Two months after malware attack on Cosmos Bank, on Oct 19, 2018, the RBI came out with new norms to scale up the cyber-security and resilience framework at the urban cooperative banks (UCBs). According to the circular, all 1500 UCBs should immediately put in place a Cyber Security policy, duly approved by their Board/Administrator, giving a framework and the strategy containing a suitable approach to check cyber threats depending on the level of complexity of business and acceptable levels of risk within three months from the date of circular, i.e. by January 2019.
The RBI also intends to fast-track implementation of the directions. UCBs are required to implement the basic cyber-security controls and report the same on or before March 31, 2019.
The circular, titled “Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs)”, shows how it has become necessary to all such banks to enhance the security. By improving the security defenses to address the rapidly growing cyber risks.
What is typically seen across the spectrum of banks, the level of technology adoption is different across the banks in this sector – some banks offering state-of-the-art digital products to its customers and some banks maintaining their books of account in a standalone computer and using e-mail for communicating with its customers/supervisors/other banks. Hence, RBI has decided to issue basic cyber security guidelines applicable to all UCBs.
All UCBs are free to adopt advanced cyber security norms depending on its Self-Risk Assessment, complexity of its Information Technology (IT)/ Information Security (IS) systems, nature of digital products offered, etc. as decided by their Boards.
As per “RBI Cyber Security framework”, all UCBs need to immediately put in place a Cyber Security policy, duly approved by their Board/Administrator, giving a framework and the strategy containing a suitable approach to check cyber threats depending on the level of complexity of business and acceptable levels of risk. The IT framework must be reviewed periodically by the Board or its IT subcommittee in order to identify vulnerable areas and put in place a suitable cyber security system to address the issues after assessment.
For tricky areas such as Business Continuity or Disaster Management, the Cyber Crisis Management plan, prepared by CERT-In (Computer Emergency Response Team – India maybe referred to by the UCBs for guidance.
A few of the crucial control requirements are as under:
- UCBs should be in a position to promptly detect any cyber intrusions (unauthorised entries) so as to respond/recover/contain impact of cyber-attacks, especially those offering services such as internet and mobile banking, RTGS/NEFT/SWIFT, credit and debit cards etc.
- UCBs should review the organisational arrangements so that the security concerns are brought to the notice of suitable/concerned officials to enable quick action.
- All UCBs should create a cyber-safe environment in the organization. This will require a high level of awareness/familiarisation among staff at all levels including Board and Top Management. UCBs should actively promote among their customers, vendors, service providers and other concerned parties an understanding of its cyber security objectives.
- UCBs, as owners of customer sensitive data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with the third party vendors; the confidentiality of such custodial information should not be compromised in any situation.
- UCBs to put in place suitable systems and processes across the data/information lifecycle. UCBs may educate and create awareness among customers with regard to cyber security risks.
- All UCBs should report immediately all unusual cyber security incidents to Department of Co-operative Bank Supervision by email, giving full details of the incident. A ‘NIL’ report shall be submitted on quarterly basis in case of no cyber security incidents.
The mindset that implementation of IT increases the cost of operations is not acceptable because IT-enabled operations are a necessity to be relevant in the market place and at the same time, one needs to do what it takes to ensure safety of depositors. It is a matter of concern that there are still 171 UCBs which have yet to fully-implement CBS (core banking solutions) and have also not availed the assistance being provided by Reserve Bank in this regard”
The circular with its “13-point framework” broadly covers all the essentials, be it maintaining an up-to-date “IT Asset Inventory Register” and implementing appropriate controls to secure UCBs’ infrastructure and networks or “Vendor/Outsourcing Risk Management”. Moreover, the RBI has made it clear that the “Cyber Security Policy should be distinct from the IT/IS policy of the UCB.
All UCBs are free to adopt more advanced cyber-security norms on the basis of their respective self-risk assessments and product portfolio, as decided by their boards.
To read the entire circular, click here.