Information Technology Structure for NBFCs: RBI issues guidelines

On June 8, 2017, RBI issued an important document containing guidelines for an Information Technology Framework for the NBFC sector. The Master Direction sets detailed guidelines for managing the IT infrastructure of NBFCs in order to enhance the safety, security and efficiency of IT operations. The guidelines are on the lines of the Gopala Krishna Working Group (GGWG) recommendations for Banks and cover

  1. IT Governance
  2. IT Policy
  3. Information and Cyber Security
  4. IT Operations
  5. IS Audit
  6. Business Continuity Planning and
  7. IT Services Outsourcing.

Subsequently in 2016, a Cyber Security Framework for Banks was also mandated.

While the directions proceed on expected general principles of Good IT Governance, it is interesting to note that Information Security has been defined to include “Authenticity” as one of the basic tenets apart from the well known CIA principle (Confidentiality, Integrity and Availability). The Total Information Assurance model which the undersigned recommends is based on a similar thought process and in fact extends it to a fifth tenet, which is “Non Repudiation”. “Non Repudiation” is an extension of “Authenticity” and hence we can equate the new RBI quartet of CIAA as not different from Naavi’s adoption of CIAA and Non Repudiation.

The IS policy is recommended to be built on

  1. Identification and Classification of Information Assets. NBFCs shall maintain detailed inventory of Information Asset with distinct and clear identification of the asset.
  2. Segregation of functions: There should be segregation of the duties of the Security Officer/Group (both physical security as well as cyber security) dealing exclusively with information systems security and the Information Technology division which actually implements the computer systems. The information security function should be adequately resourced in terms of the number of staff, level of skill and tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there should be a clear segregation of responsibilities relating to system administration, database administration and transaction processing.
  3. Role based Access Control: Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.). NBFCs shall avoid dependence on one or a few persons for a particular job. There should be clear delegation of authority for the right to upgrade/change user profiles and permissions and also key business parameters (e.g. interest rates), which should be documented.
  4. Personnel Security: A few authorized application owners/users may have intimate knowledge of financial institution processes and they pose a potential threat to systems and data. NBFCs should have a process of appropriate checks and balances in this regard. Personnel with privileged access like system administrators, cyber security personnel, etc. should be subject to rigorous background checks and screening.
  5. Physical Security: The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. NBFCs need to create a secured environment for physical security of IS Assets, such as secure location of critical data, restricted access to sensitive areas like the data center, etc.
  6. Maker-checker: Maker-checker is one of the important principles of authorization in the information systems of financial entities. For each transaction, at least two individuals must be necessary for its completion, as this will reduce the risk of error and will ensure reliability of information.
  7. Incident Management: The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
  8. Audit Trails: NBFCs shall ensure that audit trails exist for IT assets satisfying their business requirements, including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
  9. Public Key Infrastructure (PKI): NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and non-repudiation.

It is interesting to note that RBI stops at suggesting that NBFCs may increase the usage of PKI and does not make it a mandate, though any prudent NBFC would want its operations to be fully compliant with the law of the land even where the regulatory authority has given it a certain cushion.

A separate mention has been made of a “Cyber Security Policy”, though experts would consider Information Security and Cyber Security as interdependent.

As indicated in the Cyber Security Framework (CSF) for Banks, the directions require that “The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness among the stakeholders including employees may also form a part of this assessment.”

Similarly, a “Cyber Crisis Management Plan” has also been suggested, which includes Detection, Response, Recovery and Containment principles. As in the CSF, it has been stated that NBFCs are “Expected” to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.

A specific mention has also been made of the necessity to take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

Additionally, a Cyber Incident Reporting mechanism has also been suggested, in a format similar to that meant for the Banks, and the reporting has to be done within 24 hours. (Format)

On mobile, “End to End Encryption” has been mandated to maintain information security. A warning has also been sounded on the risks of using Social Media for marketing and the possibility of malware distribution through this channel.

For smaller NBFCs with an asset size of less than Rs 500 crores, it has been suggested that the appropriate Information Technology policy is put in place by September 30, 2018.

In summary, one can observe that RBI, like in its earlier guidelines, is washing its hands of the matter by sending out a circular. It has been observed that RBI does not normally care to follow up on implementation of any of its Information Security related circulars, at least as we have seen in the Banking sector. Hopefully they will be more proactive in implementation since NBFCs are not as powerful as Banks and cannot arm-twist the RBI.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.