Strategic Impact of End of Support of Windows XP on Banks in India

Navigating the Future

© 2013 Ascentius Consulting

download.microsoft.com/download/0/3/3/0336A10A-D...


Preface

The financial intermediation role that Banks fulfill makes them a participant in virtually every aspect of the Indian economy, be it in the sphere of investments, commercial transactions or individual lives. As an institution that touches upon millions of lives every day, individuals across the length and breadth of this nation partake of banking services satisfactorily and with a smile.

For an institution of this magnitude, resilience and reliability are intrinsic to its very nature and Indian Banks have fulfilled this mandate very well. In an ever-changing world, new drivers & restraints arise and new risks sweep Banks in waves. But Banks have held their ground and successfully managed risks in all their dimensions.

A new risk arises on the firmament. For Banks, whose entire structural edifice is built on Information Technology, the termination of extended support for Windows XP is an event of major significance, particularly given that PCs with Windows XP are strewn across thousands of Bank branches in metro, urban, semi-urban and rural locations. This event has given rise to IT risks and, concomitantly, operational risks and reputational risks for Banks.

The objective of this report is to bring together the strategic implications and business risks that Banks face in light of the expiration of support for Windows XP. Our research suggests that while all Banks are aware of the event leading to termination of extended support for Windows XP, many Banks have not paid sufficient attention to addressing the risk emanating from this event. Our research further suggests that Banks that have not addressed the risk are likely to face scenarios ranging from service disruption to denial of service in Bank branches. The outcomes will range from customer dissatisfaction, delays in availing banking services, denial of service for customers, inconvenience to Bank employees and missed revenue opportunities for Banks to, in the worst case, financial losses.

Ascentius’ report brings considerable attention to the problem and Banks can treat this report as an opportunity to inform themselves on the origination of risk, the analysis of risk, the implications of risks and strategies that can lead to cessation of risk.

Finally, we appreciate the positive response, useful data, information and insights we received from numerous respondents in India’s leading Banks and IT System Integrators who manage IT for Banks as part of outsourced contracts. We would like to sincerely thank all who assisted us.

Before concluding, I would like to emphasise that while this research is funded by Microsoft, our work remains truly independent, objective and neutral.

Alok Shende

Principal Analyst & Managing Director

Ascentius Consulting


Table of Contents

Executive Summary 4

Risk Management Framework 6

Key Application Ecosystem at Bank’s Branches 9

Identification of Key Risk 12

Windows XP Risk Map 25

Risk Analysis 26


Executive Summary

Indian Banks are firmly straddled on the engine of growth. With a theme of soft economy in the background, Banking Credit in India has grown at over 18% CAGR over the past 5 years. And Bank branches are growing at a healthy 6% CAGR over the past 4 years.

Even as Banks are making investments in infrastructure to enhance consumer footprint, the quality of investments in the last 2 years is significantly different. There is a greater reliance on alternative and low-cost models. In addition to growing with the standard branch approach, new innovations such as the Business Correspondent Model, Ultra Small Branches and USSD-based Mobile Banking are now gaining traction.

The underlying theme across this new investment model is technology. And therefore it is more pertinent than ever to understand the role of technology in Banks and how technology can accord both resilience and risk for Banks.

Investment in IT started as a source to seek differentiation. And while Banks are identifying unique sources of differentiation so as to compete in the marketplace, the broader role of IT has shifted to a cost of doing business rather than a source of differentiation alone. As applications have become core to business, IT is required to ‘keep the lights on’ for running the business. IT has become so intrinsic that any deviation from this paradigm can potentially become an issue of business risk for Banks.

The termination of extended support for Windows XP is one such risk that has risen up on the firmament. Windows XP, the workhorse of Indian Banks, is moving out of support from April 8, 2014. Given that there is a large transactional IT infrastructure residing on Windows XP, the arrival of this event is of significance to both IT and Business Managers.

To shine light on this issue, Ascentius conducted research with India’s leading State-owned Banks to examine their state of readiness to de-risk themselves from the hazard that will start emanating once Windows XP goes out of support. Given that this is an issue of mitigating risks arising from lack of support, Ascentius employed the AS/NZS ISO 31000:2009 Risk Management Framework. Some of the key highlights that emerge from Ascentius’ research include:

— While there is adequate knowledge about the issue, only a small proportion of Banks have fully addressed all risks by graduating to a higher version of Windows.

— There is a large segment of State-owned Banks that have embarked on the journey to move away from Windows XP, but may still be left with approximately 20% to 30% of their base on Windows XP even after April 2014. These Banks may inadvertently take on considerable risk exposure.

— From a technology risk perspective, with no free new patches, hot fixes or free support options, Windows XP will become zero day forever. Cyber criminals will focus on Windows XP to identify new sources of vulnerability and are likely to focus on targets with significant monetary potential.

— CERT India has written an advisory note for Windows XP users to immediately plan for upgradation to the latest available OS according to their requirements. Leading anti-virus software companies indicated that they cannot guarantee that they will be able to prevent threat activity involving unpatched exploits on Windows XP PCs.

— The penetration of Windows XP is particularly high in semi-urban and rural branches. Lacking support at these locations, there is a non-trivial likelihood of customers facing delays, service disruptions and denial of service in conducting banking transactions.

— New business opportunities such as financial inclusion and MGNREGA payments are becoming an important source of income for Banks in rural markets. Banks are likely to lose out on leveraging these emerging business opportunities because Windows XP PCs are unlikely to support the current edition of biometric hardware, card encoders and software that has been written for the latest technology.

— In the worst-case scenario, where sources of hazard impact with full force, the Indian Banking industry will be exposed to loss of income in the range of INR 330 Crores over a 3-day period.

— Furthermore, the waiting time for Metro & Urban Bank branches is expected to rise to more than 30 minutes for average transactions.

Should Banks set the wheels in motion and accelerate their decision-making cycle, there is still time to mitigate risks. The scope for latency in decision-making is low because the time it takes from decision to implementation is 4-6 months.


Risk Management Framework

The risk management process Ascentius followed in the course of this research is based on the AS/NZS ISO 31000:2009 framework.

Figure: Risk management process per AS/NZS ISO 31000:2009: Establishing the Context; Risk Assessment, comprising Risk Identification, Risk Analysis and Risk Evaluation; Risk Treatment; with Communication & Consultation and Monitoring & Review running alongside every step.

Source: AS/NZS ISO 31000:2009

The key steps in the risk management process are as follows:

Establish the Context

Before one begins to consider risk management, it is necessary to identify the strategic and organizational context under which an organization operates.

The organization’s goals, objectives, values, policies and strategies, and how one contributes to these, are also important considerations. These considerations help define the criteria by which decisions are made on the acceptability or otherwise of risks, and the form and basis of controls and management options available.

Identify risk categories

Organizations have an obligation to identify risks and ensure that all the appropriate people in the organization are made aware of them. Once identified, preventive measures can be taken and put in place to control the risks.

It is critical in the identification of risk that two key elements of actual or potential exposure are identified, namely:

— The cause of an exposure

— The effect of the exposure. The effects may include financial impact, impact on staff and other stakeholders, impact on reputation and probity, impact on operational management and impact on the delivery of programs.

The most commonly used method of identification is an effective interview program. An effective interview program should detect most emerging risk issues.

Analyse risks

The data collected from the identification phase has to be analyzed so that decisions can be made about evaluating, prioritizing and treating the risks. It helps separate the minor and major risks as well as those risks that fall in between.

Likelihood and consequences

Organizations would have some systems already in place to manage and control risks. These systems will have to be identified and should form the basis of risk analysis.

Risk analysis is a study of likelihood and consequences:

— What is the likelihood of an incident occurring?

— If an incident occurs, what would be the magnitude of its consequence?

The level of risk created by the incident is determined by analyzing the combined impact of likelihood and consequences.

Evaluate risks

Having analyzed the risks, evaluating and prioritizing these risks would be fairly straightforward. The results of the analysis are evaluated. This evaluation will generate a list of risks in categories of low, medium and high risk. This list will create an order of priority so that an occupier can make decisions about how best to treat these risks.

Monitor and review

Risk management is ongoing. Risks change in a changing environment. Good risk management places emphasis on monitoring and reviewing all current organizational plans, strategies, systems and controls.


Key Applications Ecosystem at Bank’s Branches

From our research on IT at the branch level, applications can be broadly classified under two categories. The first tier exclusively comprises the Core Banking Solution (CBS), the centralized web-based application that is hosted in the Bank’s Data Center and that can be accessed at the Bank branch level over a Web Browser. The second tier comprises a host of applications that provide for many critical branch-level functions. Many of these applications work as stand-alone applications, but as Banks realize the benefits of a centralized data center, many of these local applications are likely to be hosted in the Data Center in the future.

A priori, all banking applications have direct dependencies on branch-level PCs. So even while CBS is hosted in a centralized Data Center, it is accessed at the branch via a PC. Another distinguishing aspect of branch-level applications is that while the set of applications is common across all Banks that participated in this research, owing perhaps to common business processes, the manner in which these applications have been implemented varies. At one end are Banks that have rich client software installed on the PCs. There is another set of Banks that have hosted branch-level applications on servers. And lastly, there are Banks that have implemented a hybrid model in which some level of data processing happens on the local branch PC and the balance in the Bank’s Data Center. Any vulnerability stemming from lack of support for branch-level PCs has the potential to directly violate IT assurance and translate into inconvenience for customers.

Some of the key branch-level software includes:

Queue Management System

Given the rising turnout of customers at peak banking hours, managing the customer experience while they avail banking services is of utmost importance to Branch Managers. The Queue Management System helps retail Banks customize their clients’ individual experience when visiting the branch. Queue management systems help manage token ranking for a banking service and thus enable a stress-free waiting period for customers.

Self-update Kiosk

A self-service kiosk at a Bank branch enables customers to update their passbook by themselves, without having to wait at the counter to have their passbook printed. It essentially comprises a comprehensive solution for Bar Code-based printing that is integrated with the Core Banking System of the Bank. The application also provides for printing of the Bar Code from individual terminals at branches based on the account number.

Cheque Truncation System (CTS)

The Cheque Truncation System (CTS) enables faster clearing of cheques. CTS eliminates the need to move the physical instruments across branches, except in exceptional circumstances. This results in an effective reduction in the time required for payment of cheques, the associated cost of transit and delays in processing, etc., thus speeding up the process of collection or realization of cheques.

Credit Rating System

With the adoption of Basel II norms, credit risk management pervades all aspects of lending and income-producing activities of the Bank. Credit Risk is the primary financial risk in the banking system and encompasses consumer credit as well as business loans, new loans as well as existing loans, priority sector as well as non-priority sector.

The Bank’s Credit Rating System helps in monitoring credit worthiness and credit quality on a continuous basis to ensure the quality of advance assets.

Loan Origination System

Bank branches offer a host of loan products including car loans, commercial vehicle loans, inventory finance, home loans, education loans, personal loans, salary overdraft, loan against property and loan against shares, among others.

The Loan Origination System (LOS) facilitates the process of consumers availing loans. Once a consumer applies for a new loan from the chosen product areas, LOS accomplishes all tasks from capturing customer details and verification to incorporating credit scores from third parties such as CIBIL and the Bank’s internal credit ratings. The system helps Bankers arrive at an approve/reject decision and, if the loan is approved, a floor for the interest rates and discounts that can be offered to the client.

Human Resource Management Solution (HRMS)

An HRMS solution deployed at the Bank branch level enables employee self-service by providing functionalities like viewing leave records, printing of payslips, booking of the Bank’s guest house and electronic submission of various applications, etc. online. At a broader level the application helps improve the efficiency of the Bank’s existing systems, practices and procedures. Therefore, in a sense, the HRMS solution is a ‘hybrid’ system wherein some of the modules are ‘localized’ at the branch level while the rest are ‘centralized’.

A brief summary of the applications and the concomitant impact of hazard is as follows:


Application | Key Function | Key Stakeholders | Impact of Hazard
Queue Management System | Manage customer experience | Customers | Long queues, denial of service, chaos
Self-update Kiosk | Provide self-service & convenience to customers | Customers | Long queues, denial of service, chaos
Cheque Truncation System | Obviates the need to move the physical instruments across branches | Branch Management & Customers | Delay in loan processing & approvals; loss of customers
Credit Rating System | Manage financial risks for loan approvals & outstanding loans | Branch Credit Management & Customers | Delay in loan processing & approvals; loss of customers
Loan Origination System | Process loans | Branch Management & Customers | Delay in loan processing & approvals; loss of customers
Human Resource Management Solution | Employee records and self-service | Branch Management & Employees | Inconvenience to employees; employee dissatisfaction

Source: Ascentius Analysis


Identification of Key Risks

Risk management, by its very nature, is at the very heart of the banking industry and Bankers are in the middle of the risk-return conundrum. While the scope of risk management in Banks is all-pervasive, risks can be broadly categorized under three categories:

Figure: Risk categories. Banking Risks: Credit Risk, Liquidity Risk, Market Risk, Macroeconomic Risks, Foreign Exchange Risk, Legal Risk, Political Risk, Valuation Risk. Operational Risks: Loss of New Business Opportunity, IT Risk, Compliance Risk. Reputation Risks: Damage to Customer Relationship, Negative Media Coverage, Litigation, Negative Brand Perception.

Source: Ascentius Analysis

Among all the different risks listed above, Operational Risk and Reputational Risk assessment play an exceptional role in each organization. The key reason for this is that these two aspects impinge upon and integrate all the different functional areas within an organization and thus have the potential to integrate how risks pan out as well.

In this section we therefore look into the critical Operational and Reputational risks that Bank branches are likely to be exposed to due to the termination of extended support for Windows XP from April 8, 2014. First, we briefly describe the nature of the risks and then go on to analyze their impact in detail.

Risk of Bottlenecks in Leveraging New Business Opportunities

The connotation of risk is not limited to hazards that have potential downsides alone. Incidents that limit access to market opportunities and that stifle revenue upside equally come under the purview of risk, and Banks duly acknowledge the same in terms of their risk management framework.

New opportunities are opening up for retail Banks. However, for a Bank’s monetization strategy to derive fruitful results, a robust IT infrastructure at the branch level is a sine qua non. Ascentius evaluates three major opportunities where Banks are likely to experience challenges in light of IT infrastructure that relies on Windows XP.


New Aadhar Based e-KYC Norms

RBI, through its recent order (RBI/203-14/263, UBD.BPD (PCB) Cir. No. 15 /14.01.062/2013-14, dated September 17, 2013), has permitted Banks to leverage Unique Identification Authority of India (UIDAI) data for authenticating customer credentials in the electronic know-your-customer (e-KYC) process. This paperless process, as it turns out, is of immense benefit both to customers and to Banks. Customers can employ e-KYC as a valid means of authentication for banking services like Account Opening, buying insurance, Mutual Funds, DMAT accounts and other financial products.

Banks are required to employ UIDAI-approved biometric scanning devices to match the customer’s biometric scan with the corresponding records stored in the UIDAI Central Identity Data Repository. Many of the new biometric scanning devices do not support Windows XP and hence, Banks with Windows XP in Bank branches will be constrained to continue with the manual process, translating into higher transaction costs for Banks as well as depriving new customers of the convenience of e-KYC.

Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA)

Attending to the financial needs of bottom-of-pyramid customers is not only a regulatory requirement but also, more importantly, a significant growth opportunity for Banks. Furthermore, this opportunity space will fill up very fast. Not only is one Bank vying with another for the same set of customers but equally, telecom operators are also vying, with mobile services, for the same customers.

Banks have an inherent advantage in this race for bottom-of-pyramid customers. The MGNREG Act mandates a single branch to hold all accounts of Blocks/Panchayats and beneficiaries in a block. With the integration of the Aadhar Card and Biometric authentication, Banks will be able to support real-time transactions and thus eliminate fake attendance and corresponding fake payments.

For Banks to leverage these opportunities, Banks will need to set up biometric readers and software in the rural branches. Volumes are likely to be high since there are 15,000 MNREGA workers on average in each block, with 1-2 Bank branches per block.

Mandate for Financial Inclusion

“Swabhimaan”, the financial inclusion campaign launched by the Government of India in 2011, is running at full speed. Different Banks are at varying degrees of implementation of the program for Financial Inclusion, particularly in rural areas. While branch-level innovations such as the availability of a Basic Savings Bank Deposit Account are the first step towards financial inclusion, enhancing banking outreach to the remote corners of the country is an equally important dimension.

Banks are deploying technology to enhance customer outreach. Banks have started deploying smart cards, biometric authentication and mobile technology to help customers transact and to extend banking services similar to those of Bank Branches.

Downside Risks for Revenue Growth - Lack of Capability to Support

At the branch level, and particularly in semi-urban and rural branches, the deployment density of Windows XP PCs is relatively high. The current edition of biometric hardware, card encoders and software may not work on Windows XP PCs, the primary reason being that the device drivers have not been optimized to work on Windows XP. Furthermore, newer applications that meet emergent needs may not support XP, leaving Banks outside the realm of innovation. The possibility of biometric devices not working at all, low productivity resulting in long waiting times for consumers, and service disruptions resulting in denial of service are the most likely consequences.

Risk of Damage to Customer Relationship

One of the prime goals of public institutions is to ensure friction-free availability of their services and mitigation of transaction costs for their consumers. The risks emanating from the end of extended support for Windows XP are likely to impact both these aspects for customers.

Customer Service

When customers come in to the branch, they hope to complete their transactions within the expected period. To ensure lower latency for banking transactions, application and PC uptime are key elements of the puzzle.

Core Banking Software (CBS) is hosted in the Bank’s Data Centers and has no direct vulnerabilities. However, at the branch level, customer transactions that rely on CBS may be affected because the underlying Windows XP PC can potentially turn vulnerable after the expiry of Windows XP support. Similarly, local branch-level applications like Queue Management Applications or Loan Origination Software that operate on Windows XP PCs may turn vulnerable once the extended support for Windows XP expires.

Both of these strands have a direct impact on branch-level performance indicators. The potential impacts are likely to cause denial of service to banking customers as well as result in delays in the approval of consumer and business loans, both weighing negatively on customer satisfaction as well as revenue growth.


Customer Process | IT Asset | Frequency | Value | Impact | KPI
Token for Transaction | Queue Management System + Branch PC | High | - | Denial of Service | CSI
Deposits | CBS + Branch PC | High | Medium | Denial of Service | CSI
Withdrawal | CBS + Branch PC | High | Medium | Denial of Service | CSI
Account Information | CBS + Branch PC | High | - | Denial of Service | CSI
Passbook Updation | CBS + Branch PC | High | - | Denial of Service | CSI
Loan Request | Loan Origination System + Branch PC | Medium | High | Delays | RG + CSI

CSI: Customer Satisfaction Index, RG: Revenue Growth

Source: Ascentius Analysis

Potential losses from an outage will vary depending on the length of the outage. Branches that have a mix of Windows 7, Windows 8 and Windows XP PCs will be able to transfer workload to secure PCs. For Bank branches that are relying entirely on Windows XP, the potential losses will rise exponentially.

According to data points available to Ascentius from public sources including RBI and primary research interviews, the total number of vulnerable branches that have 40% penetration of Windows XP PCs is close to 34115 Bank branches.

PSU Banks | # of Branches | Annual Business in INR Lakhs | % of XP PCs | Vulnerable Branches | PCs per Branch | Worst Case Scenario
Rural | 8552 | 50 | 70% | 5987 | 4 | Outage + DOS
Semi-Urban | 18445 | 70 | 60% | 11067 | 6 | Outage + DOS
Urban | 22518 | 90 | 40% | 9007 | 7 | Outage + Delays
Metro | 20137 | 120 | 40% | 8055 | 10+ | Outage + Delays
Total | 69652 | | | 34115 | |

Source: RBI & Ascentius Analysis

We present two scenarios. The first scenario consists of Bank branches that have a mix of Windows XP along with Windows 7 & 8. The second scenario consists of the set of Bank branches, particularly in Semi-Urban & Rural locations, that have a higher mix of Windows XP PCs.


Scenario I

In the case of the first category, where the proportion of Windows 7 & Windows 8 PCs is relatively higher than Windows XP PCs, any materialization of risk for Windows XP PCs will result in their outage. Thus, the branch will have fewer PCs available to service the same volume of customers. At peak hours, the waiting time will stretch. According to industry estimates, the median waiting time for Banks is close to 5-15 minutes. Secondly, 54% of FTE time in a Branch goes towards servicing customers.

Figure: PSU Branch Time Allocation (% of Branch FTE): Back Office 23, Service 54, Sales 23. Figure: Wait Time in Branch (% of Banks): 2-5 Mins 26, 5-15 Mins 65, >15 mins 9.

Source: BCG & Ascentius Analysis

Under normal circumstances, where the triad of Banking staff, IT infrastructure and pace of customer walk-ins are optimized and working in sync, the system is in a steady state. However, once the hazard is actually established and the availability of Windows XP PCs goes down, it is likely to throw the smoothly running system out of gear.

Waiting time for customers even in normal hours will extend. In peak hours, there are likely to be non-linear cascading effects leading to long queues and extended waiting hours.


Ascentius estimates that the waiting time for Metro & Urban Bank branches is expected to rise to more than 30 minutes for average transactions.

Figure: Wait Time in Branch, Pre Hazard vs Post Hazard (% Waiting Time across 2-5 Mins, 5-15 Mins and >15 mins).

Source: Ascentius Analysis

Scenario II

The other risk that will play out, particularly in Semi-Urban & Rural branches, is the risk of denial of service. Penetration of Windows XP in these branches is on average 60% of all PCs. At the extreme end, there are Bank branches that have close to 80%-100% Windows XP based PCs. Many of the semi-urban and rural branches conduct a high volume of transactions. The volume of transactions can go as high as 1000 transactions in a day, particularly because the Government is transferring subsidies such as MGNREGA and Aadhar-based transactions through Banks.

Segment | # of Vulnerable Branches | Daily Business in INR Crores @293 days | Potential loss of income (INR Crores) with 30% Vulnerable Branches
Semi Urban Branch | 5987 | 0.24 | 793
Rural Branch | 11067 | 0.17 | 306

Potential Opportunity Lost | INR 1100 Crores/Day
Estimated Loss with 10% leakage | INR 110 Crores/Day
Estimated loss over 3 days | INR 330 Crores

Source: Ascentius Analysis

Excluding Sundays and scheduled holidays, there are close to 293 banking days in a year. Per-day business for a Rural branch is estimated at INR 17 Lakhs and for a semi-urban branch at INR 24 Lakhs per day. Assuming 30% of the vulnerable Bank branches go down owing to the actualization of the hazard on Windows XP PCs, the branches affected are estimated to be 5116 Bank branches. Should the hazard materialize and affect 30% of branches, Banks will be forgoing the opportunity of conducting business worth INR 1100 Crores per day. Assuming the systems come back in 3 days, customers will return to conduct banking transactions. However, even if 10% of the customers find alternative non-banking channels for conducting financial transactions over 3 days, the loss of income is estimated to be INR 330 Crores.

Vulnerabilities at Banking Customers End

Owing to the convenience and popularity of online banking, there is a large swathe of Indian consumers who access their online banking account and conduct banking transactions from their Windows XP PC. Upon termination of extended support for Windows XP, these PCs will potentially stand exposed to cybercriminals. The worst-case scenario entails the possibility of customers' account details being stolen by cybercriminals, who can then use this information to transfer money out of the compromised accounts.

To indemnify themselves, Banks should evaluate issuing advisories that educate their customers on how to protect themselves and avoid falling victim to such vulnerabilities.

IT Risks

There is a broad spectrum of technology risks that Banks face in light of the termination of extended support for Windows XP.

Vulnerability on account of End of support of Windows XP

With the end of support, Windows XP is likely to turn into a beehive of vulnerabilities that cybercriminals will find easy to exploit. The reasons are twofold:

New Patches as Signal for Vulnerability

As Microsoft releases new patches for Windows 7 and Windows 8, it simultaneously sends out signals about vulnerabilities that may also exist in Windows XP.

This risk is particularly accentuated because Microsoft releases security patches regularly, with the unintended consequence of leaving a trail for cybercriminals to pursue. From a risk origination perspective, it will be easy for cybercriminals to track the open vulnerabilities and exploit them.


New World, New Threats

Windows XP was conceptualized for a world where a firewall was enough to protect the system and its programs. However, the world has changed much beyond the original conception. The newer versions of Windows support features that match the sophisticated level of threats in vogue today. Key features include:

Protected View to help protect the computer

— Files from potentially unsafe locations are opened in Protected View. Using Protected View, the user can read a file and see its contents while reducing the risks.

No AutoRun

— Much malware has used the AutoRun feature in Windows XP to run and spread viruses. This feature has been disabled from Windows 7 onwards.

SmartScreen

— SmartScreen Filter can protect the user from downloading or installing malware.

Hardening of applications and default settings

— Hardening features in Windows 7 deny and deter hackers with layers of protection.

Windows Defender

— Protection against spyware and malware

Windows User Account Control

— User Account Control (UAC) can help users prevent unauthorized changes to the computer

AppLocker

— AppLocker provides administrators with the ability to specify which users can run which specific applications.

Windows XP lacks many of these features, which are default in Windows 7 & Windows 8.

Termination of ISVs' and Hardware Companies' Support for Windows XP

ISVs and hardware vendors follow planned obsolescence cycles. Many ISVs and hardware manufacturers (including those of PCs, printers, smart card readers and the long tail of other devices) are expected to both stop testing new features and stop supporting critical applications that work on Windows XP.

Computer Emergency Response Team-India (CERT-In) has flagged this issue in its Advisory issued in July 2013.

In sum, the implication is that many of the applications and IT hardware that Banks have deployed in branches may no longer be supported by the vendors themselves, as a result of which many customer-facing operations at Bank branches may not be able to function at the expected benchmarks.

Antivirus Support

From our conversations with many Banks, there is a modicum of assurance that Banks will be able to protect their Windows XP PCs with antivirus software and hence there is no urgency to invoke the PC refresh cycle or OS upgrade. Simultaneously, there is a belief that because Windows XP PCs at the Bank branch level are connected to a LAN with no exposure to the Internet, there is little risk of PCs being infected with viruses.

However, neither argument is borne out by facts.

“The software vendors and hardware manufacturers will stop support for Windows XP on their new versions and models…. It is recommended that all the users and organisations using Windows XP OS in their environment should immediately plan for upgradation to the latest available OS according to their requirement and test software applications well before April, 2014.”

“Most viruses, Trojan horses, and worms are activated when you open an attachment or click a link contained in an email message. If your email client allows scripting, then it is possible to get a virus by simply opening a message.”

“After the official End of Support date from Microsoft goes into effect, Symantec Support may not be able to provide full threat resolution on XP systems due to a lack of Microsoft security patches. …we cannot guarantee that we will be able to prevent threat activity involving unpatched exploits.”

Page 21: Strategic Impact of End of Support of Windows XP on Banks ...download.microsoft.com/download/0/3/3/0336A10A-D...accord both resilience and risk for Banks. Investment in IT started

© 2013 Ascentius Consulting 21

Furthermore, sharing data on USB drives is a fairly common practice in Banks, giving rise to another vector that can transport viruses targeting Windows XP vulnerabilities. And lastly, the internal LAN can serve as a network to propagate viruses.

SI Partner Support

In our conversations with System Integration partners for Banks, two viewpoints have come to the fore.

One set of SIs recognizes the implications of the end of support for Windows XP and deduces the impact on their practice. System Integrators in this category are categorical about what they can offer and what they cannot.

At the other end of the spectrum are System Integrators who recognize the end of extended support for Windows XP as a market opportunity that can be monetized. System Integrators in this category are likely to claim that they have expertise in supporting Windows XP and will offer paid support services to Banks.

However, there is a need to shine light on this aspect. Key questions to which Banks must elicit answers from System Integrators include:

— Will SI partners offer services to maintain Windows XP at competitive prices or will they, knowing Banks are at their mercy, charge opportunistic prices?

— Since SI partners do not have access to Microsoft Windows XP source code, how will they be able to address vulnerabilities that stem from the Windows XP OS itself?

— Banks have branches that sum to thousands of locations, both in urban centers and the hinterland. How will SI partners be able to extend support at locations where they do not have a presence?

“As part of the contract with Banks, we have a PC replacement policy at the branch level for events such as hardware failure. However, if the PC has Windows XP and if XP is out of support from Microsoft, we won’t replace the PC.”

“We will also not offer paid support to our Banking clients for Windows XP PC post April 2014.”

India’s Leading Hardware Manufacturer & IT Outsourcing Partner for Banks.

“2. For PCs that have Windows XP, will HP offer paid support after April 2014, when XP will no longer be supported by Microsoft? NO.”


— In case of an increased likelihood of impact, speed to contain the impact is of prime essence. How will SI partners execute their containment tasks so that when the branch opens for business at 9:30 AM, it is up and running?

— Will SI partners be able to guarantee Windows XP uptime for the contractual periods, and will they be able to indemnify Banks for any losses should they fail to meet their commitments?

Our prognosis remains that none of the System Integrators is capable of meeting the above five criteria, and Banks should have a healthy dose of skepticism in accepting propositions offered by System Integrators on this count.

While Microsoft does offer a "Custom Support Agreement" for customers who may want to stay on Windows XP after April 8, 2014, this option is a very expensive proposition, rendering postponement beyond the stipulated period an unwise decision.

Execution Risk

In the course of the research, Ascentius has identified a small set of State-owned Banks that have moved the majority of their PCs to Windows 7.

A second segment comprises State-owned Banks that are on their way to moving off Windows XP by April 2014. The third segment comprises a large number of State-owned Banks that have embarked on the journey away from Windows XP but may still be left with approximately 20% to 30% of their base on Windows XP even after April 2014. Ascentius estimates that the third segment of Banks will expose themselves to execution risks unless they take extraordinary measures to speed up their decision-making cycles.

There are primarily two upgradation scenarios: the first consists of an OS upgrade on existing Windows XP PCs; the second is a PC refresh cycle. In both scenarios, we consider a Bank that has 1000 branches divided equally between urban, semi-urban and rural branches. The urban branches can have as many as 25 PCs and the rural branches as few as 2 PCs.

OS Upgradation Scenario

The OS upgradation process has to contend with the following constraints:

There is no single SI who has reach across these 1000 branches located in both cities and the hinterland. The choice is between:

— Large SI partners who will have good project management skills to execute this project but will result in longer elapsed time and higher costs

— Local or regional SI partners who will be more economical but carry large search costs and considerable project management risks. Search costs include the administrative costs that businesses expend to identify, negotiate with and select vendors. Given that Banks will have to search for vendors across hundreds of locations, search costs will rise to that extent.

Bank branches work from 9:30 AM to 6:30 PM, six days a week. System Integrators gain a very narrow window of time to accomplish the upgradation process.

OS upgrade may require RAM upgradation

— For 64-bit Windows XP, the recommended memory was 128 MB of RAM. For Windows 7, the recommended memory is 1 GB of RAM.

— Upgradation may require upgrading memory, backing up data, upgrading the OS and then finally reloading the data.

From Ascentius’ conversations with India’s leading SIs, the estimated time a Bank with 1000 branches will take to upgrade from Windows XP to a newer OS is approximately 4-6 months.

PC Refresh Scenario

Assuming the same Bank with 1000 branches spread equally between urban, semi-urban and rural regions, the problems this Bank has to contend with are as follows.

Depending on the distribution of Windows XP PCs in Banks, a PC refresh across 10000-25000 PCs will require a large financial outlay. Many Banks have not made a budgetary allocation of this quantum.

From our research, the estimated elapsed time from initiating the RFP process to final installation and testing of the acquired PCs can be in the range of 4-6 months.

In both scenarios, the time it will take to bring about a paradigm shift to a post-Windows XP world closely coincides with the April 2014 date that has been set for termination of extended support for Windows XP. Banks can use this window of opportunity to mitigate all risks.

Compliance Risk

Under the tutelage of the Reserve Bank of India, Banks have created an entire structural edifice to meet requirements for Information Security, Electronic Banking, Technology risk management and cyber frauds. Based on the COBIT architecture, the IT risk management function extends from IT Governance, organizational structure, and processes & procedures to, finally, audits.


While Banks are cognizant of their exposure to compliance risk originating from the end of extended support for Windows XP, the bigger challenge is to set the wheels in motion so as to address the impulse that is leading to vulnerability. Should Banks fail to close the loop within the prescribed timelines, they may have to bear denial of service in branches and, in the worst possible scenario, bear financial losses.


Windows XP Risk Map

The risks arising from termination of extended support for Windows XP can be plotted on two dimensions:

— The probability that the risk may occur

— The likely impact of the risk. In some instances, the impact may be in the acceptance zone; in other instances, the impact can have significant financial costs.

The total risk that Banks take is a function of probability and impact. Banks can use the Windows XP Risk Map to delineate which risks are acceptable and which are not, in conjunction with the impact, to arrive at their decision matrix.

Source: Ascentius Analysis

[Figure: Windows XP Risk Map, Likelihood (Low / Medium / High) against Impact (Low / Medium / High), plotting: Lack of Antivirus support; Lack of ISV support; New Business Revenue Risk; Compliance risks; Disruption to customer service; Loss of Income; Vulnerabilities at banking customer end; Upgradation Risk; Vulnerability to PC infrastructure]


IT Risks Analysis

This section presents the IT Risk Analysis for Bank branches.

Risk Analysis

Rank | Source/type of Risk | Description | Asset Affected | Metrics | Probability | Impact | Time to Impact | Financial Severity | Severity for Customer | Reputational Severity | Controls Assessment
1 | Technology | Vulnerabilities of Windows XP | All Windows XP desktops and laptops across the organization | Total Assets, Return on Net Assets | High | High | Immediate | High | High | High | Weak
2 | Technology | Termination of ISVs' and hardware companies' support for XP | Bar-code based printers in self-update kiosks, scanners in Cheque Truncation Systems (CTS), etc. | Operating Expenses, Return on Assets | High | High | Immediate | High | High | High | Weak
3 | Technology | Antivirus support | All Windows XP desktops, laptops and servers across the organization | Operating Expenses, Productivity | Medium | Low | Near-term | Medium | Low | Medium | Weak
4 | Technology | SI Partner Support | All Windows XP desktops and laptops across the organization | ROI, Employee Productivity, Resource Utilization | Low | Medium | Medium-term | Medium | Low | Low | Moderate
5 | Customer | Customer Service | Queue Management Systems, self-update kiosks, CTS, CRS | C-Sat, revenue/customer | Medium | High | Near-term | High | High | High | Weak
6 | Customer | Vulnerabilities at banking customer end | N/A | C-Sat, Revenues | Low | Low | Near-term | Low | High | Medium | Adequate
7 | Compliance | Regulatory compliance / RBI guidelines on IT Risk Management | All Windows XP desktops and laptops across the organization | Cost of funds, Revenue growth | Low | High | Medium-term | High | Medium | High | Weak
8 | Execution | OS Upgradation scenario | All Windows XP desktops and laptops across the organization | OpEx, Productivity | High | Medium | Near-term | High | Medium | Low | Weak
9 | Execution | PC Refresh scenario | All Windows XP desktops and laptops across the organization | Capital expense budget | Low | High | Medium-term | High | Low | Low | Moderate
10 | New Business Revenue Risk | New Aadhaar-based e-KYC | Windows XP desktops at branch | Revenue Growth, C-Sat | Medium | Medium | Near-term | Medium | High | Medium | Weak
11 | New Business Revenue Risk | MNREGA | Windows XP desktops at branch | Revenue Growth, C-Sat | Medium | Medium | Near-term | Medium | High | Medium | Weak
12 | New Business Revenue Risk | Financial Inclusion initiatives | Windows XP desktops at branch | Revenue Growth, C-Sat | Medium | Medium | Near-term | Medium | High | Medium | Weak
13 | Suppliers, vendors, other 3rd parties | Vulnerabilities at suppliers', vendors' and other 3rd-party partners' end | N/A | Productivity, Operating Expenses | Low | Low | Medium-term | Low | Medium | Low | Adequate

Source: Ascentius Analysis
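As an added example that is not part of the Ascentius report, the Python below encodes the probability, impact, time-to-impact and controls ratings from the IT Risk Analysis table above and scores each risk on the Likelihood x Impact map described in the Windows XP Risk Map section, so the register can be turned into a prioritised action list. The acceptance threshold and the urgency and control-gap weights are this example's assumptions, not values from the report.

```python
from dataclasses import dataclass

# Rating scale shared by the Likelihood and Impact axes of the report's risk map.
RATING = {"Low": 1, "Medium": 2, "High": 3}
# Weights for time to impact and for control strength are assumptions of this
# example, not values from the report.
URGENCY = {"Immediate": 3, "Near-term": 2, "Medium-term": 1}
CONTROL_GAP = {"Weak": 3, "Moderate": 2, "Adequate": 1}

@dataclass(frozen=True)
class Risk:
    rank: int
    source: str
    description: str
    probability: str
    impact: str
    time_to_impact: str
    controls: str

# Rows transcribed from the report's IT Risk Analysis table:
# (rank, source, description, probability, impact, time to impact, controls).
RISK_REGISTER = [
    Risk(1, "Technology", "Vulnerabilities of Windows XP", "High", "High", "Immediate", "Weak"),
    Risk(2, "Technology", "Termination of ISV and hardware support for XP", "High", "High", "Immediate", "Weak"),
    Risk(3, "Technology", "Antivirus support", "Medium", "Low", "Near-term", "Weak"),
    Risk(4, "Technology", "SI Partner Support", "Low", "Medium", "Medium-term", "Moderate"),
    Risk(5, "Customer", "Customer Service", "Medium", "High", "Near-term", "Weak"),
    Risk(6, "Customer", "Vulnerabilities at banking customer end", "Low", "Low", "Near-term", "Adequate"),
    Risk(7, "Compliance", "RBI guidelines on IT Risk Management", "Low", "High", "Medium-term", "Weak"),
    Risk(8, "Execution", "OS Upgradation scenario", "High", "Medium", "Near-term", "Weak"),
    Risk(9, "Execution", "PC Refresh scenario", "Low", "High", "Medium-term", "Moderate"),
    Risk(10, "New Business Revenue Risk", "New Aadhaar-based e-KYC", "Medium", "Medium", "Near-term", "Weak"),
    Risk(11, "New Business Revenue Risk", "MNREGA", "Medium", "Medium", "Near-term", "Weak"),
    Risk(12, "New Business Revenue Risk", "Financial Inclusion initiatives", "Medium", "Medium", "Near-term", "Weak"),
    Risk(13, "Suppliers, vendors, other 3rd parties", "Vulnerabilities at 3rd-party partners' end", "Low", "Low", "Medium-term", "Adequate"),
]

def inherent_score(risk: Risk) -> int:
    """Probability x Impact: the product of the two axes of the report's risk map (1..9)."""
    return RATING[risk.probability] * RATING[risk.impact]

def map_zone(risk: Risk, acceptable_max: int = 2) -> str:
    """Place a risk inside or outside the acceptance zone. The threshold (score <= 2,
    i.e. at most one 'Medium' paired with a 'Low') is an assumption of this example."""
    return "Acceptable" if inherent_score(risk) <= acceptable_max else "Not acceptable"

def priority_score(risk: Risk) -> int:
    """Assumed prioritisation: inherent score amplified by weak controls and urgency,
    so an unmitigated, immediate risk outranks a controlled, distant one."""
    return inherent_score(risk) * CONTROL_GAP[risk.controls] * URGENCY[risk.time_to_impact]

def prioritised(register=RISK_REGISTER) -> list:
    """Register sorted for action: highest priority first, ties broken by report rank."""
    return sorted(register, key=lambda r: (-priority_score(r), r.rank))

def risk_map(register=RISK_REGISTER) -> dict:
    """The Likelihood x Impact grid of the report's risk map: cell -> list of risk ranks."""
    grid = {(p, i): [] for p in RATING for i in RATING}
    for r in register:
        grid[(r.probability, r.impact)].append(r.rank)
    return grid
```

Running `prioritised()` puts the two Technology risks (Windows XP vulnerabilities, loss of ISV and hardware support) at the top, followed by Customer Service and the OS upgradation scenario; `risk_map()` returns the grid cells a Bank would fill in on its own map.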