RBI’s new Cyber Security Framework increases banks’ responsibility and enhances protection of stakeholders
The Reserve Bank of India (RBI) has come up with a Cyber Security Framework for Banks, notified on 2 June 2016 (circular RBI/2015-16/418, DBS.CO/CSITE/BC.11/33.01.001/2015-16), that offers significant benefits to both banks and their customers.
 
The new framework asks banks to put in place a board-approved, documented “Cyber Security Policy” with a clear strategy and approach to combat cyber threats, based on the complexity of each bank’s business and its acceptable level of risk. Banks have been asked to communicate this policy to a brand new Cyber Security and Information Technology Examination (CSITE) Cell, created under the Department of Banking Supervision (DBS), before 30 September 2016.
RBI first issued Cyber Security Guidelines in 2001. These were revised in 2011, based on the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Implementation of Recommendations), headed by G Gopalakrishna, its executive director.
 
The 2011 guidelines dealt, in reasonable detail, with a broad range of issues, including IT governance, information security (IS), IS audit, IT operations, IT services outsourcing, cyber fraud, business continuity planning, customer awareness programmes and legal aspects. However, cyber technology has evolved rapidly, and fraud and misuse of that technology have evolved even faster, so the RBI has needed to update its cyber security framework again.
 
The cyber security policy of banks must be distinct and separate from their broader IT policy or IS security policy, so that it can highlight risks from cyber threats and the measures to address and mitigate these risks. A Security Operations Centre (SOC) has to be set up, which will be responsible for continuous surveillance and for testing for vulnerabilities at reasonable intervals. The role and responsibilities of the SOC have been spelt out. Some of the prescriptions in the framework are an implicit acknowledgment of lax network and database security at banks.
 
Ideally, the RBI needs to update its cyber security policy annually, to keep pace with rapid changes in technology, but a new security framework certainly offers better protection to bank customers. 
 
Since a bank is defined as the data owner by the RBI, it is the bank’s duty and responsibility to protect confidentiality, integrity and availability of data and customers have a right to know the steps that banks have taken in this regard. This is particularly useful in case of litigation because banks, in the past, have tried to define themselves as ‘intermediary’ to avoid responsibility under sections 43, 43A of IT Act 2000/2008.  
 
Banks have been made responsible for creating awareness about cyber threats, and about the resilience of their systems, among stakeholders (this includes customers, employees, partners and vendors). The policy makes it clear that if a bank fails to do so and a security incident happens due to the ignorance of a stakeholder, the stakeholder will not be held responsible.
 
The new framework requires bank board members to become more aware and vigilant about cyber security. They can be held directly liable for lapses and losses to the bank and customer, if they cannot establish due diligence done to address cyber security. It will also force banks to provide more resources to address cyber security including the appointment of a chief information security officer (CISO). The CISO will have to work with the bank board to report gaps between the actual state of affairs at each bank and the cyber security requirement under the new framework and come up with a viable plan by 31 July 2016, which will be reported to the RBI. 
 
The RBI itself has created an IT subsidiary, headed by former IPS officer Nandkumar Saravade as its CEO. The cyber security framework, as well as the RBI’s own initiatives to address concerns, will indeed go a long way in strengthening its ability to deal with risks. However, one big question still remains unaddressed: the gap between the RBI’s intentions and banks’ actions. What are the consequences if banks do not comply, in letter and spirit, with what the regulator wants? The policy does not spell out any penalty or action against banks, the officers concerned, or even the auditors responsible for the lapses.
 
Ideally, the RBI should ask the CISO of each bank to furnish a detailed quarterly cyber security compliance report, a summary of which must be made available on the bank’s website for customer information. Similarly, an annual cyber security compliance report must be published in the bank’s annual report.
 
Some highlights of the RBI’s cyber security framework are: 
 
The IT architecture of banks should be conducive to security. An indicative, but not exhaustive, minimum baseline cyber security and resilience framework has been defined in an annexure to the guidelines.
 
Banks must address network and database security comprehensively. 
 
Banks must ensure Confidentiality, Integrity and Availability of data/information.
 
Further, irrespective of whether information is stored or in transit within the bank, the confidentiality of such custodial information should not be compromised.
 
A Cyber Crisis Management Plan (CCMP) should be evolved immediately and be part of the overall board-approved strategy. It should address four aspects: detection, response, recovery and containment. Banks are expected to be well prepared to face emerging cyber threats such as ‘zero-day’ attacks, remote access threats and targeted attacks.
 
Banks must assess the adequacy of, and adherence to, the cyber resilience framework, and measure it by developing indicators that assess the level of risk and preparedness.
 
All cyber security incidents must be reported to RBI within 2 to 6 hours. The incident reporting format is defined in the guidelines.
COMMENTS

B. Yerram Raju

12 months ago

My article on 27th February 2015 in Moneylife warned of the impending cyber security crisis and the measures both the banks and regulators have to address with a sense of urgency. I must mention that some more are needed, particularly those relating to the mobile transactions linked to AADHAR, where the poor operate the payment options and most of them invariably take the assistance of the literate in the neighbourhood.

SEBI to Issue Discussion Paper on HFT after It Accounts for 98% Equity Derivative Orders
A year after Moneylife published a whistleblower’s letter pointing to grave issues in the way high frequency trading (HFT) was conducted at India’s largest bourse, SEBI is still discussing plans to “put in place stringent norms for high-frequency trades along with higher penalties for misuse.” 
 
HFT refers to the use of complex algorithms and high-powered electronic machines to execute thousands of transactions in a fraction of a second. This allows traders to make huge profits by scalping tiny gains from changing prices. It gives large players with servers located within the exchange (called co-location) an advantage over other investors, big and small. An investigation commissioned by SEBI’s technical advisory committee (TAC), following Moneylife’s exposé confirmed all the main charges of the whistleblower. Although SEBI has not released the details of the report, the minutes of the TAC’s meeting dated 15th March are available to many media and industry persons including Moneylife. This is the background to chairman UK Sinha’s statement to the media on 25th May that SEBI plans to issue a discussion paper on tightening the HFT rules and tackle the issue of fairness to all market participants and issue new rules in three or four months.  
It is rather strange that SEBI will put out its first discussion paper six years after it allowed bourses to start HFT, and when HFT already accounts for anywhere between 94% and 98% of trade orders in the cash and equity derivatives segments of the market. Instead of acting quickly on the findings of its own investigation and tightening the rules, SEBI will conduct a time-wasting public discussion.
 
Mr Sinha justifies this lax attitude by emphasising that “SEBI is among the first regulators to have some kind of regulations in place on HFT.” This only indicates the kind of power that large financial institutions, brokerage firms and bourses exert on regulators around the world. It also shows that, eight years after a global financial crisis and five years after the “occupy Wall Street” protests, regulatory capture by those with money power remains undiminished. Bloomberg newswire has reported that two of India’s top broker associations have demanded action on the SEBI panel’s findings and to punish those involved in wrongdoing; but SEBI is in no hurry to even announce new regulations at least for three months. 
 
Moneylife learns that the finance ministry, as well as some MPs (members of parliament), have keenly followed SEBI’s action in connection with the findings of its TAC and have asked for its report. The SEBI chairman is also reported to have told the media that some government agencies were looking at the issue from a cyber-security perspective.