Strategic Impact of End of Support of Windows XP on Banks...
© 2013 Ascentius Consulting
Navigating the Future
Strategic Impact of End of Support of Windows XP on Banks in India
Preface
The financial intermediation role that Banks fulfill makes them a participant in virtually every aspect of the Indian economy, be it in the sphere of investments, commercial transactions or individual lives. As an institution that touches upon millions of lives every day, individuals across the length and breadth of this nation partake of banking services satisfactorily and with a smile.
For an institution of this magnitude, resilience and reliability are intrinsic to its very nature and
Indian Banks have fulfilled this mandate very well. In an ever-changing world, new drivers &
restraints arise and new risks sweep Banks in waves. But Banks have held on to their ground
and successfully managed risks in all their dimensions.
A new risk arises on the firmament. For Banks, whose entire structural edifice is built on
Information Technology, the termination of extended support for Windows XP is an event of
major significance, particularly given that PC’s with Windows XP are strewn across thousands of
Bank Branches in metro, urban, semi-urban and rural branches. This event has given rise to IT
risks and concomitantly, operational risks and reputational risks for Banks.
The objective of this report is to bring together the strategic implications and business risks that Banks face in light of the expiration of support for Windows XP. Our research suggests that while all Banks are aware of the event leading to termination of extended support for Windows XP, many Banks have not paid sufficient attention to addressing the risk emanating from this event. Our research further suggests that Banks that have not addressed the risk are likely to face scenarios ranging from service disruption to denial of service in Bank branches. The outcomes will range from customer dissatisfaction, delays in availing banking services, denial of service for customers, inconvenience to Bank employees and missed revenue opportunities for Banks to, in the worst case, financial losses.
Ascentius’ report brings considerable attention to the problem and Banks can treat this report as
an opportunity to inform themselves on the origination of risk, the analysis of risk, implications
of risks and strategies that can lead to cessation of risk.
Finally, we appreciate the positive response, useful data, information and insights we received from numerous respondents in India’s leading Banks and IT System Integrators who manage IT for Banks as part of outsourced contracts. We would like to sincerely thank all who assisted us.
Before concluding, I would like to emphasise that while this research is funded by Microsoft, our work remains truly independent, objective and neutral.
Alok Shende
Principal Analyst & Managing Director
Ascentius Consulting
Table of Contents
— Executive Summary
— Risk Management Framework
— Key Application Ecosystem at Bank’s Branches
— Identification of Key Risk
— Windows XP Risk Map
— Risk Analysis
Executive Summary
Indian Banks are firmly straddled on the engine of growth. With a theme of a soft economy in the background, Banking Credit in India has grown at over 18% CAGR over the past 5 years, and Bank branches are growing at a healthy 6% CAGR over the past 4 years.
Even as Banks are making investment in infrastructure to enhance consumer footprint, the
quality of investments in the last 2 years is significantly different. There is a greater reliance on
alternative and low cost models. In addition to growing with the standard branch approach, new
innovations such as Business Correspondent Model, Ultra Small Branches and USSD based
Mobile Banking are now gaining traction.
The underlying theme across this new investment model is technology. It is therefore more pertinent than ever to understand the role of technology in Banks and how technology can accord both resilience and risk to Banks.
Investment in IT started as a source of differentiation. And while Banks are still identifying unique sources of differentiation so as to compete in the marketplace, the broader role of IT has shifted to being a cost of doing business rather than a source of differentiation alone. As applications have become core to business, IT is required to ‘keep the lights on’ for running the business. IT has become so intrinsic that any deviation from this paradigm can potentially become an issue of business risk for Banks.
The termination of extended support for Windows XP is one such risk that has risen up on the
firmament. Windows XP, the workhorse of Indian Banks is moving out of support from April 8,
2014. Given that there’s a large transactional IT infrastructure residing on Windows XP, the
arrival of this event is of significance to both the IT and Business Managers.
To shine light on this issue, Ascentius conducted research with India’s leading State owned Banks to examine their state of readiness to de-risk themselves from the hazard that will start emanating once Windows XP goes out of support. Given that this is an issue of mitigating risks arising from lack of support, Ascentius employed the AS/NZS ISO 31000:2009 Risk Management Framework. Some of the key highlights that emerge from Ascentius’ research include:
— While there is adequate knowledge about the issue, only a small proportion of Banks have fully addressed all risks by graduating to a higher version of Windows.
— There is a large segment of State owned Banks that have embarked on the journey to move away from Windows XP, but may still be left with approximately 20% to 30% of their base on Windows XP even after April 2014. These Banks may inadvertently take on considerable risk exposure.
— From a technology risk perspective, with no free new patches, hot fixes or free support options, Windows XP will become zero day forever. Cyber criminals will focus on Windows XP to identify new sources of vulnerability and are likely to focus on targets with significant monetary potential.
— CERT India has written an advisory note for Windows XP users to immediately plan for upgradation to the latest available OS according to their requirement. Leading anti-virus software companies indicated that they cannot guarantee that they will be able to prevent threat activity involving unpatched exploits on Windows XP PC’s.
— The penetration of Windows XP is particularly high in semi urban and rural branches. Lacking support at these locations, there is a non-trivial likelihood of customers facing delays, service disruptions and denial of service in conducting banking transactions.
— New business opportunities such as financial inclusion and MGNREGA payments are becoming an important source of income for Banks in rural markets. Banks are likely to lose out on these emerging business opportunities because Windows XP PC’s are unlikely to support the current edition of biometric hardware, card encoders and software written for the latest technology.
— In the worst case scenario, where sources of hazard impact with full force, the Indian Banking industry will be exposed to loss of income in the range of INR 330 Crores over a 3 day period.
— Furthermore, the waiting time for Metro & Urban Bank branches is expected to rise to more than 30 minutes for average transactions.
Should Banks turn the wheels in motion and accelerate their decision making cycle, there is still
time to mitigate risks. The scope of latency in decision-making is low because the time it takes
from decision to implementation is 4-6 months.
Risk Management Framework
The risk management process Ascentius followed in course of this research is based on the
AS/NZS ISO 31000: 2009 framework.
Source: AS/NZS ISO 31000:2009
The key steps in the risk management process are as follows:
Establish the Context
Before one begins to consider risk management, it is necessary to identify the strategic and organizational context under which an organization operates.
The organization’s goals, objectives, values, policies and strategies, and how one contributes to these, are also important considerations. These considerations help define the criteria by which decisions are made on the acceptability or otherwise of risks, and the form and basis of controls and management options available.
[Figure: AS/NZS ISO 31000:2009 risk management process. Establishing the Context; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; with Communication & Consultation and Monitoring & Review running alongside every step.]
Identify risk categories
Organizations have an obligation to identify risks and ensure that all the appropriate people in
the organization are made aware of them. Once identified, preventive measures can be taken and
put in place to control the risks.
It is critical in the identification of risk, that two key elements of actual or potential exposure are
identified, namely:
— The cause of an exposure
— The effect of the exposure. The effects may include financial impact, impact on staff, and
other stakeholders, impact on reputation and probity, impact on operational
management and impact on the delivery of programs
The most commonly used method of identification is an effective interview program. An effective
interview program should detect most emerging risk issues.
Analyse risks
The data collected from the identification phase has to be analyzed so that decisions can be
made about evaluating, prioritizing and treating the risks. It helps separate the minor and major
risks as well as those risks that fall in between.
Likelihood and consequences
Organizations would have some systems already in place to manage and control risks. These
systems will have to be identified and should form the basis of risk analysis.
Risk analysis is a study of likelihood and consequences.
— What is the likelihood of an incident occurring?
— If an incident occurs, what would be the magnitude of its consequences?
The level of risk created by the incident is determined by analyzing the combined impact of
likelihood and consequences.
Evaluate risks
Having analyzed the risks, evaluating and prioritizing them is fairly straightforward. The results of the analysis are evaluated, and this evaluation sorts the risks into categories of low, medium and high. This list creates an order of priority so that the organization can make decisions about how best to treat these risks.
Monitor and review
Risk management is ongoing. Risks change in a changing environment. Good risk management places emphasis on monitoring and reviewing all current organizational plans, strategies, systems and controls.
Key Applications Ecosystem at Bank’s Branches
From our research on IT at the branch level, applications can be broadly classified under two categories. The first tier exclusively comprises the Core Banking Solution (CBS), the centralized web-based application that is hosted in the Bank’s Data Center and accessed at the Bank branch over a Web Browser. The second tier comprises a host of applications that provide many critical branch level functions. Many of these applications work as stand alone applications, but as Banks realize the benefits of a centralized data center, many of these local applications are likely to be hosted in the Data Center in the future.
A priori, all banking applications have direct dependencies on branch level PC’s. So even while CBS is hosted in a centralized Data Center, it is accessed at the branch via a PC. Another distinguishing aspect of branch level applications is that while the set of applications is common across all Banks that participated in this research, owing perhaps to common business processes, the manner in which these applications have been implemented varies. At one end are Banks that have rich client software installed on the PC’s. Another set of Banks have hosted branch level applications on servers. And lastly, there are Banks that have implemented a hybrid model in which some data processing happens on the local branch PC and the balance in the Bank’s Data Center. Any vulnerability stemming from lack of support for branch level PC’s has the potential to directly violate IT assurance and translate into inconvenience for customers.
Some of the key branch level software includes:
Queue Management System
Given the rising turnout of customers at peak banking hours, managing customers experience
while they avail banking services is of utmost importance to Branch Managers. The Queue
Management System helps Retail Bank customize their client’s individual experience when
visiting the branch. Queue management systems help manage tokens ranking for a banking
service and thus enable a stress-free waiting period for customers.
Self-update Kiosk
A self-service kiosk at a Bank branch enables a customer to update their passbook by
themselves, without having to wait at the counter for having their passbook printed. It
essentially comprises a comprehensive solution for Bar Code-based printing that is integrated
with the Core Banking System of the Bank. The application also provides for printing of the Bar
Code from individual terminals at branches based on the account number.
Cheque Truncation System (CTS)
The Cheque Truncation System (CTS) enables faster clearing of cheques. CTS eliminate the need
to move the physical instruments across branches, except in exceptional circumstances. This
results in effective reduction in the time required for payment of cheques, the associated cost of
transit and delays in processing, etc., thus speeding up the process of collection or realization of
cheques.
Credit Rating system
With the adoption of Basel II norms, credit risk management pervades all aspect of lending and
income-producing activities of the Bank. Credit Risk is the primary financial risk in the banking
system and encompasses consumer credit as well as business loans, new loans as well as existing
loans, priority sector as well as non-priority sector.
The Bank’s Credit Rating System helps in monitoring credit worthiness and credit quality on a
continuous basis to ensure the quality of advance assets.
Loan Origination System
Bank branches offer a host of loan products including car loans, commercial vehicle loans, inventory finance, home loans, education loans, personal loans, salary overdraft, loan against property and loan against shares, among others.
The Loan Origination System (LOS) facilitates the process of a consumer availing a loan. Once a consumer applies for a new loan from the chosen product area, LOS accomplishes all tasks from capturing customer details and verification to incorporating credit scores from third parties such as Cibil and the Bank’s internal credit ratings. The system helps Bankers arrive at an approve/reject decision and, if the loan is approved, a floor for the interest rates and discounts that can be offered to the client.
Human Resource Management Solution (HRMS)
An HRMS solution deployed at the Bank branch level enables employee self-service by providing
functionalities like viewing leave records, printing of payslips, booking of Bank’s guest’s house
and electronic submission of various applications, etc. on-line. At a broader level the application
helps improve efficiency of the Bank’s existing systems, practices and procedures. Therefore, in a
sense, the HRMS solution is a ‘hybrid’ system wherein some of the modules are ‘localized’ at the
branch level while the rest are ‘centralized’.
A brief summary of Applications and the concomitant impact of hazard is as follows:
| Application | Key Function | Key Stakeholders | Impact of Hazard |
| --- | --- | --- | --- |
| Queue Management System | Manage customer experience | Customers | Long Queues, Denial of Service, Chaos |
| Self-update Kiosk | Provide self service & convenience to customers | Customers | Long Queues, Denial of Service, Chaos |
| Cheque Truncation System | Obviates the need to move the physical instruments across branches | Branch Management & Customers | Delay in loan processing & approvals; Loss of Customers |
| Credit Rating system | Manage financial risks for loan approvals & outstanding loans | Branch Credit Management & Customers | Delay in loan processing & approvals; Loss of Customers |
| Loan Origination System | Process loans | Branch Management & Customers | Delay in loan processing & approvals; Loss of Customers |
| Human Resource Management Solution | Employee records and self service | Branch Management & Employees | Inconvenience to employees; Employee dissatisfaction |
Source: Ascentius Analysis
Identification of Key Risks
Risk management, by its very nature, is at the very heart of banking industry and Bankers are at
the middle of the risk-return conundrum. While the scope of risk management in Banks is all-
pervasive, risks can be broadly categorized under three categories:
Source: Ascentius Analysis
Among all the different risks listed above, Operational Risk and Reputational Risks assessment
play an exceptional role in each organization. The key reason for this is that these two aspects
impinge upon and integrate all different functional areas within an organization and thus have a
potential to integrate how risks pan out as well.
In this section we therefore look into the critical Operational and Reputational risks that Bank branches are likely to be exposed to due to the termination of extended support for Windows XP from April 8, 2014. First, we briefly describe the nature of the risks and then go on to analyze their impact in detail.
Risk of Bottlenecks in Leveraging New Business Opportunities
The connotation of risks is not limited to hazards that have potential downsides alone.
Incidences that limit access to market opportunities and that stifle revenue upside equally come
under the purview of risks and Banks duly acknowledge the same in terms of their risk
management framework.
New opportunities are opening up for retail Banks. However, for Banks’ monetization strategies to derive fruitful results, a robust IT infrastructure at the branch level is a sine qua non. Ascentius evaluates three major opportunities where Banks are likely to experience challenges in light of IT infrastructure that relies on Windows XP.
[Figure: the three risk categories referred to above (grouping as recoverable from the diagram layout). Banking Risks: Credit Risk, Liquidity Risk, Market Risk, Macroeconomic Risks, Foreign Exchange Risk, Legal Risk, Political Risk, Valuation Risk. Operational Risks: Loss of New Business Opportunity, IT Risk, Compliance Risk. Reputation Risks: Damage to Customer Relationship, Negative Media Coverage, Litigation, Negative Brand Perception.]
New Aadhar Based e-KYC Norms
RBI, through its recent order (RBI/203-14/263, UBD.BPD (PCB) Cir. No. 15 /14.01.062/2013-14, dated September 17, 2013), has permitted Banks to leverage Unique Identification Authority of India (UIDAI) data for authenticating customer credentials in the electronic know-your-customer (e-KYC) process. This paperless process, as it turns out, is of immense benefit both to customers and to Banks. Customers can employ e-KYC as a valid means of authentication for banking services like Account Opening, buying insurance, Mutual Funds, DMAT accounts and other financial products.
Banks are required to employ UIDAI-approved biometric scanning devices to match a customer’s biometric scan with the corresponding record stored in the UIDAI Central Identity Data Repository. Many of the new biometric scanning devices do not support Windows XP and hence Banks with Windows XP in their branches will be constrained to continue with the manual process, translating into higher transaction costs for Banks as well as depriving new customers of the convenience of e-KYC.
Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA)
Attending to the financial needs of bottom of pyramid customers is not only a regulatory requirement but also, more importantly, a significant growth opportunity for Banks. Furthermore, this opportunity space will fill up very fast. Not only is one Bank vying with another for the same set of customers, but telecom operators are also vying, with mobile services, for the same customers.
Banks have an inherent advantage in this race for bottom of pyramid customers. MGNREG Act
mandates a single branch to hold all accounts of Blocks/Panchayat and beneficiaries in a block.
With the integration of Aadhar Card and Biometric authentication, Banks will be able to support
real time transactions and thus eliminate fake attendance and corresponding fake payments.
For Banks to leverage these opportunities, Banks will need to set up biometric readers and
software in the rural branches. Volumes are likely to be high since there are 15,000 MNREGA
workers on an average in each block, with 1-2 Bank branches per block.
Mandate for Financial Inclusion
“Swabhimaan” - the financial inclusion campaign launched by Government of India in 2011 is
running on full speed. Different Banks are at varying degrees of implementation of the program
for Financial Inclusion, particularly in the rural areas. While Branch level innovations such as
availability of a Basic Savings Bank Deposit Account is the first step towards financial inclusion,
enhancing banking outreach to the remote corners of the country is an equally important
dimension.
Banks are deploying technology to enhance customer outreach. Banks have started deploying
smart cards, biometric authentication and mobile technology to help customer transact and
extend banking services similar to Bank Branches.
Downside Risks for Revenue Growth - Lack of Capability to Support
At the branch level, and particularly in semi urban and rural branches, the deployment density of Windows XP PC’s is relatively high. The current edition of biometric hardware, card encoders and software may not work on Windows XP PCs, the primary reason being that the device drivers have not been optimized to work on Windows XP. Furthermore, newer applications that meet emergent needs may not support XP, leaving Banks outside the realm of such innovations. The most likely consequences are biometric devices not working at all, low productivity resulting in long waiting times for customers, and service disruptions resulting in denial of service.
Risk of Damage to Customer Relationship
One of the prime goals of public institutions is to ensure friction free availability of their services
and mitigation of transactions cost for their consumers. The risks emanating from end of
extended support for Windows XP are likely to impact both these aspects for customers.
Customer Service
When customers come in to the branch, they hope to complete their transactions within
expected period. To ensure lower latency for banking transactions, applications and PC uptime
are key elements of the puzzle.
Core Banking Software (CBS) is hosted on Bank’s Data Centers and there are no direct
vulnerabilities. However, at the branch level, customer transactions that rely on CBS may be
affected because the underlying Windows XP PC can potentially turn vulnerable post expiry of
Windows XP. Similarly, local branch level applications like Queue Management Applications or
Loan Origination Software that operates on Windows XP PC’s may turn vulnerable once the
extended support for Windows XP expires.
Both of these strands have a direct impact on branch level performance indicators. The potential impacts are denial of service to banking customers as well as delays in the approval of consumer and business loans, both portending negatively for customer satisfaction as well as revenue growth.
| Customer Process | IT Asset | Frequency | Value | Impact | KPI |
| --- | --- | --- | --- | --- | --- |
| Token for Transaction | Queue Management System + Branch PC | High | - | Denial of Service | CSI |
| Deposits | CBS + Branch PC | High | Medium | Denial of Service | CSI |
| Withdrawal | CBS + Branch PC | High | Medium | Denial of Service | CSI |
| Account Information | CBS + Branch PC | High | - | Denial of Service | CSI |
| Passbook Updation | CBS + Branch PC | High | - | Denial of Service | CSI |
| Loan Request | Loan Origination System + Branch PC | Medium | High | Delays | RG + CSI |
CSI: Customer Satisfaction Index, RG: Revenue Growth
Source: Ascentius Analysis
Potential losses from outage will vary depending on the length of outage. Branches that have a
mix of Windows 7, Windows 8 and Windows XP PC’s will be able to transfer workload to secure
PCs. For Bank Branches that are relying entirely on Windows XP, the potential losses will rise
exponentially.
According to data points available to Ascentius from public sources including RBI and primary research interviews, the total number of vulnerable Branches, those with 40% or more penetration of Windows XP PC’s, is close to 34115 Bank branches.
| PSU Banks | # of Branches | Annual Business in INR Lakhs | % of XP PC’s | Vulnerable Branches | PC per Branch | Worst Case Scenario |
| --- | --- | --- | --- | --- | --- | --- |
| Rural | 8552 | 50 | 70% | 5987 | 4 | Outage + DOS |
| Semi-Urban | 18445 | 70 | 60% | 11067 | 6 | Outage + DOS |
| Urban | 22518 | 90 | 40% | 9007 | 7 | Outage + Delays |
| Metro | 20137 | 120 | 40% | 8055 | 10+ | Outage + Delays |
| Total | 69652 | | | 34115 | | |
Source: RBI & Ascentius Analysis
We present two scenarios. The first scenario consists of Bank branches that have a mix of
Windows XP along with Windows 7 & 8. The second scenario consists of set of Bank branches,
particularly in Semi-Urban & Rural locations, that have higher mix of Windows XP PC’s.
Scenario I
In the first category, where the proportion of Windows 7 & Windows 8 PC’s is higher than that of Windows XP PC’s, any materialization of the risk for Windows XP PCs will result in their outage. Thus, the branch will have fewer PC’s available to service the same volume of customers. At peak hours, the waiting time will stretch. According to industry estimates, the median waiting time in Banks is close to 5-15 minutes. Secondly, 54% of FTE time in a Branch goes towards servicing customers.
Source: BCG & Ascentius Analysis
Under normal circumstances, where the triad of Banking staff, IT infrastructure and pace of customer walk-ins is optimized and working in sync, the system is in a steady state. However, once the hazard is actually established and the availability of Windows XP PC’s goes down, it is likely to throw the smoothly running system out of gear.
Waiting time for customers even in normal hours will extend. In peak hours, there are likely to be non-linear cascading effects leading to long queues and extended waiting hours.
[Figure: PSU Branch Time Allocation (% of Branch FTE): Back Office 23%, Service 54%, Sales 23%. Wait Time in Branch (% of Banks): 2-5 Mins 26%, 5-15 Mins 65%, >15 mins 9%.]
Ascentius estimates that the waiting time for the Metro & Urban Bank branches is expected to
rise to more than 30 minutes for average transactions.
Source: Ascentius Analysis
Scenario II
The other risk that will play out, particularly in Semi-Urban & Rural branches, will be the risk of denial of service. Penetration of Windows XP in these branches is on average 60% of all PCs. At the extreme end, there are Bank branches that have close to 80%-100% Windows XP based PCs. Many of the semi-urban and rural branches conduct a high volume of transactions. Volumes can go as high as 1000 transactions in a day, particularly because the Government is transferring subsidies such as MGNREGA and Aadhar based transactions through Banks.
| | # of Vulnerable Branches | Daily Business in INR Crores (@293 days) | Potential loss of income (INR Crores) with 30% Vulnerable Branches |
| --- | --- | --- | --- |
| Semi Urban Branch | 5987 | 0.24 | 793 |
| Rural Branch | 11067 | 0.17 | 306 |
Potential Opportunity Lost: INR 1100 Crores/Day
Estimated Loss with 10% leakage: INR 110 Crores/Day
Estimated loss over 3 days: INR 330 Crores
Source: Ascentius Analysis
Excluding Sundays and scheduled holidays, there are close to 293 banking days in a year. Per-day business for a Rural branch is estimated at INR 17 Lakhs and for a semi-urban branch at INR 24 Lakhs. Assuming 30% of the vulnerable bank branches go down owing to actualization of the hazard on Windows XP PCs, the branches going down are estimated to be 5116 Bank branches. Should the hazard materialize and affect 30% of Branches, Banks will be forgoing an opportunity of conducting business worth INR 1100 Crores per day.
Assuming the systems come back in 3 days, customers will return to conduct banking transactions. However, even if 10% of the customers find alternative non-banking channels for conducting financial transactions over those 3 days, the loss of income is estimated to be INR 330 Crores.
[Figure: Wait Time in Branch, Pre Hazard vs Post Hazard (% waiting time in the bands 2-5 Mins, 5-15 Mins, >15 mins). Pre-hazard bars: 26, 65, 9; post-hazard bars: 10, 90.]
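The Scenario II loss model, reconstructed as an added example (this is not code from the report or from Ascentius). It takes the branch counts, annual business figures and Windows XP shares from the earlier PSU Banks table, uses the vulnerable-branch counts of 5987 (Rural) and 11067 (Semi-Urban) as that table states them, applies the report's assumptions of 293 banking days, 30% of vulnerable branches going down, 10% customer leakage and a 3 day outage, and arrives at the report's headline figures of 5116 branches down, about INR 1100 Crores of business per day and INR 330 Crores of lost income. Reading the 50 and 70 annual business figures as INR Crores is an assumption made here, because 50/293 and 70/293 give the INR 17 Lakh and 24 Lakh daily values the report quotes. The sensitivity function goes beyond the report by varying the outage share and outage length, which is the part a risk owner would most want to see.

```python
from dataclasses import dataclass

# Assumptions as stated in the report's Scenario II.
BANKING_DAYS = 293      # banking days per year (Sundays and scheduled holidays excluded)
OUTAGE_RATE = 0.30      # share of vulnerable branches assumed to go down
LEAKAGE_RATE = 0.10     # share of customers who move to non-banking channels
OUTAGE_DAYS = 3         # assumed time until systems come back


@dataclass(frozen=True)
class BranchClass:
    """One branch category from the report's PSU Banks table."""
    name: str
    branches: int              # number of PSU bank branches in this class
    annual_business_cr: float  # annual business per branch; assumed here to be INR Crores
    xp_share: float            # share of branch PCs running Windows XP
    vulnerable: int            # vulnerable branches as the report's table states them

    @property
    def daily_business_cr(self) -> float:
        # 50/293 = 0.17 and 70/293 = 0.24, matching the report's daily figures
        return self.annual_business_cr / BANKING_DAYS


# Constructed from the report's tables (Rural and Semi-Urban rows only).
RURAL = BranchClass("Rural", 8552, 50, 0.70, 5987)
SEMI_URBAN = BranchClass("Semi-Urban", 18445, 70, 0.60, 11067)
SCENARIO_II_CLASSES = (RURAL, SEMI_URBAN)


def scenario_ii(classes=SCENARIO_II_CLASSES, outage_rate=OUTAGE_RATE,
                leakage=LEAKAGE_RATE, days=OUTAGE_DAYS):
    """Return the report's three headline numbers for the given assumptions."""
    branches_down = round(sum(c.vulnerable for c in classes) * outage_rate)
    # business that cannot be transacted while the affected branches are down
    opportunity_lost_per_day = sum(
        c.vulnerable * outage_rate * c.daily_business_cr for c in classes)
    # only the share of customers who leave for other channels is lost income
    income_loss = opportunity_lost_per_day * leakage * days
    return {
        "branches_down": branches_down,
        "opportunity_lost_per_day_cr": round(opportunity_lost_per_day),
        "income_loss_cr": round(income_loss),
    }


def sensitivity(outage_rates=(0.10, 0.30, 0.50), day_counts=(1, 3, 5)):
    """Income loss (INR Crores) for a grid of outage shares and outage lengths."""
    return {(r, d): scenario_ii(outage_rate=r, days=d)["income_loss_cr"]
            for r in outage_rates for d in day_counts}


if __name__ == "__main__":
    base = scenario_ii()
    print(f"Branches down: {base['branches_down']}")
    print(f"Opportunity lost per day: INR {base['opportunity_lost_per_day_cr']} Crores")
    print(f"Income loss over {OUTAGE_DAYS} days: INR {base['income_loss_cr']} Crores")
    for (rate, days), loss in sorted(sensitivity().items()):
        print(f"  outage {rate:.0%} of vulnerable branches for {days} day(s): INR {loss} Crores")
```

The model is deliberately linear in each assumption, so the sensitivity grid shows that the INR 330 Crores figure scales directly with the outage share, the leakage share and the number of days out of service; the report's "worst case" is one cell of that grid.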
Vulnerabilities at Banking Customers End
Owing to the convenience and popularity of online banking, there is a large swathe of Indian consumers who access their online banking account and conduct banking transactions from their Windows XP PC. Upon termination of extended support for Windows XP, these PC’s will potentially stand vulnerable to exposure to cybercriminals. The worst-case scenario entails the possibility of customers’ account details being stolen by cybercriminals, who can then use this information to transfer money out of the compromised accounts.
To limit this exposure, Banks should evaluate issuing advisories that educate their customers both to protect themselves and to avoid becoming victims of such vulnerabilities.
IT Risks
There are broad spectrums of technology risks that Banks face in light of termination of
extended support for Windows XP.
Vulnerability on account of End of support of Windows XP
With the end of support for Windows XP, Windows XP is likely to turn into a beehive of vulnerabilities that cybercriminals will find easy to exploit. The reasons are twofold:
New Patches as Signal for Vulnerability
As Microsoft notifies new patches for Windows 7 and Windows 8, it simultaneously sends out
signals about vulnerability that may find existence in Windows XP.
This risk is in particularly accentuated because Microsoft releases security patches regularly,
with an unintended consequence of leaving a trail for cybercriminals to pursue. From a risk
origination perspective, it will be easy for cybercriminals to track the open vulnerabilities and
exploit them.
New World, New Threats
Windows XP was conceived for a world where a firewall was enough to protect the system and its
programs. However, the world has changed far beyond that original conception. The newer
versions of Windows support features that are in step with the sophisticated level of threats
in vogue today. Key features include:
Protected View to help protect the computer
— Files from potentially unsafe locations are opened in Protected View. Using
Protected View, the user can read a file and see its contents while reducing the
risks.
No AutoRun
— Much malware has used the AutoRun feature in Windows XP to run and spread
viruses. This feature has been disabled from Windows 7 onwards.
SmartScreen
— The SmartScreen Filter can protect the user from downloading or installing malware.
Hardened applications and default settings
— Hardening features in Windows 7 deny and deter hackers with layers of protection.
Windows Defender
— Protection against spyware and malware.
Windows User Account Control
— User Account Control (UAC) can help users prevent unauthorized changes to the
computer.
AppLocker
— AppLocker provides administrators with the ability to specify which users can run
which specific applications.
Windows XP lacks many of these features, which are considered default in Windows 7 and
Windows 8.
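The feature list above can be turned into a per-PC audit. The PowerShell below is an added example and not part of the Ascentius report or any vendor tooling: it reports whether a branch PC is still on Windows XP and whether the mitigations the report names (AutoRun policy, UAC, Windows Defender, AppLocker, SmartScreen) are actually in force on it. The registry paths and cmdlets are the standard Windows locations for these settings; the output field names and the AllMitigationsPresent roll-up are this example's own design, and the IE PhishingFilter keys used for the Windows 7 SmartScreen check are assumed rather than taken from the report.

```powershell
# Added example (not from the Ascentius report): audit one Windows PC for the
# post-XP mitigations the report lists and flag it if it is still on Windows XP.
# Field names and the roll-up flag are this example's own; registry paths are
# the standard Windows locations for each setting.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent, which is
    # exactly what happens on an XP host for settings introduced in Vista/7/8.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-XpMitigationAudit {
    # Get-WmiObject works on PowerShell 2.0 (Get-CimInstance needs 3.0), so the
    # default shell on a Windows 7 branch PC can run this unmodified.
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $version = [Version]$os.Version      # XP is NT 5.x; Windows 7 is 6.1; Windows 8 is 6.2

    # AutoRun policy: 0xFF disables AutoRun for every drive type. Windows 7's
    # default behaviour already ignores autorun.inf on removable media, but the
    # explicit policy value is what an auditor can verify.
    $autoRun = Get-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'

    # UAC: EnableLUA = 1 means User Account Control is on (Vista and later only).
    $enableLua = Get-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'

    # Windows Defender service (WinDefend).
    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    # AppLocker: the cmdlet exists only on editions that ship the feature, so
    # probe for it first; count the rule collections in the effective policy.
    $appLockerRules = 0
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
        if ($null -ne $policy) { $appLockerRules = @($policy.RuleCollections).Count }
    }

    # SmartScreen: Windows 8 shell setting (RequireAdmin / Prompt / Off), or the
    # IE8/IE9 SmartScreen Filter flag on Windows 7 (assumed key location).
    $shellSmartScreen = Get-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
    $ieSmartScreen    = Get-RegistryValue 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' 'EnabledV9'
    if ($null -eq $ieSmartScreen) {
        $ieSmartScreen = Get-RegistryValue 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' 'EnabledV8'
    }

    $result = New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        OSCaption            = $os.Caption
        OSVersion            = $os.Version
        IsWindowsXP          = ($version.Major -eq 5)
        AutoRunFullyDisabled = ($autoRun -eq 0xFF)
        UACEnabled           = ($enableLua -eq 1)
        DefenderRunning      = ($null -ne $defender -and $defender.Status -eq 'Running')
        AppLockerRuleSets    = $appLockerRules
        SmartScreenEnabled   = ((@('RequireAdmin', 'Prompt') -contains $shellSmartScreen) -or ($ieSmartScreen -eq 1))
    }

    # Roll-up: true only when the host is off XP and every listed control is in force.
    $allPresent = (-not $result.IsWindowsXP) -and $result.AutoRunFullyDisabled -and
                  $result.UACEnabled -and $result.DefenderRunning -and
                  ($result.AppLockerRuleSets -gt 0) -and $result.SmartScreenEnabled

    $result |
        Add-Member -MemberType NoteProperty -Name AllMitigationsPresent -Value $allPresent -PassThru |
        Select-Object ComputerName, OSCaption, OSVersion, IsWindowsXP, AutoRunFullyDisabled,
                      UACEnabled, DefenderRunning, AppLockerRuleSets, SmartScreenEnabled,
                      AllMitigationsPresent
}

# Local run: print the audit for this PC.
Get-XpMitigationAudit | Format-List
```

Across a branch estate the same function can be pushed through remoting, for example `Invoke-Command -ComputerName (Get-Content branch-pcs.txt) -ScriptBlock ${function:Get-XpMitigationAudit} | Export-Csv xp-audit.csv -NoTypeInformation`, which gives the Bank a single sheet of which PCs are still on XP and which Windows 7 or 8 PCs have the listed controls switched off. An XP host will show IsWindowsXP as True and every newer control as False, since none of those registry values or services exist on it.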
Termination of ISV and Hardware Company Support for Windows XP
ISVs and hardware vendors follow planned obsolescence cycles. Many ISVs and hardware
manufacturers (including those of PCs, printers, smart card readers and the long tail of other devices) are
expected both to stop testing new features and to stop supporting critical applications that run
on Windows XP.
The Computer Emergency Response Team-India (CERT-In) flagged this issue in the advisory
it issued in July 2013.
In sum, the implication is that many of the applications and IT hardware that Banks have
deployed in branches may no longer be supported by the vendors themselves, as a result of which
many customer-facing operations at Bank branches may not be able to function at the
expected benchmarks.
Antivirus Support
From our conversations with many Banks, there is a modicum of assurance that Banks will be
able to protect their Windows XP PCs with antivirus software and hence that there is no urgency to
invoke the PC refresh cycle or an OS upgrade. At the same time, there is a belief that because, at the
level of Bank branches, Windows XP PCs are connected to the LAN with no exposure to the Internet,
there is little risk of the PCs being infected with viruses.
However, neither argument is borne out by the facts.
“The software vendors and hardware manufacturers will stop support for Windows XP on their new versions and models…. It is recommended that all the users and organisations using Windows XP OS in their environment should immediately plan for upgradation to the latest available OS according to their requirement and test software applications well before April, 2014.”
“Most viruses, Trojan horses, and worms are activated when you open an attachment or click a link contained in an email message. If your email client allows scripting, then it is possible to get a virus by simply opening a message.”
“After the official End of Support date from Microsoft goes into effect, Symantec Support may not be able to provide full threat resolution on XP systems due to a lack of Microsoft security patches. …we cannot guarantee that we will be able to prevent threat activity involving unpatched exploits.”
Furthermore, sharing data on USB drives is a fairly common practice in Banks, which provides
another vector for transporting viruses that target Windows XP
vulnerabilities. And lastly, the internal LAN can itself serve as the network over which
viruses propagate.
SI Partner Support
In our conversations with System Integration partners for Banks, two viewpoints
have come to the fore.
One set of SIs recognizes the implications of the end of support for Windows XP and has deduced its impact
on their practice. System Integrators in this category are categorical about what they
can offer and what they cannot.
At the other end of the spectrum are System Integrators who see the end of extended
support for Windows XP as a market opportunity to be monetized. System Integrators in
this category are likely to claim that they have expertise in supporting Windows XP and will
offer paid support services to Banks.
However, this aspect deserves scrutiny. Key questions to which Banks must elicit
answers from System Integrators include:
Will the SI Partner offer services to maintain Windows XP at competitive prices or will they,
knowing Banks are at their mercy, charge opportunistic prices?
Since SI Partners do not have access to Microsoft Windows XP source code, how will
they be able to address vulnerabilities that stem from the Windows XP OS itself?
Banks have branches that sum to thousands of locations, both in urban centers and the
hinterland. How will SI Partners be able to extend support at locations where they have
no presence?
“As part of the contract with Banks, we have a PC replacement policy at the branch level for events such as hardware failure. However, if the PC has Windows XP and if XP is out of support from Microsoft, we won’t replace the PC.”
“We will also not offer paid support to our Banking clients for Windows XP PC post April 2014.”
India’s Leading Hardware Manufacturer & IT Outsourcing Partner for Banks.
“2. For PCs that have Windows XP, will HP offer paid support after April 2014, when XP will no longer be supported by Microsoft? NO.”
Where the likelihood of impact is increased, speed of containment is of the essence.
How will SI partners execute their containment tasks so that when the branch opens
for business at 9:30 AM, it is up and running?
Will SI partners be able to guarantee Windows XP uptime for the contractual periods,
and will they be able to indemnify Banks for any losses should they fail to meet
their commitments?
Our prognosis remains that none of the System Integrators is capable of meeting the above five
criteria, and Banks should bring a healthy dose of skepticism to propositions offered by
System Integrators on this count.
While Microsoft does offer a "Custom Support Agreement" for customers who may want to stay on
Windows XP after April 8, 2014, this option is a very expensive proposition, which makes
postponement beyond the stipulated period an unwise decision.
Execution Risk
In the course of the research, Ascentius has identified a small set of State-owned Banks that have
moved the majority of their PCs to Windows 7.
A second segment comprises State-owned Banks that are on their way to moving off Windows
XP by April 2014. The third segment comprises a large number of State-owned Banks that have
embarked on the journey to move away from Windows XP, but may still be left with
approximately 20% to 30% of their base on Windows XP even after April 2014. Ascentius
estimates that the third segment of Banks will expose themselves to execution risks, unless they
take extraordinary measures to speed up their decision-making cycles.
There are primarily two upgradation scenarios: the first consists of an OS upgrade on existing
Windows XP PCs; the second is a PC refresh cycle. In both scenarios, we
consider a Bank that has 1000 branches divided equally between urban, semi-urban and rural
branches. The urban branches can have as many as 25 PCs and the rural branches as
few as 2 PCs.
OS Upgradation Scenario
The OS upgradation process has to contend with the following constraints:
There is no single SI with reach across these 1000 branches located in both cities
and the hinterland. The choice is between:
— Large SI partners, who will have good project management skills to execute this
project but will result in a longer elapsed time and higher costs
— Local or regional SI partners, who will be more economical but carry large search
costs and considerable project management risks. Search costs include the
administrative costs that businesses expend to identify, negotiate with and select
vendors. Given that Banks will have to search for vendors across hundreds of
locations, search costs will rise to that extent.
Bank branches work from 9:30 AM to 6:30 PM, six days a week. System
Integrators therefore have a very narrow window of time in which to carry out the upgrade.
The OS upgrade may require a RAM upgrade
— For 64-bit Windows XP, the recommended memory was 128 MB of RAM. For
Windows 7, the recommended memory is 1 GB of RAM.
— The upgrade process may require upgrading the memory, backing up data,
upgrading the OS and then finally reloading the data.
From Ascentius’ conversations with India’s leading SIs, the estimated time a Bank with 1000
branches will take to upgrade from Windows XP to a newer OS is approximately 4-6 months.
PC Refresh Scenario
Assuming the same Bank with 1000 branches spread equally between urban, semi-urban and
rural regions, the problems this Bank must contend with are as follows.
Depending on the distribution of Windows XP PCs in the Bank, a PC refresh across 10000-25000 PCs
will require a large financial outlay. Many Banks have not made a budgetary allocation of this
magnitude.
From our research, the estimated elapsed time from initiating the RFP process to final installation
and testing of the acquired PCs is in the range of 4-6 months.
In both scenarios, the time it will take to complete the shift to a post-Windows
XP world closely coincides with the April 2014 date that has been set for termination of
extended support for Windows XP. Banks can use this window of opportunity to mitigate all
risks.
Compliance Risk
Under the tutelage of the Reserve Bank of India, Banks have created an entire structural edifice for
meeting requirements on Information Security, Electronic Banking, Technology risk
management and cyber frauds. Based on the COBIT architecture, the IT risk management function
extends from IT Governance, organizational structure and processes and procedures to, finally, audits.
While Banks are cognizant of their exposure to compliance risk originating from the end of
extended support for Windows XP, the bigger challenge is to set the wheels in motion to
address the root cause of the vulnerability. Should Banks fail to close the loop within the
prescribed timelines, they may have to bear denial of service in branches and, in the worst
possible scenario, financial losses.
Windows XP Risk Map
The risks arising from termination of extended support for Windows XP can be plotted on two
dimensions:
The probability that the risk may occur
The likely impact of the risk. In some instances, the impact may lie in the acceptance zone. In
other instances, the impact can carry significant financial costs.
The total risk that Banks take is a function of probability and impact. Banks can use the Windows
XP Risk Map to delineate which risks are acceptable and which are not, in conjunction with
the impact, to arrive at their decision matrix.
[Figure: Windows XP Risk Map. Likelihood (Low / Medium / High) plotted against Impact (Low / Medium / High). Risks plotted: Lack of Antivirus support; Lack of ISV support; New Business Revenue Risk; Compliance risks; Disruption to customer service; Loss of Income; Vulnerabilities at banking customer end; Upgradation Risk; Vulnerability to PC infrastructure.]
Source: Ascentius Analysis
IT Risk Analysis
This section presents the IT Risk Analysis for the Bank branches.
Risk Analysis
Columns: Rank; Source/type of Risk; Description; Asset Affected; Metrics; Probability; Impact; Time to Impact; Financial Severity; Severity for Customer; Reputational Severity; Controls Assessment.

1. Technology: Vulnerabilities of Windows XP
   Asset affected: All Windows XP desktops and laptops across the organization
   Metrics: Total Assets, Return on Net Assets
   Probability: High; Impact: High; Time to impact: Immediate
   Financial severity: High; Severity for customer: High; Reputational severity: High
   Controls assessment: Weak

2. Technology: Termination of ISVs’ and hardware companies’ support for XP
   Asset affected: Bar-code based printers in self-update kiosks, scanners in Cheque Truncation Systems (CTS), etc.
   Metrics: Operating Expenses, Return on Assets
   Probability: High; Impact: High; Time to impact: Immediate
   Financial severity: High; Severity for customer: High; Reputational severity: High
   Controls assessment: Weak

3. Technology: Antivirus support
   Asset affected: All Windows XP desktops, laptops and servers across the organization
   Metrics: Operating Expenses, Productivity
   Probability: Medium; Impact: Low; Time to impact: Near-term
   Financial severity: Medium; Severity for customer: Low; Reputational severity: Medium
   Controls assessment: Weak

4. Technology: SI Partner Support
   Asset affected: All Windows XP desktops and laptops across the organization
   Metrics: RoI, Employee Productivity, Resource Utilization
   Probability: Low; Impact: Medium; Time to impact: Medium-term
   Financial severity: Medium; Severity for customer: Low; Reputational severity: Low
   Controls assessment: Moderate

5. Customer: Customer Service
   Asset affected: Queue Management Systems, self-update kiosks, CTS, CRS
   Metrics: C-Sat, revenue per customer
   Probability: Medium; Impact: High; Time to impact: Near-term
   Financial severity: High; Severity for customer: High; Reputational severity: High
   Controls assessment: Weak

6. Customer: Vulnerabilities at banking customer end
   Asset affected: N/A
   Metrics: C-Sat, Revenues
   Probability: Low; Impact: Low; Time to impact: Near-term
   Financial severity: Low; Severity for customer: High; Reputational severity: Medium
   Controls assessment: Adequate

7. Compliance: Regulatory compliance / RBI guidelines on IT Risk Management
   Asset affected: All Windows XP desktops and laptops across the organization
   Metrics: Cost of funds, Revenue growth
   Probability: Low; Impact: High; Time to impact: Medium-term
   Financial severity: High; Severity for customer: Medium; Reputational severity: High
   Controls assessment: Weak

8. Execution: OS Upgradation scenario
   Asset affected: All Windows XP desktops and laptops across the organization
   Metrics: OpEx, Productivity
   Probability: High; Impact: Medium; Time to impact: Near-term
   Financial severity: High; Severity for customer: Medium; Reputational severity: Low
   Controls assessment: Weak

9. Execution: PC Refresh scenario
   Asset affected: All Windows XP desktops and laptops across the organization
   Metrics: Capital expense budget
   Probability: Low; Impact: High; Time to impact: Medium-term
   Financial severity: High; Severity for customer: Low; Reputational severity: Low
   Controls assessment: Moderate

10. New Business Revenue Risk: New Aadhar-based e-KYC
   Asset affected: Windows XP desktops at branch
   Metrics: Revenue Growth, C-Sat
   Probability: Medium; Impact: Medium; Time to impact: Near-term
   Financial severity: Medium; Severity for customer: High; Reputational severity: Medium
   Controls assessment: Weak

11. New Business Revenue Risk: MNREGA
   Asset affected: Windows XP desktops at branch
   Metrics: Revenue Growth, C-Sat
   Probability: Medium; Impact: Medium; Time to impact: Near-term
   Financial severity: Medium; Severity for customer: High; Reputational severity: Medium
   Controls assessment: Weak

12. New Business Revenue Risk: Financial Inclusion initiatives
   Asset affected: Windows XP desktops at branch
   Metrics: Revenue Growth, C-Sat
   Probability: Medium; Impact: Medium; Time to impact: Near-term
   Financial severity: Medium; Severity for customer: High; Reputational severity: Medium
   Controls assessment: Weak

13. Suppliers, vendors, other 3rd parties: Vulnerabilities at suppliers’, vendors’ and other 3rd party partners’ end
   Asset affected: N/A
   Metrics: Productivity, Operating Expenses
   Probability: Low; Impact: Low; Time to impact: Medium-term
   Financial severity: Low; Severity for customer: Medium; Reputational severity: Low
   Controls assessment: Adequate

Source: Ascentius Analysis