Money & Banking
RBI’s new Cyber Security Framework increases banks’ responsibility and enhances protection of stakeholders
The Reserve Bank of India (RBI) has come up with a Cyber Security Framework for Banks that was notified on 2 June 2016 and offers significant benefits to both banks and their customers. (RBI/2015-16/418, DBS.CO/CSITE/BC.11/33.01.001/2015-16 on 02/06/2016). 
 
This new framework asks banks to put in place a board-approved, documented “Cyber Security Policy” with a clear strategy and approach to combat cyber threats, based on the complexity level of their business and acceptable levels of risk. Banks have been asked to communicate this policy to a brand new Cyber Security and Information Technology Examination (CSITE) Cell created under the Department of Banking Supervision (DBS) before 30 September 2016.
RBI first issued Cyber Security Guidelines in 2001, which were revised in 2011, based on the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds - Implementation of Recommendations, headed by G Gopalakrishna, its Executive Director.
 
However, cyber fraud and misuse of technology have evolved at such a rapid pace that the RBI has needed to update its cyber security framework again, even though the 2011 guidelines dealt in reasonable detail with a broad range of issues, including IT governance, information security (IS), IS audit, IT operations, IT services outsourcing, cyber fraud, business continuity planning, customer awareness programmes and legal aspects.
 
The cyber security policy of banks must be distinct and separate from their broader IT policy or IS security policy so that it can highlight risks from cyber threats and the measures to address and mitigate these risks. A Security Operations Centre (SOC) has to be set up, which will be responsible for continuous surveillance and testing for vulnerabilities at reasonable intervals. The role and responsibility of the SOC have been spelt out. Some of the prescriptions in the framework are an implicit acknowledgment of lax network and database security.
 
Ideally, the RBI needs to update its cyber security policy annually, to keep pace with rapid changes in technology, but a new security framework certainly offers better protection to bank customers. 
 
Since a bank is defined as the data owner by the RBI, it is the bank’s duty and responsibility to protect the confidentiality, integrity and availability of data, and customers have a right to know the steps that banks have taken in this regard. This is particularly useful in case of litigation because banks, in the past, have tried to define themselves as an ‘intermediary’ to avoid responsibility under sections 43 and 43A of the IT Act 2000/2008.
 
Banks have been made responsible for creating awareness about cyber threats and the resilience of their systems among stakeholders (this includes customers, employees, partners and vendors). The policy makes it clear that if the bank fails to do so and any security incident happens due to the ignorance of a stakeholder, the stakeholder will not be responsible.
 
The new framework requires bank board members to become more aware and vigilant about cyber security. They can be held directly liable for lapses and losses to the bank and customer if they cannot establish that due diligence was done to address cyber security. It will also force banks to provide more resources to address cyber security, including the appointment of a chief information security officer (CISO). The CISO will have to work with the bank board to report gaps between the actual state of affairs at each bank and the cyber security requirement under the new framework and come up with a viable plan by 31 July 2016, which will be reported to the RBI.
 
The RBI itself has created an IT subsidiary, headed by former IPS officer Nandkumar Saravade as its CEO. The cyber security framework, as well as the RBI’s own initiatives to address concerns, will indeed go a long way in strengthening its ability to deal with risks. However, one big question still remains unaddressed: the gap between the RBI’s intentions and banks’ actions. What are the consequences if banks do not comply in letter and spirit with what the regulator wants? The policy does not spell out any penalty or action against banks, concerned officers or even auditors responsible for the lapses.
 
Ideally, the RBI should ask the CISO of each bank to furnish a detailed quarterly cyber security compliance report, a summary of which must be available on bank websites for customer information. Similarly, an annual cyber security compliance report must be published in each bank’s annual report.
 
Some highlights of the RBI’s cyber security framework are: 
 
The IT architecture of banks should be conducive to security. An indicative, but not exhaustive, minimum baseline cyber security and resilience framework has been defined in an annexure to the guidelines.
 
