mind. Educating customers is therefore a long journey, but one that needs to begin now.
At present, the focus remains at a foundational level, with conversations centred on phishing and how customers can protect themselves, along with encouraging adoption of two-factor authentication, which some customers still do not use. This makes customer awareness a long pole in risk mitigation.