On June 2, 2016, the Reserve Bank of India published its circular on cyber security requirements for banks operating in India, a much-awaited initiative from RBI, as most of its western counterparts have had similar regulations in place for a while. This is a major overhaul compared to the guidelines provided in the summer of 2011. It comes in light of the fact that India has been both the source and the target of multiple cyber crimes over the past decade, including both criminal and nation-state attacks against its financial industry aimed at disrupting and/or destabilizing the financial system. It should be noted that CERT-In has been a key player in providing resources and education, with the key objective of enabling the country to defend against large-scale cyber attacks.
In its circular, RBI notes that it is essential for banks to enhance their cyber security safeguards and improve their resilience to cyber attacks. RBI has noted the importance of top executive management's role in ensuring the success of cyber security programs and their acceptance across the organization. It stressed the importance of the Board and its executives staying up to date on the state of cyber security using relevant metrics. If this is not already part of your Board's agenda, then it absolutely should be. We are actively moving into an era where cyber security is seen as an organizational risk, and it should be given the same visibility at the Board level as financial risk or operational risk.
Top management and the Board should educate themselves on cyber risk, and proactively promote cyber resilience among their customers, third parties and relevant stakeholders.
RBI has laid out a number of requirements for banks in its circular. The major components of the requirements are listed below. We will take a deeper dive into each of them further in this series.
1) Banks should have a comprehensive Cyber Security Policy.
2) The bank's Board should approve the Cyber Security Policy.
3) Banks should set up a Security Operations Center (SOC).
4) Banks should have a Continuous Security Monitoring program in place (RBI calls it Continuous Surveillance).
5) Banks should have a Security Architecture in place that aligns with their IT Architecture.
6) Banks should implement adequate security measures to protect networks and data (Due Diligence).
7) Banks are mandated to protect customer information, irrespective of where the data is stored or whether it is in transit. This includes data held at the bank itself, at third parties, or at the customer.
8) Banks should revisit their Business Continuity Plan/Disaster Recovery Plan in the context of cyber risk.
9) Banks should have an Incident Response Plan (a Cyber Crisis Management Plan, in RBI language).
10) Banks should share cyber security incidents with RBI using the prescribed format provided.
11) Banks should perform periodic gap assessments to review their cyber security preparedness.
In the second part of this series, we will go into more detail on each individual action and on best practices in these areas. Our goal is to help banks understand these requirements and help implement them.
Kiran Vangaveti is the Founder of BluSapphire Technologies, which provides Managed Security Asset Management, Continuous Security Monitoring, Risk Assessments and Compliance assistance to Small & Medium Enterprises in the Financial and Health Care industries. He is the thought leader behind BluSapphire Intelligent Cyber Defense, a security tool providing unrivaled visibility into Advanced Persistent Threats (APT) and malicious activity on clients' infrastructure, operating across the entire Cyber Defense stack and utilizing Advanced Behavioral Analytics and Multi-layered Anomaly Detection.