Banks must address network and database security comprehensively. 
 
Banks must ensure Confidentiality, Integrity and Availability of data/information.
 
Further, irrespective of whether the data is stored or in transit within them, the confidentiality of such custodial information should not be compromised.
 
A Cyber Crisis Management Plan (CCMP) should be immediately evolved and be a part of the overall Board-approved strategy. It should address four issues: detection, recovery, response and containment. Banks are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.
 
Banks must assess the adequacy of, and adherence to, the cyber resilience framework and measure them through the development of indicators to assess the level of risk/preparedness.
 
All cyber security incidents must be reported to RBI within 2 to 6 hours. The incident reporting format is defined in the guidelines.
 
 


COMMENTS

B. Yerram Raju

12 months ago

My article on 27th February 2015 in the Money Life has warned of the impending cyber security crisis and the measures both the banks and regulators have to address with a sense of urgency. I must mention that some more are needed, particularly those relating to the mobile transactions linked to AADHAR where the poor operate the payment options and most of them invariably take the assistance of the literate in the neighbourhood.

SEBI to Issue Discussion Paper on HFT after It Accounts for 98% Equity Derivative Orders
A year after Moneylife published a whistleblower’s letter pointing to grave issues in the way high frequency trading (HFT) was conducted at India’s largest bourse, SEBI is still discussing plans to “put in place stringent norms for high-frequency trades along with higher penalties for misuse.” 
 
HFT refers to the use of complex algorithms and high-powered electronic machines to execute thousands of transactions in a fraction of a second. This allows traders to make huge profits by scalping tiny gains from changing prices. It gives large players with servers located within the exchange (called co-location) an advantage over other investors, big and small. An investigation commissioned by SEBI’s technical advisory committee (TAC), following Moneylife’s exposé, confirmed all the main charges of the whistleblower. Although SEBI has not released the details of the report, the minutes of the TAC’s meeting dated 15th March are available to many media and industry persons, including Moneylife. This is the background to chairman UK Sinha’s statement to the media on 25th May that SEBI plans to issue a discussion paper on tightening the HFT rules, tackle the issue of fairness to all market participants and issue new rules in three or four months.
It is rather strange that SEBI will put out its first discussion paper six years after it allowed bourses to start HFT and when HFT already accounts for anywhere between 94% and 98% of trade orders in the cash and equity derivatives segment of the market. Instead, a time-wasting public discussion will be conducted when SEBI needs to act quickly on the findings of its own investigation and tighten the rules.
 
Mr Sinha justifies this lax attitude by emphasising that “SEBI is among the first regulators to have some kind of regulations in place on HFT.” This only indicates the kind of power that large financial institutions, brokerage firms and bourses exert on regulators around the world. It also shows that, eight years after a global financial crisis and five years after the “occupy Wall Street” protests, regulatory capture by those with money power remains undiminished. Bloomberg newswire has reported that two of India’s top broker associations have demanded action on the SEBI panel’s findings and to punish those involved in wrongdoing; but SEBI is in no hurry to even announce new regulations at least for three months. 
 
Moneylife learns that the finance ministry as well as some MPs (members of parliament) have keenly followed SEBI’s action in connection with the findings of its TAC and asked for its report. The SEBI chairman is also reported to have told the media that some government agencies were looking at the issue from a cyber-security perspective.


RBI keeps policy rates unchanged
The Reserve Bank of India (RBI), in its second bi-monthly credit policy review on Tuesday for FY2016-17 has kept the policy rates unchanged. The repo rate will remain at 6.50% while the reverse repo rate under the liquidity adjustment facility (LAF) will also remain at 6%. The marginal standing facility (MSF) rate and the bank rate also remain static at 7.0%. 
 
