RBI Issues New Cybersecurity Guidance
Notification Calls for Distinct, Board-Approved Cyber Policies
The Reserve Bank of India has issued new cybersecurity guidelines to scheduled banks (private, foreign and nationalised banks listed in the schedule of RBI Act, 1934), directing them to devise cybersecurity policies distinct from their institutions' existing IT or IS security policies.
In its June 2 notification, the regulator says banks must proactively create or modify their policies, procedures and technologies based on new developments and emerging concerns.
This move comes in the wake of the growing frequency and impact of cyberattacks on the financial sector, underlining the urgent need for a robust cybersecurity/resiliency framework.
R. Ravikumar, chief general manager, RBI, who released the cybersecurity framework guidelines to all scheduled commercial Indian banks, said the use of information technology and its constituents has grown rapidly and is now an integral part of banks' operational strategies; hence the need for a board-approved cybersecurity policy.
"In view of the low barriers to entry, evolving nature, growing scale/velocity, motivation and resourcefulness of cyber-threats to the banking system, it is essential to enhance the resilience of the banking system by improving the current defences in addressing cyber risks," Ravikumar writes. "These would include, but not limited to, putting in place an adaptive incident response, management and recovery framework to deal with adverse incidents/disruptions, if and when they occur."
12 Key Elements
Within this new notification, RBI calls upon banks to immediately put in place a cybersecurity policy duly approved by their board, containing an appropriate approach to combat cyber threats. Among the 12 elements to be included in these policies:
- Cybersecurity policy to be distinct from the broader IT policy/IS security policy of a bank;
- Arrangement for continuous surveillance;
- Ensuring protection of customer information;
- Sharing of information on cyber-security incidents with RBI;
- An immediate assessment of gaps in preparedness to be reported to RBI.
Banks also are called upon to increase cybersecurity awareness among all stakeholders, including customers, partners and senior management.
"It is well recognised that stakeholders' awareness about the potential impact of cyber-attacks helps in cyber-security preparedness of banks," Ravikumar writes. "Banks are required to take suitable steps in building this awareness."
A Boardroom Issue
RBI insists CISOs must provide confirmation of the board's approval of these new plans to the Cyber Security and Information Technology Examination Cell of Department of Banking Supervision at RBI's headquarters in Mumbai.
In response to this notification, some security practitioners - requesting anonymity - say that getting the board to take cognizance of a cybersecurity policy while it is being drafted is a big challenge. Board members usually aren't inclined to get into the nitty-gritty of security.
One practitioner says this is a nice thought - involving the board and senior management - but their awareness level is questionable.
However, RBI argues that top management and the board should also have a fair degree of awareness of the finer nuances of threats, and appropriate familiarisation may be organised. RBI has thrust an important task on security heads: building awareness among stakeholders about the impact of cyberattacks.
Cybersecurity vs. IS Policy
The circular comes a week after RBI's Deputy Governor, S. S. Mundra, said at an event that RBI would get strict with cybersecurity flaws at banks, and was considering limiting a customer's liability in case of cyber fraud.
Further, the policy should distinguish cybersecurity policy from the broader IT policy or information security policy of a bank, so as to highlight the risks from cyber threats along with the measures to address them.
The key focus should be:
- The size, systems, technological complexity, digital products, stakeholders and threat perception vary among banks; hence it's important to identify the inherent risks and controls in place to adopt an appropriate cyber-security framework.
- While identifying and assessing inherent risks, banks must consider technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organisational culture and internal and external threats.
- They must map risks as low, moderate, high and very high or adopt any other similar categorisation. Riskiness of the business component also may be factored in while assessing inherent risks.
- While evaluating the controls, board oversight, policies, processes, cyber risk management architecture including experienced and qualified resources, training and culture, threat intelligence gathering arrangements, monitoring and analysing the threat intelligence received vis-à-vis the situation obtaining in banks, information sharing arrangements (among peer banks, with IDRBT/RBI/CERT-In), preventive, detective and corrective cybersecurity controls, vendor management, incident management and response are to be outlined.
Speaking to Information Security Media Group recently, Dr. A. S. Ramasastri, director, IDRBT, said the current efforts may be insufficient, and so the CISO office in banks must be empowered to find new ways to handle new threats.
"One way is to take a risk-based approach by understanding and mapping organization risks and work out a cyber defence strategy to mitigate these," he maintains.
Cyber Crisis Management Plan
A key RBI recommendation is that banks must evolve a cyber crisis management plan, considering that cyber risk is different from other risks, as the traditional BCP/DR arrangements may be inadequate.
RBI has urged banks to follow CERT-In's guidelines and leverage its threat intelligence services to assess preparedness.
Banks are asked to follow four aspects - detection, response, recovery and containment - as part of the cyber crisis management plan and promptly detect cyber-intrusions to respond/recover and contain the fallout.
RBI says lenders should be aware of how to fight regular threats and take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to: distributed denial-of-service attacks, ransomware/cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc. (see: Are Indian Banks Prepared for DDoS?).
According to Ravikumar, the adequacy of and adherence to the cyber resilience framework should be assessed through development of indicators. These should be used for comprehensive testing through independent compliance checks and audits by qualified and competent professionals. Awareness among stakeholders, including employees, may also form part of it.
RBI has urged all banks to report cyber incidents of any type (IT outage, cybersecurity breach, theft or loss of information, infrastructure outage, financial incidents, etc.) to RBI within two to six hours. It has also shared a template for reporting incidents.
Critics hope RBI will soon mandate the breach disclosure norm for all banks, which will help combat future incidents.
RBI has also set up its new IT subsidiary, appointing a new CEO to help banks strengthen their cybersecurity initiatives (see: Nandkumar Saravade is CEO of RBI's New IT Arm).
Ravikumar's statement says: "Banking CISOs need to place these guidelines before their respective board of directors to enable them to take cognizance of cybersecurity needs and understand risks associated with them."