RBI to strengthen cyber security in Indian banks

Written by Arijit Dutta || June 23 2016

The Reserve Bank of India (RBI) has proposed that commercial banks need to institute a Board-approved Cyber Security Policy no later than September 30, in a bid to address the growing number of cyber threats and reported incidents of cyber crime in the banking industry. The RBI set the rules in a letter to bank chief executives this month, with Regional Rural Banks exempt from the change. The use of technology in banks, already an "integral part" of operational strategy, has gained further momentum, hence the need for such guidelines, the RBI said.

The Cyber Security Policy is distinct from the existing information technology (IT) and the information security (IS) rules that banks have, and the RBI expects the new policy to be comprehensive and aligned to the nature and operations of each specific bank, rather than a plain vanilla document common to all banking institutions. The central bank expects banking institutions to prepare a policy identifying various cyber risks, types of risks, and the different strategies to prevent and tackle these risks when the system gets attacked.

In addition, banks are requested to ascertain their level of risk, choosing among low, moderate or high. This self-assessment will then be used to monitor the performance of banks on cyber security. Interestingly, the central bank is forcing banks to look at cyber security at a granular level, ordering them to describe the level of risks, identify the various types of businesses, the different business products and services offered, regulatory requirements, associations with third parties, and technologies. The RBI also ordered financial institutions to install proper systems and use adequate technology to ensure the security and confidentiality of personal and sensitive customer information, irrespective of whether it is stored in the banks or with third-party vendors.

Going forward, it will be mandatory for banks to establish and publish a Cyber Crisis Management Plan as part of their Cyber Security Policies, and banks will also have to share information on cyber threats and attacks ranging from ransomware or cryptoware to password-related frauds, even if these attacks were unsuccessful. The RBI believes that actively sharing information and a collaborative effort will mitigate cyber security risks.

A majority of Indian banks have recently instituted enterprise risk management frameworks covering technology functions in detail. Even so, the RBI's current push for a separate Cyber Security Policy and Framework signals that this has clearly not been enough. By insisting on a Board-level sign-off, the RBI is placing cyber security as a top agenda item for financial institutions, and it also foreshadows the potentially large business disruption if the issue is not addressed now.