RBI has from time to time provided guidelines to Banks on managing Information Security. Recently, RBI has also created an Information Security subsidiary which, apart from looking after Information Security within RBI, will also provide policy guidance to the Banking industry as a whole.
While the IT subsidiary is kicking off its activities with the appointment of a CEO (Mr Nandakumar Sarvade), RBI has come up with a notification on a “Cyber Security Framework for Banks”, vide its circular dated June 2, 2016 (RBI/2015-16/418, DBS.CO/CSITE/BC.11/33.01.001/2015-16), as an extension of the circular of April 29, 2011, which followed the well-known GGWG report on which extensive comments were made in 2011.
In particular, the new circular of June 2, 2016 recognizes the growing sophistication of attacks on the Banking sector and highlights the need to put in place an “adaptive Incident Response, Management and Recovery” framework to deal with adverse incidents/disruptions, if and when they occur.
Some of the key aspects of the circular are reproduced below.
- Banks need to communicate to the Cyber Security and Information Technology Examination (CSITE) cell of the DBOD that they have in place a “Cyber Security Policy” elucidating the strategy containing an appropriate approach to combat Cyber threats.
- The Cyber Security policy is to be distinct from the broader IT Policy/IS Security policy of a Bank and highlight the risks from cyber threats and measures to address/mitigate these risks.
- While identifying the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organisational culture and internal & external threats.
- It is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not already done. It is essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.
- Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks.
- A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. Cyber-risk is different from many other risks and hence the traditional BCP/DR arrangements may not be adequate.
- Banks need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out. Banks are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.
- The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness.
- It is reiterated that banks need to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank. Banks are also encouraged to actively participate in the activities of their CISOs’ Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Banks are required to report promptly the incidents, in the format given.
- The format indicates that the report on “Cyber Incidents” is to be submitted within two to six hours, and that it includes an “Impact Assessment” covering the “Legal Impact”. (Looks too good to be true!)
- The material gaps in controls may be identified early and appropriate remedial action under the active guidance and oversight of the IT Sub Committee of the Board as well as by the Board may be initiated immediately. The identified gaps, proposed measures/controls and their expected effectiveness, milestones with timelines for implementing the proposed controls/measures and measurement criteria for assessing their effectiveness including the risk assessment and risk management methodology followed by the bank/proposed by the bank, as per their self-assessment, may be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Central Office not later than July 31, 2016 by the Chief Information Security Officer.
- Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized.
- Banks should proactively promote, among their customers, vendors, service providers and other relevant stakeholders an understanding of the bank’s cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing.
- It is well recognised that stakeholders’ (including customers, employees, partners and vendors) awareness about the potential impact of cyber-attacks helps in cyber-security preparedness of banks. Banks are required to take suitable steps in building this awareness.
- Concurrently, there is an urgent need to bring the Board of Directors and Top Management in banks up to speed on cyber-security related aspects, where necessary, and hence banks are advised to take immediate steps in this direction.
- A Copy of this circular may be placed before the Directors in the ensuing meeting
A close observation of the guidelines indicates that this circular is significantly different from, and more aggressive than, the earlier guidelines and comes close to what Naavi has been suggesting as “Techno Legal Information Security”. RBI must be congratulated for coming up with these guidelines.
The responsibility of the Directors is emphasized by the insistence on placing the circular before the Board at its next meeting. The circular also recognizes that data is processed by the Bank as an “Owner” and not as an “Intermediary”, which was often a point of difference in my discussions with Bankers. Another notable feature is that by including “Zero day” attacks in the list of threats, the expectation on the security measures required has been significantly enhanced.
CISOs will no longer be comfortable after this circular, which will actually force Banks to create a separate “Cyber Security Policy” over and above the “Information Security Policy”. This may also require a segregation of duties by designating a separate “Cyber Security Compliance Officer” in addition to, and above, the CISO.
The policy also highlights the need for Banks to consider “Data with outsource vendors” as “Data owned by the Bank” and ensure its security. This will require a significant additional oversight on the vendors.
New measurement criteria are to be developed by the Banks to assess their preparedness, and this calls for some effort on their part.
Obviously the “Gap Assessment” will be one of the requirements that banks have to immediately undertake and this will develop the further road map for the Bank. Since “Gap Assessment” is an assessment of the current status, it can be and should be ordered immediately. Hence, the Board of Directors after taking note of this circular should immediately order a Gap assessment and expect the results to be available by the next board meeting. Otherwise they need to record a delay in compliance at that meeting, failing which, their oversight will itself show a shortfall.
Independent directors should take special note of this requirement and should not allow this circular to be brushed under the carpet. (They can expect numerous RTI applications from industry watch dogs which should keep them on their toes).
Overall, the circular has brought a “Quantum Jump” in the Reasonable Security Practice criteria of ITA 2008 which should shake up the industry.
We may add however that in the past RBI has been good in providing advisories to the Banks but has not cared to follow up. Major Banks have used their clout in IBA to delay or defer good practices that RBI has tried to initiate. This circular should not be allowed to be treated in a similar manner.
Now that RBI has also set up an IT Subsidiary in addition to the Cyber Security and Information Technology Examination (CSITE) Cell referred to above, it would be interesting to observe the role segregation between the IT subsidiary and CSITE. Perhaps CSITE should continue to monitor the member Banks while the subsidiary will get busy with the Information Security within the RBI.
Also, the role of IDRBT, which was hitherto taking care of advising Banks on security matters including providing security clearances on applications (a role which might have been ignored in recent years), may get revised, since the CSITE Cell and the IT subsidiary will already be addressing similar concerns.
It would be interesting to watch how the CISOs of Banks start reacting to this circular. I am sure that once the implications of the circular sink in, they will not be able to sleep properly, at least for some time.
Naavi has been critical of RBI management in recent days basically because of its inability to push e-banking security. This circular will address most of these concerns. I only hope that the guidelines will not simply remain on paper and RBI will develop its own plan of action to monitor the implementation over the next few quarters.
Pushing Banks for compliance should not be forced on Netizen activists through RTI applications and should be part of the responsibility of a person in RBI who should be designated as a “Compliance Monitoring Official”.
Hopefully, Mr R.Ravikumar, the CGM who has issued this circular should consider himself the “Chief Cyber Security Compliance Monitoring Officer” and develop a road map/check list for himself to follow up.
I would have appreciated that the circular had also mandated submission of a monthly compliance report signed by the Chairperson and Managing Director to RBI before 5th of every month and to be placed before the Board in subsequent meetings for their post-facto information and approval.
Perhaps this can still be done, and I suggest that RBI add this guidance.
To summarize, great news for Customers of E Banking… difficult time for CISOs and Independent Directors in Banks.