RBI’s new Cyber Security Framework increases banks’ responsibility and enhances protection of stakeholders
The Reserve Bank of India (RBI) has come up with a Cyber Security Framework for Banks that was notified on 2 June 2016 and offers significant benefits to both banks and their customers. (RBI/2015-16/418, DBS.CO/CSITE/BC.11/33.01.001/2015-16 on 02/06/2016).
This new framework asks banks to put in place a board-approved, documented “Cyber Security Policy” with a clear strategy and approach to combat cyber threats, based on the complexity level of their business and acceptable levels of risk. Banks have been asked to communicate this policy to a brand new Cyber Security and Information Technology Examination (CSITE) Cell, created under the Department of Banking Supervision (DBS), before 30 September 2016.
RBI first issued Cyber Security Guidelines in 2001, which were revised in 2011 based on the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds - Implementation of Recommendations, headed by G Gopalakrishna, its Executive Director.
However, cyber fraud and misuse of technology have evolved at such a rapid pace that the RBI has needed to update its cyber security framework again, even though the 2011 guidelines dealt in reasonable detail with a broad range of issues, including IT governance, information security (IS), IS audit, IT operations, IT services outsourcing, cyber fraud, business continuity planning, customer awareness programmes and legal aspects.
The cyber security policy of banks must be distinct and separate from their broader IT policy or IS security policy, so that it can highlight risks from cyber threats and the measures to address and mitigate these risks. A Security Operations Centre (SOC) has to be set up, which will be responsible for continuous surveillance and for testing for vulnerabilities at reasonable intervals. The role and responsibility of the SOC has been spelt out. Some of the prescriptions in the framework are an implicit acknowledgment of lax network and database security.
Ideally, the RBI needs to update its cyber security policy annually, to keep pace with rapid changes in technology, but a new security framework certainly offers better protection to bank customers.
Since a bank is defined as the data owner by the RBI, it is the bank’s duty and responsibility to protect the confidentiality, integrity and availability of data, and customers have a right to know the steps that banks have taken in this regard. This is particularly useful in case of litigation because banks, in the past, have tried to define themselves as an ‘intermediary’ to avoid responsibility under sections 43 and 43A of the IT Act 2000/2008.
Banks have been made responsible for creating awareness about cyber threats and the resilience of their systems among stakeholders (this includes customers, employees, partners and vendors). The policy makes it clear that if the bank fails to do so and any security incident happens due to a stakeholder’s ignorance, the stakeholder will not be held responsible.
The new framework requires bank board members to become more aware and vigilant about cyber security. They can be held directly liable for lapses and for losses to the bank and its customers if they cannot establish that due diligence was done to address cyber security. It will also force banks to provide more resources to address cyber security, including the appointment of a chief information security officer (CISO). The CISO will have to work with the bank board to report gaps between the actual state of affairs at each bank and the cyber security requirements under the new framework, and come up with a viable plan by 31 July 2016, which will be reported to the RBI.
The RBI itself has created an IT subsidiary, headed by former IPS officer Nandkumar Saravade as its CEO. The cyber security framework, as well as the RBI’s own initiatives to address concerns, will indeed go a long way in strengthening its ability to deal with risks. However, one big question still remains unaddressed: the gap between the RBI’s intentions and banks’ actions. What are the consequences if banks do not comply in letter and spirit with what the regulator wants? The policy does not spell out any penalty or action against banks, the officers concerned, or even the auditors responsible for the lapses.
Ideally, the RBI should ask the CISO of each bank to furnish a detailed quarterly cyber security compliance report, a summary of which must be available on the bank’s website for customer information. Similarly, an annual cyber security compliance report must be published in the bank’s Annual Report.
Some highlights of the RBI’s cyber security framework are:
• The IT architecture of banks should be conducive to security. An indicative, but not exhaustive, minimum baseline cyber security and resilience framework has been defined in an annexure to the guidelines.
• Banks must address network and database security comprehensively.
• Banks must ensure the Confidentiality, Integrity and Availability of data/information. Further, irrespective of whether the data is stored or in transit within them, the confidentiality of such custodial information should not be compromised.
• A Cyber Crisis Management Plan (CCMP) should be evolved immediately and be a part of the overall Board-approved strategy. It should address four issues: detection, recovery, response and containment. Banks are expected to be well prepared to face emerging cyber threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.
• Banks must assess the adequacy of, and adherence to, the cyber resilience framework, and measure it through the development of indicators to assess the level of risk/preparedness.
• All cyber security incidents must be reported to RBI within 2 to 6 hours. The incident reporting format is defined in the guidelines.
(Dr Rakesh Goyal is an Engineer, a PGDM from IIMB and a PhD in Cyber Security, with many cyber security certifications. He is MD of Sysman Computers Private Limited and Director General of the Center for Research and Prevention of Computer Crimes. He can be contacted at [email protected].)