RBI’s new Cyber Security Framework increases bank’s responsibility and enhances protection of stakeholders
The Reserve Bank of India (RBI) has come up with a Cyber Security Framework for Banks (RBI/2015-16/418, DBS.CO/CSITE/BC.11/33.01.001/2015-16, dated 02/06/2016) that was notified on 2 June 2016 and offers significant benefits to both banks and their customers.
 
This new framework asks banks to put in place a board-approved, documented “Cyber Security Policy” with a clear strategy and approach to combat cyber threats, based on the complexity of their business and acceptable levels of risk. Banks have been asked to communicate this policy to a brand new Cyber Security and Information Technology Examination (CSITE) Cell, created under the Department of Banking Supervision (DBS), before 30 September 2016.
RBI first issued Cyber Security Guidelines in 2001, which were revised in 2011 based on the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds - Implementation of Recommendations, headed by G Gopalakrishna, its Executive Director.
 
However, cyber fraud and the misuse of technology have evolved at such a rapid pace that the RBI has needed to update its cyber security framework again, even though the 2011 guidelines dealt in reasonable detail with a broad range of issues, including IT governance, information security (IS), IS audit, IT operations, IT services outsourcing, cyber fraud, business continuity planning, customer awareness programmes and legal aspects.
 
The cyber security policy of banks must be distinct and separate from their broader IT policy or IS security policy so that it can highlight risks from cyber threats and the measures to address and mitigate these risks. A Security Operations Centre (SOC) has to be set up, which will be responsible for continuous surveillance and for testing for vulnerabilities at reasonable intervals. The role and responsibilities of the SOC have been spelt out. Some of the prescriptions in the framework are an implicit acknowledgment of lax network and database security.
 
Ideally, the RBI needs to update its cyber security policy annually, to keep pace with rapid changes in technology, but a new security framework certainly offers better protection to bank customers. 
 
Since a bank is defined as the data owner by the RBI, it is the bank’s duty and responsibility to protect the confidentiality, integrity and availability of data, and customers have a right to know the steps that banks have taken in this regard. This is particularly useful in case of litigation because banks, in the past, have tried to define themselves as ‘intermediaries’ to avoid responsibility under sections 43 and 43A of the IT Act 2000/2008.
 
Banks have been made responsible for creating awareness about cyber threats and the resilience of their systems among stakeholders (this includes customers, employees, partners and vendors). The policy makes it clear that if the bank fails to do so and any security incident happens due to the ignorance of a stakeholder, the stakeholder will not be responsible.
 
The new framework requires bank board members to become more aware and vigilant about cyber security. They can be held directly liable for lapses and losses to the bank and its customers if they cannot establish that due diligence was done to address cyber security. It will also force banks to provide more resources to address cyber security, including the appointment of a chief information security officer (CISO). The CISO will have to work with the bank board to report gaps between the actual state of affairs at each bank and the cyber security requirements under the new framework, and come up with a viable plan by 31 July 2016, which will be reported to the RBI.
 
The RBI itself has created an IT subsidiary, headed by former IPS officer Nandkumar Saravade as its CEO. The cyber security framework, as well as the RBI’s own initiatives to address concerns, will indeed go a long way in strengthening its ability to deal with risks. However, one big question still remains unaddressed: the gap between the RBI’s intentions and banks’ actions. What are the consequences if banks do not comply in letter and spirit with what the regulator wants? The policy does not spell out any penalty or action against banks, the officers concerned or even the auditors responsible for the lapses.
 
Ideally, the RBI should ask the CISO of each bank to furnish a detailed quarterly cyber security compliance report, a summary of which must be available on the bank’s website for customer information. Similarly, an annual cyber security compliance report must be published in the bank’s annual report.
 
Some highlights of the RBI’s cyber security framework are: 
 
The IT architecture of banks should be conducive to security. An indicative, but not exhaustive, minimum baseline cyber security and resilience framework has been defined in an annexure to the guidelines.
 
Banks must address network and database security comprehensively. 
 
Banks must ensure Confidentiality, Integrity and Availability of data/information.
 
Further, irrespective of whether data is stored within the bank or is in transit, the confidentiality of such custodial information must not be compromised.
 
A Cyber Crisis Management Plan (CCMP) should be evolved immediately and be a part of the overall board-approved strategy. It should address four issues: detection, recovery, response and containment. Banks are expected to be well prepared to face emerging cyber threats such as ‘zero-day’ attacks, remote access threats and targeted attacks.
 
Banks must assess the adequacy of, and adherence to, the cyber resilience framework, and measure it through the development of indicators that assess the level of risk and preparedness.
 
All cyber security incidents must be reported to RBI within 2 to 6 hours. The incident reporting format is defined in the guidelines.
 
(Dr Rakesh Goyal is an Engineer, PGDM from IIMB and PhD in Cyber Security with many cyber security certifications. He is MD of Sysman Computers Private Limited and Director General of the Center for Research and Prevention of Computer Crimes. He can be contacted at rakesh@sysman.in.)
 
COMMENTS

B. Yerram Raju

8 months ago

My article on 27th February 2015 in the Money Life has warned of the impending cyber security crisis and the measures both the banks and regulators have to address with a sense of urgency. I must mention that some more are needed, particularly those relating to the mobile transactions linked to AADHAR where the poor operate the payment options and most of them invariably take the assistance of the literate in the neighbourhood.