As digital adoption deepens across India’s microfinance sector, cybersecurity has become central to protecting trust, especially for first-time borrowers. In this exclusive interview, Gagandeep Sharma, Chief Information Security Officer at Midland Microfin Ltd., explains to APAC Media how the company aligns its security strategy with its mission of financial and social empowerment, particularly of women.
He discusses balancing rapid digital growth with strong data protection, meeting RBI expectations, managing multi-vendor risk, and strengthening fraud defences. Sharma also shares how Midland builds digital awareness among women customers and prepares for emerging threats through AI-driven detection, Zero-Trust frameworks, and privacy-enhancing technologies.
How do you align cybersecurity strategy with the mission of financial and social empowerment of women?
Our cybersecurity strategy is directly aligned with our mission of enabling safe, trusted, and inclusive digital access for women entrepreneurs.
We design security controls with three principles:
- Trust as an enabler of inclusion – if a first-time digital borrower loses trust due to fraud or data misuse, she is unlikely to return to formal finance.
- Security by design in field operations – mobile devices used by field officers and women borrowers are protected through:
  - device hardening, secure application containers, and strong authentication,
  - geo-based and role-based access to sensitive functions.
- Measurable impact
  - Reduction in fraud complaints and impersonation cases
  - Improvement in successful digital onboarding completion
  - Zero material audit observations on data protection controls
Cybersecurity is therefore positioned as a business enabler for financial inclusion, not a back-office IT function.
How do you balance rapid digital growth with the protection of sensitive customer data?
We follow a “secure-by-default and scalable” architecture:
- API-first integrations with:
  - strong authentication,
  - encryption in transit and at rest,
  - environment segregation (production / test / vendor access).
- Data minimisation across apps (only business-required attributes are exposed).
- Standard security gates for every new digital rollout:
  - threat modelling,
  - vendor risk assessment,
  - go-live security sign-off.
Business impact we track:
- Reduced average remediation time for vulnerabilities
- Faster onboarding of digital partners without compromising compliance
- Zero critical data exposure incidents during new feature launches
How does your security strategy align with RBI expectations on protecting financial data?
Our security framework is aligned with the regulatory and supervisory expectations of the Reserve Bank of India for NBFCs and MFIs.
Key focus areas include:
- Board-approved IT & Information Security policies
- Data classification and handling controls for:
  - customer identity data,
  - financial and transaction data
- Continuous monitoring of:
  - privileged access,
  - vendor access to systems,
  - outsourced SaaS platforms
- Incident response, cyber awareness, and regulatory reporting processes
This ensures our controls are consistent with RBI’s governance, outsourcing, and IT risk management expectations for regulated entities.
What are the biggest compliance challenges you face?
The most significant challenges are:
- Multi-vendor SaaS and fintech integrations
  Ensuring uniform security, audit rights, and data residency controls across partners.
- Operational adoption at scale
  Ensuring thousands of field users consistently follow secure practices.
- Regulatory convergence
  Aligning internal processes simultaneously with RBI supervisory expectations and national cyber advisories from CERT-In.
The operational challenge is not policy creation; it is consistent execution across rural and semi-urban operations.
What are the most significant cybersecurity risks for the microfinance sector in India, and how is Midland evolving its defenses?
Major sector risks
- Account takeover and social-engineering-driven fraud
- Device-level compromise of field staff smartphones
- Fake loan apps and impersonation of MFIs
- Data leakage from third-party service providers
- Business disruption from ransomware and credential compromise
Our evolving defense approach
- Risk-based authentication for high-impact transactions
- Device and application integrity checks for field operations
- Strong vendor security reviews and contractual security obligations
- Centralised log monitoring and early-warning alerts for abnormal activity
Measured improvement
- Reduction in fraud-linked incidents
- Improved Mean Time to Detect (MTTD)
- Improved Mean Time to Respond (MTTR)
How do you protect women customers from fraud and build digital awareness for first-time users?
We treat customer protection as a direct cybersecurity outcome, not only a business responsibility.
Technical protection
- OTP and transaction validation with behavioural checks
- Limits and alerts for unusual transaction patterns
- Strong controls on who can access or modify customer profiles internally
Digital awareness for women borrowers
- Simple, local-language awareness sessions during group meetings
- Practical education on:
  - never sharing OTPs,
  - identifying fake calls and fake loan apps,
  - reporting suspicious activity quickly
- Toll-free escalation channels and rapid support turnaround
Our goal is to make every woman customer digitally confident and fraud-resilient, not merely digitally onboarded.
Looking ahead, what emerging technologies will be most critical for securing financial transactions for the underserved?
The most impactful technologies for MFIs serving underserved communities will be:
- AI-driven fraud and anomaly detection
  To detect subtle and region-specific fraud patterns in real time.
- Behaviour-based authentication
  Reduces dependency on complex passwords for first-time digital users.
- Zero-Trust access architectures
  Especially important for distributed field operations and partner integrations.
- Privacy-enhancing technologies (PETs)
  Such as tokenisation and controlled data sharing to minimise exposure of sensitive customer data.
These technologies allow us to scale securely without increasing friction for women entrepreneurs who are new to digital financial services.