The recent developments in RBI with the issue of “Cyber Security Guidelines” on June 2, 2016 and formation of an IT Subsidiary which apart from overseeing the internal IT operations will guide the regulated Banks also has created a renewed thrust on Information Security across the Banking organizations in India.
When we discuss such issues, we often focus on the top Public Sector and Private Sector Banks and forget that Indian Banking system has hundreds of Cooperative Banks of various categories licensed to accept deposits from public and are important for the financial welfare of the citizens. Some of these Cooperative Banks are big enough to be considered as significant players particularly in a restricted area of operation. Some of them have adopted technologies of Internet Banking, ATMs and credit cards. They need to adopt security practices that are on par with the larger Banks since the risks they face are similar. However, these Banks have lesser access to required skilled manpower to advise them on Information Security and also lesser resources to deploy for security beyond the investments already committed to IT infrastructure and operational training.
As a long term observer of the Banking industry, I can foresee this sector becoming a “Security Hole” in the Indian Banking industry unless the managements wake up and initiate quick action to set things right. RBI and State regulators also need to initiate action that is required to ensure that these Banks have the necessary information security implementation that is recommended vide various RBI circulars.
As of a recent date, 172 Banks in India operate NEFT and this list includes many cooperative Banks and Grameena Banks. 154 Banks have been permitted Mobile Banking which again includes man Banks outside the well known public sector and private sector Banks. 44 Banks are permitted to issue Prepaid Cards. Soon many of them will also issue credit cards either co-branded or otherwise. In addition, RBI licenses payment Banks and wants to issue Banking licenses on tap.
All these liberalized approach to Banking regulation and adoption of new technology has diluted the security of Banking from the customer’s perspective.
While RBI has refused to force Cyber Insurance responsibility on Banks, it has from time to time issued guidelines and notifications that mandate information security practices in these Banks. It is a moot point however whether these small and micro banks have the capability to implement the guidelines and whether RBI is monitoring the implementation.
In this context we can view the impact of the circular of November 2, 2015, in which All licensed StCBs, DCCBs and UCBs which have implemented CBS and migrated to IPv6 and complying with the regulations mentioned in the circular may offer Internet Banking (View only) facility to their customers without prior approval of RBI.
Further, those who satisfy other criteria listed in the circular on Networth, NPA etc will be permitted transactional facility “With Prior Approval” of RBI.
Some of the key criteria included in the annexure to these circulars are interesting to note and are summarised here. (Detailed circular is available here)
- Bank should formulate and Internet Banking and Information Security policy and obtain approval of the Board and such policy should ensure confidentiality and security addressing legal, regulatory and supervisory issues mentioned in the circular.
- Banks should put in sound internal controls and provide adequate disclosure on risk, responsibilities and liabilities to the customers before offering the facility.
- There should be clear segregation of duties between IT and IS divisions and there should be a separate designated IS officer and IS auditor as well as a Network and Database administrator.
- Banks should ensure that there should be no direct connection between the Internet and the Bank’s system.
- All computer access including messages should be logged.
- Suspected security violations should be recorded and follow up action taken.
- Periodic penetration tests should be conducted.
- Should have proper back up and business continuity plan.
- Should follow the guidelines provided in the April 29, 2011 circular on Internet Banking (GGWG Guidelines)
The Circular has also highlighted the following legal issues:
- Banks may provide Internet Banking facility to a customer only at his/her option based on specific written or authenticated electronic requisition along with a positive acknowledgement.
- Considering the prevailing legal position, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about the integrity and reputation of the customer opting for internet banking. Therefore, even though request for opening an account may be accepted over Internet, accounts should be opened only after verification of the identity of the customer and adherence to KYC guidelines.
- From a legal perspective, security procedure adopted by banks for authenticating a user needs to be recognized by law as a substitute for signature. The provisions of the Information Technology Act, 2000, and other legal requirements need to be scrupulously adhered to while offering internet banking.
- Under the present regime, there is an obligation on banks to maintain secrecy and confidentiality of customers’ accounts/information. In the Internet banking scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking / technological failures. The banks should, therefore, have in place adequate risk control measures to manage such risks.
The guidelines also highlight the security features to be adopted. In particular, speaking on the authentication, the circular says
“There is a legal risk in not using the asymmetric cryptosystem and hash function for authenticating electronic transactions.
For carrying out critical transactions like fund transfers, the banks, at the least,
need to implement robust and dynamic two-factor authentication through user id/password combination and second factor like
(a) a digital signature (through a token containing digital certificate and associated private key, preferably for corporate customers) or
(b) One Time Password (OTP) / dynamic access code through various modes (like SMS over mobile phones or hardware token).”
Though the OTP is provided as an alternative, it is important for Banks to remember the “Legal Risk” that RBI has warned the Banks of. In the GGWG circular, special mention had been made on the S.Umashankar Vs ICICI Bank case and hence Banks should be wary of introducing any systems which is not ITA 2008 compliant.
All said and done, one cannot deny that RBI is providing information security guidelines from time to time and the ball is transferred to the Court of the Banks to implement them or face the “Legal Risk”.
While larger Banks have the access to necessary expertise in the form of well qualified and informed CISOs, the smaller Banks will not find it easy to access either professionals or technology for managing their information security at affordable costs.
However, since these Banks cannot ignore security, they need to find a solution to this challenge of “Information security at affordable cost” and if they ignore this responsibility, they will be facing undue business risks that may pose a grave survival risk. Many times genuine business problems leading to financial failure in these institutions will be unfairly interpreted as a “Fraud” and “Scam” and adversely publicized by the news hungry media leading to arrest and humiliation of the Directors even when they are honest.
I therefore request all the Directors of small Banks including Co Operative Banks to immediately bestow their attention on reviewing their “Compliance Status” and build a “Compliance Shield” to protect them from adverse developments.
Naavi is trying to work out a suitable strategic solution to such small Banks to harden their security posture at a reasonable cost.