In a statement, RBI Governor Dr Raghuram Rajan said, "Incoming data since first bi-monthly policy show a sharper-than-anticipated upsurge in inflationary pressures emanating from a number of food items (beyond seasonal effects), as well as a reversal in commodity prices. A strong monsoon, continued astute food management, as well as steady expansion in supply capacity, especially in services, could help offset these upward pressures. Given the uncertainties, the Reserve Bank will stay on hold, but the stance of monetary policy remains accommodative. The Reserve Bank will monitor macroeconomic and financial developments for any further scope for policy action."
 
"More monetary transmission to support the revival of growth continues to be critical. The government’s reform measures on small savings rates combined with the Reserve Bank’s refinements in the liquidity management framework should help the transmission of past policy rate reductions into lending rates of banks. The Reserve Bank will shortly review the implementation of the Marginal Cost Lending Rate framework by banks. Timely capital infusions into constrained public sector banks will also aid credit flow," he added.
 
Arundhati Bhattacharya, Chairman of State Bank of India (SBI) thinks that capital infusion will be the key going forward to support credit growth. She said, "The decision to keep the repo rate unchanged was as per market consensus. The tone of the policy is fairly balanced, pragmatic and continues to reemphasize that the policy continues to be in accommodative cycle. Inflation trajectory seems broadly in line with RBI prognosis, though we are fairly hopeful of inflation possibly undershooting RBI Jan 2017, 5% target."
 
Commenting on the RBI policy, Chanda Kochhar, MD and CEO, ICICI Bank said, "The RBI's continued commitment to an accommodative policy stance and the assurance of moving towards a neutral liquidity framework is positive. This should continue to support transmission of RBI's policy stance. Additionally, the reassurance that the RBI stands ready to mitigate any financial volatility resulting out of FCNR deposit maturities due later this year is very welcome. Overall, macro-economic conditions are conducive for an improving growth trajectory as the various policy measures announced by the Government take effect."
 
With the RBI's accommodative stance still in place, Yes Bank sees a high probability of a rate cut in August by at least 50bps. "It appears that the uncertainties on the global horizon with Fed policy overhang and UK Brexit vote tipped RBI's decision in favour of a status quo. I foresee RBI's cautious stance giving way to accommodative actions in August, on the back of favourable monsoon outcomes and sustained acceleration of Government reforms," says Rana Kapoor, MD & CEO of YES Bank.
 
Industry body Confederation of Indian Industries (CII) feels that the RBI could have given more emphasis to the need to continue the rate cutting cycle. "Instead, the RBI has chosen to rely on the transmission of lower interest rates to borrowers by the banks. At this time when credit demand is still flat and industry is facing a demand crunch, a rate cut would have done much to restore the investment cycle. CII is hopeful that RBI will resume the rate cutting cycle and support growth impulses in the economy in the next monetary policy," says Chandrajit Banerjee, Director General of CII.
 
According to the central bank, inflation surprise in April reading makes the future trajectory of inflation somewhat more uncertain. The expectations of a normal monsoon and a reasonable spatial and temporal distribution of rainfall, along with various supply management measures and the introduction of the electronic national agriculture market (e-NAM) trading portal, should moderate unanticipated flares of food inflation, it said. 
 
"In addition," RBI said, "capacity utilisation indicators suggest that the available headroom in industry could keep output prices subdued even as demand picks up. Nonetheless, there are upside risks – firming international commodity prices, particularly of crude oil; the implementation of the 7th Central Pay Commission awards, which will have to be factored into projections as soon as clarity on implementation emerges; the upturn in inflation expectations of households and of corporates; and the stickiness in inflation excluding food and fuel. Taking these factors into account, the inflation projections given in the April policy statement are retained, though with an upside bias. Considerable uncertainty surrounds these projections (see below), which should be clarified by incoming data in the next few months." 
 
 
Commenting on the RBI status quo on monetary policy, Dr Arun Singh, lead economist at Dun & Bradstreet India, says, "The upside risk to inflation however received a tad more weightage in the policy statement, turning the spotlight to continued astute food management as well as steady expansion in supply capacity - particularly in services. The focus on efficient transmission of earlier rate cuts has received much emphasis in the policy statement. All eyes are now set on the monsoon rains as it could have potential inflationary or disinflationary pressures."
 
