Depending on the level of inherent risks, the banks are required to identify their riskiness as low, moderate, high and very high or adopt any other similar categorisation.
The Reserve Bank of India (RBI) has asked banks to “immediately put in place a cyber-security policy elucidating the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk”.
In order to address the need for the entire bank to contribute to a cyber-safe environment, the cyber security policy should be distinct and separate from the broader IT policy or IS security policy so that it can highlight the risks from cyber threats and the measures to address and mitigate these risks, the RBI said in a notification to banks.
According to the RBI, the size, systems, technological complexity, digital products, stakeholders and threat perception vary from bank to bank and hence it is important to identify the inherent risks and the controls in place to adopt appropriate cyber-security framework. “While identifying and assessing the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online or mobile products, technology services, organisational culture and internal and external threats,” it said.
Depending on the level of inherent risks, the banks are required to identify their riskiness as low, moderate, high and very high or adopt any other similar categorisation. “Riskiness of the business component also may be factored into while assessing the inherent risks. While evaluating the controls, board oversight, policies, processes, cyber risk management architecture including experienced and qualified resources, training and culture, threat intelligence gathering arrangements, monitoring and analysing the threat intelligence received vis-à-vis the situation obtaining in banks, information sharing arrangements (among peer banks), preventive, detective and corrective cyber security controls, vendor management and incident management and response are to be outlined,” the RBI said.
As the nature of cyber-attacks are such that they can occur at any time and in a manner that may not have been anticipated, the RBI said a SOC (Security Operations Centre) should be set up at the earliest, if not yet been done. “It is also essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats,” it said.
According to the RBI, recent incidents have highlighted the need to thoroughly review network security in every bank. In addition, the RBI has observed that many times connections to networks/databases are allowed for a specified period of time to facilitate some business or operational requirement. However, the same do not get closed due to oversight making the network/database vulnerable to cyber-attacks. “It is essential that unauthorised access to networks and databases is not allowed and wherever permitted, these are through well-defined processes which are invariably followed. Responsibility over such networks and databases should be clearly elucidated and should invariably rest with the officials of the bank,” it said.
The RBI said a Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall board approved strategy. “Considering the fact that cyber-risk is different from many other risks, the traditional BCP/DR arrangements may not be adequate and hence needs to be revisited keeping in view the nuances of the cyber-risk,” it said.
“Concurrently, there is an urgent need to bring the board of directors and the top management in banks up to speed on cyber-security related aspects, where necessary, and hence banks are advised to take immediate steps in this direction,” the RBI said.
