Let's Build a Responsible Cyber Society




Due Diligence: Chairman of Banks in India

Today two interesting news reports have appeared in the news papers. These reports have come to my notice as common man and if I was merely one of those "Mr Citizen" types, I would have perhaps ignored the news or at best glanced through them and proceeded to more interesting news of what Sachin says or Which new scam is on the table? etc.

As an ex-Banker and presently a Techno Legal Information Security Consultant as well as a Netizen activist, however, my thoughts run in a different direction and I would like to point this out for the specific notice of the Chairman of various Banks in India. Many of these Chairmen are persons of my generation and not Information Technology experts. They know more about NPA guidelines rather than Information Security guidelines. They might have therefore missed an important action point that arises when they read such stories in the news papers. The objective of this article is to highlight this responsibility of the Chairman of a Bank.

The first story I am referring is the news from Hindustan Times titled "Writing on the wall spelt bad news for Dadar bank"  which reports that in one of the branches of Union Bank of India at Dadar, Mumbai, there was a burglary in which the burglars entered the cashier's room took the key to the strong room and opened the strong room all in the night. Don't ask me why the key to the strong room was left in the cashier's drawer. There is one more interesting aspect in this incident. It appears that the Bank had set up a burglar alarm system which was programmed to go off if the strong room is opened even with the genuine key outside the designated hours. Police were wondering why the alarm did not ring. It was later observed that on the wall of the strong room a number had been written and this was actually the PIN to deactivate the alarm system. It is reported that this existed for the past 6 months on the wall and no body seems to have realized the risk. Some times we blame customers of banks who write ATM PIN number on the card itself and when they lose the card, the thief finds it convenient to use the card to draw money from ATMs. We blame the ignorance of the customers and express pride that "Banks system are secure and it is only the ignorant customers who bring a bad name to them". Now the customers of the Banks can also have their share of making fun of Banker's sense of security.

The second report is the article in Deccan Herald titled "Hackers may catch Indian banks napping"  This article carries a reaction of a CISO of a Bank on a security query which needs some introspection. When informed of a security hole in the Bank's system he is reported to have stated " Has a fraud happened? If not, why worry?. Well, it is not the worry of the security consultant that the Bank is not concerned about a security flaw. It is the Customers of the bank since the security hole is likely to reflect in Phishing attacks in which they will lose money.

Under the circumstances when news reports such as these come to the knowledge of a Bank's Chairman, or an Independent Director, it is necessary for us to remind them of their fiduciary responsibilities. Bank's Chairman is the CEO and he is ultimately responsible for the security and when it goes wrong, he has to face the civil and criminal liabilities that attaches to him in law as "Vicarious liability". The independent Directors as well as other Directors are also equally responsible for the management of the Bank and hence they also need to be conscious of their liabilities for security lapses.

 It should be noted that the management of the Banks involved in the above two incidents as well as every other Bank which has come to know that such a security lapse exists in the system now has the responsibility to initiate a corrective action which qualifies as "Due Diligence" under law.. For example, If I am the Chairman of Union Bank I need to immediately take action to pull up the responsible executives and also send circulars to all Branches to avoid such security lapses. I need to call a meeting of the top executives, discuss, chart out a correction plan and document the meeting. I also need to follow up with disciplinary action against the erring personnel since blanker condonement of a security lapse is not acceptable in security best practice.

 As regards the Deccan Herald report where the name of the bank is not known, the first due diligence action which I as a Chairman of any Bank should take is to call a meeting with my CISO and CIO (If there are different persons handling the security of information system and general security) and enquire if it was he who is referred to in the report of Deccan Herald (where the name of the Bank is not known) and if so what is the security hole and how it can be breached. I need to document this meeting and follow up with a letter addressed to the CISO for necessary action and reporting back before the next Board meeting when it should be placed before the Board for information. I should also send out a circular to all the executives pointing out to this report as well as the Dadar Union Bank burglary report and initiate corrective action and reporting back to the Board within a reasonable time. These are the obligations cast on the Chairmen of Banks both under ITA 2008 and Gopalakrishna Working Group report. Related report in DH.

 If I am an Independent Director of a Bank then I will raise this issue in a letter which I will write today to the Chairman and also request him to discuss this in the next Board meeting. This will be my part of "Due Diligence". I will also raise in this letter what action has the Bank taken to implement the G Gopalakrishna Working group report on E-Banking on which the first deadline prescribed by RBI is October 31st".

I hope that some of the thoughts expressed by me here as an ex-Banker groomed in the earlier physical Banking era and migrated to the area of Information Security in the digital era are also the thoughts of the top management in Banks who also belong to my generation, with the same commitment on the safety of the customers though not with the same exposure on security issues.



July 13, 2011

 Related report in DH : Related Report in HT

 Comments are Welcome at naavi@vsnl.com