RBI says it sees domestic conditions for growth improving gradually, mainly driven by consumption demand that is expected to strengthen with a normal monsoon and the implementation of the Seventh Pay Commission award. "Higher public sector capital expenditure, led by roads and railways, should crowd in private investment, offsetting somewhat the subdued appetite for fresh private investment due to financial stress. Yet, business confidence will be restrained to an extent on account of unrelenting global factors. On a reassessment of balance of risks, therefore, the gross value added (GVA) growth projection for 2016-17 has been retained at 7.6% with risks evenly balanced," it added.
 
Saravana Kumar, Chief Investment Officer, LIC Mutual Fund, says, "More monetary transmission to support the revival of growth continues to be critical. The government's reform measures on small savings rates combined with the Reserve Bank's refinements in the liquidity management framework should help the transmission of past policy rate reductions into lending rates of banks."
 
Recently released provisional estimate of GVA for 2015-16 marginally scaled down the annual growth rate to 7.2%, on a deceleration of services sector activity in relation to the advance estimates. There was, however, a sequential pickup in activity in fourth quarter of FY2016, in line with expectations. 
 
As regards the current financial year, the India Meteorological Department (IMD) has forecast an above-normal and well-distributed south west monsoon as El Nino wanes – albeit with a slightly delayed onset. Realisation of this prediction is critical for the outlook for agriculture since reservoir levels have been depleted to 17% of capacity – 40% lower than the level a year ago. Even though rabi procurement was lower in April-May 2016 than a year ago, mid-May food stocks at 58 million tonnes were almost three times the norm for first quarter.
 
The index of industrial production (IIP) decelerated in 2015-16, mainly pulled down by weak manufacturing in an environment of subdued investment demand and weak rural consumption. In May 2016, the manufacturing purchasing managers’ index (PMI) remained subdued on account of slowing output and export orders. However, except for natural gas and crude oil, the core sector registered strong growth in April 2016 on account of a seasonal pick-up in industries like electricity, also supported by a low base. There are signs that corporate performance is improving. Available information on fourth quarter earnings suggests double digit growth in earnings before interest, taxes, depreciation and amortization (EBITDA) levels for non-financial corporates. The Reserve Bank’s latest rounds of forward looking surveys indicate an improvement in the overall business situation, driven by a pick-up in capacity utilisation and in order books – both domestic and external. 
 
"These developments have improved the expectation of business conditions in the first half of 2016-17. Public investment, especially in roads and railways, is gaining strength, though the continuing weakness in private investment is of concern. Demand conditions are likely to improve going forward; consumer confidence is seen as rising on improving expectations of employment and spending, with rural demand aided by a stronger monsoon. Rising capacity utilisation should prompt private investment," RBI added.
 
According to the central bank, some high frequency indicators for April point to a firming recovery, although it is still uneven. It says, "Leading the upturn are cargo traffic at major ports, automobile sales, especially two-wheelers and three-wheelers, commercial vehicle sales, passenger air and freight traffic, cement production and steel consumption. Abstracting from seasonal effects, this suggests that the expansion, especially in the service sector, is getting broad-based. On the other hand, railway freight traffic and passenger car sales have decelerated on sector-specific constraints. Purchasing managers in the services sector indicated slowing new business in May and subdued expectations of future activity."
 
Ratings agency CRISIL expects another 25bps cut this fiscal. "The RBI's policy stance remains accommodative, but before wielding the knife on interest rates, it will monitor the growth recovery, US fed action, monsoons, trend in food inflation and watch how the things unfold in the money market," it said.
 
Here are the latest policy rates following RBI review… 
 
Repo Rate: 6.50%
Reverse Repo Rate: 6%
CRR: 4%
Bank Rate: 7%
 

 
