The Cyber Security Framework (CSF-2016) proposed by RBI to be implemented by Banks has posed a stiff challenge to the community of Bank Directors. After the lukewarm response to its previous guidelines including the E Banking Security Guidelines (GGWG Recommendations) of 2011 from Banks, RBI has now tried to tighten its screws on the Bank boards and therefore repeatedly sought the direct responsibility of the Board of Directors in Banks for ensuring implementation of the recommendations under CSF-2016.
The Countdown has already started. By September 30, 2016, RBI wants several aspects of its recommendation to be in place and it is hardly 51 days to this deadline and probably not more than two board meetings left to review the implementation. The challenge is stiff, but we need to make a start and start running. The spirit is to make an honest attempt.. afterall, we are in the season of Olympics and participation is the key.. Making an honest attempt to win is necessary….But actually winning is incidental..
Let’s briefly review the challenge that our Bank Directors have on their hand now. I wish Directors in banks and more appropriately the “Independent Directors” need to take note of the following in their own interest.
The first deadline given by RBI was July 31, 2016 by which the Board should have approved a “Gap Analysis ” and signed on a report sent to the DBOD. Probably most Banks should have completed the formality. Those who have shot off the report may now review if the report was complete and those who have not, need to review how quickly they can recover the lost ground.
Banks already have some infrastructure to handle Information Security and there will be a sub committee of senior executives already assigned to the task of managing the Information Security in the Bank as per the GGWG guidelines. There is also a CISO in most Banks. The CISO should therefore present (should have already presented) to the Board his assessment of the Gap and recommended action plan.
If not, summon another Board meeting immediately and ask the CISO to make a presentation. Even if a note has been already presented, it is recommended that the CISO is asked to present his views on the Gap report already sent to RBI and modifications that may be required.
The “Gap Report” is to document the current status of the implementation of the “Cyber Security Program” vis a vis the recommendations contained in the Cyber Security Framework-2016 elucidated in the RBI circular of June 2, 2016.
Obviously, in order to prepare this Gap Report or approve it as a member of the Board of Directors, there is a need to understand the CSF-2016 document and absorb its implications. This itself requires a deep understanding of the nuances of Cyber Risk Management without which the Directors can be easily mislead that “All is Well” and ignore the urgent action to be undertaken.
The first question to be raised is
- It is a requirement of the CSF-2016 that the Board of Directors should be adequately trained on Cyber Security issues. Has the CISO organized such an awareness program for the Directors? If not.. when is it scheduled?
- In order not to waste further time, the agenda for the next Board meeting should include a presentation by the CISO of not only the action plan under CSF-2016 but also a general training on the implications of CSF-2016 .
- Since CISO is the implementing party, it is better if such a training program is organized by an external consultant who understands the issues in managing Information Security in the Banking environment and should precede the presentation of the CISO so that right questions can be raised to the CISO.
- Since it is embarassing for the Board to call for a training for itself, it is better to call this an “Interaction with an expert” or a “Round Table” in which the implications of CSF-2016 can be discussed by the members of the Board along with the CISO and his team.
Some of the challenges that the Directors need to meet during this initial interaction is..
a) The Gap report should have identified the Cyber Threats that confront the Banking environment considering the business and product profile of the Bank. The CISO should have developed a “Threat Register” to identify and list the threats.
b) The Gap report should have identified the Cyber Vulnerabilities of the system including the technical, regulatory, and manpower related deficiencies in the system.
c) Based on the threats and vulnerabilities, the CISO should have developed a “Risk Register” listing out the individual Cyber Risks that confront the Bank.
d) The “Risk Identification” should not be restricted to technical matters only and should also address the legal issues such as compliance to Information Technology Act 2000 as amended in 2008 and later (ITA 2000/8) and also take into account the human factors that can result in exploitation both at the employee level and the customer level
c) The Risk Identification has to also assign a measure of the risk criticality which can be either a subjective evaluation of “Low Risk”, “Medium Risk”, “High Risk” etc or assign a value in an objective manner if possible.
d) The CISO should also indicate and recommend the “Risk Management Policy” consisting of how much of the risk can be avoided, how much of the risk can be transferred by insurance, how much of the risk can be mitigated by various measures and how much of the risk has to be absorbed by the organisation.
e) The CISO should also indicate and recommend a brief overview of a “Risk Mitigation Plan” and suggest what should be the “Risk Appetite” of the organization. It would however be the decision of the Board to determine the “Risk Appetite” of the organization which reflects the extent of risk that it can absorb in the interest of business since ultimately commercial activity is always a risk-return trade off.
f) The CISO may also be asked to present his specific recommendations on the status of implementation on the 24 Baseline controls that have been indicated in Annexure 1 of the CSF-2016 as well as how to approach the SOC set up indicated in Annexure 2 and the Incident Reporting structure indicated in Annexure 3 of the CSF-2016
The “Gap Report” is only a starting point and may be imperfect. But what is required to be done is to set in motion a corrective plan so that by September 30, 2016 when a comprehensive “Cyber security Policy” along with an operating “Security Operations Center” and a “Cyber Crisis Management Plan” is to be presented to the RBI with the recommendations of the Board, the Directors are fully aware of the responsibilities they are undertaking in submitting the plan.
This is also the time for the Board to review if its current information security management infrastructure is adequate and needs to be augmented. Finding right people in the domain is not easy and even if a decision is taken today, it is impossible to get quality people before the deadline of September 30 has already elapsed by a mile. Hence the first set of action has to be initiated by the existing team summoning whatever assistance they can gather from within and available external consultancy resources.
There is no doubt that your CISO will say setting up an SOC is a long term project and even a proper risk assessment will take time. But RBI has taken this into account and advised that Banks cooperate amongst themselves through the CISO forum coordinated by IDRBT to share knowledge and achieve the goals faster than what they would otherwise achieve.
This however requires shedding of individual egos of Banks and their CISOs and working in a spirit of cooperation and benefit to the Banking community on the whole.
The Board has a responsibility to provide support to their CISOs to explore such cooperation in a spirit of give and take so that professional CISOs are not constrained by the fears of breaking the norms of secrecy that often shrouds the operation of the information security departments.
… With these introductory words, I urge the Directors of the Banks to accept the challenge placed before them by RBI to strive towards achieving the Cyber Security Goal however difficult it appears to be.