RBI circular on Cyber security frameworks for banks.
Reserve bank of India has on 02.06.2016 released a notification asking banks to spruce their cyber security frameworks. What stands out in this recent circular which is of important item to note that RBI has asked banks to immediately put in place a cyber-security policy elucidating the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk, duly approved by their Board. This cyber security policy needs to be distinct from the broader IT policy / IS Security Policy of a bank.
So what is required from banks to comply and are they not doing so currently:
- Banks are required to identify their riskiness as low, moderate, high and very high or adopt any other similar categorisation.
- Setup Security operations centre for continuous monitoring
- IT architecture should be designed in such a manner that it takes care of facilitating the security measures to be in place at all times.
- Network database connectivity requirements are reviewed – Responsibility over such networks and databases should be clearly elucidated and should invariably rest with the officials of the bank.
- irrespectiveof whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks.
- Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy.
- CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment.
- adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness
- banks need to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank.
- Reporting framework is now described
- material gaps in controls may be identified early and appropriate remedial action under the active guidance and oversight of the IT Sub Committee of the Board as well as by the Board may be initiated immediately.
- The identified gaps, proposed measures/controls and their expected effectiveness, milestones with timelines for implementing the proposed controls/measures and measurement criteria for assessing their effectiveness including the risk assessment and risk management methodology followed by the bank/proposed by the bank, as per their self-assessment, may be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Central Office not later than July 31, 2016 by the Chief Information Security Office
- Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized.
The complete circular can be accessed from attached link:
IMHO good mature banks understand IT Security framework and they continue to assess the controls and associated risk but Cyber security is completely different ball game as threat is multidimensional and attacker has specific asset in mind which it would like to compromise or make unavailable. To achieve so bad guys would launch multiple attacks and have a clear event flow chart on their white boards. Therefore, unless banks clearly feel paranoid about the threat they would not be able to get it. As its now agreed it’s not a question of whether if a bank would be attacked but when you are attacked how you would defend and come back strongly to get the security services on the information, assets back and running. This mind set and philosophy to Cyber security is different from checklist based IT security management. Really happy and proud that Reserve bank of India has called out this distinction so clearly in their circular.
Hong Kong Monetary authority came with a guidelines in September 2015 on similar lines.