Cyber security in banks has gained paramount importance as banks have opened up their IT platforms to customers in the name of digitization, competition from peers, customer experience and reduction of transaction cost. Massive amounts of confidential data reside in banks' data centres and also flow through banks' servers and various networks and devices. To protect the IT systems and the confidential data of the bank as well as its customers, and to ensure continuity of business, a Cyber Security Policy and a Cyber Security Framework are required for every bank. The Government's encouragement since demonetization in November 2016 has brought an unprecedented spurt in new digital banking customers, and digital payments have registered record growth. Many mobile applications were developed by banks, and most of the new digital users were new to digital banking. This called for a greater focus on revamping cyber security in banks and financial institutions.
As cyber-attacks are carried out continuously on various organizations, banks have become the favourite destination for such attacks. The volume and sophistication of cyber-attacks is ever increasing and evolving. The innovation, sophistication and organization of cyber criminals is producing ominous results for banks. This has led to cyber security rising to the top of the agenda for banks' top management.
The G. Gopalakrishna Committee examined various issues arising out of the use of Information Technology in banks and made its recommendations in nine broad areas: Information Security, Cyber Fraud, IT Governance, IS Audit, IT Operations, IT Services Outsourcing, Business Continuity Planning, Customer Awareness programmes and Legal aspects.
However, the gain in momentum of the use of technology by banks on the one hand, and the tremendous increase in cyber incidents and attacks in the recent past on the other, have pushed banks and regulators towards a robust Cyber Security framework for banks and FIs.
Our presence on the internet increases our efficiency but also makes us vulnerable to cyber threats. Cyberspace is a complex environment which consists of interactions between people, software and services, supported by the worldwide distribution of Information and Communication Technology (ICT) devices and networks. Cyberspace is vulnerable to a wide variety of incidents, whether intentional or accidental, man-made or natural, and the data exchanged in cyberspace can be exploited for nefarious purposes. Cyber-attacks that target the infrastructure of the bank can effectively reduce available resources and undermine the confidence of stakeholders in the bank's supporting structures.
As per RBI, all banks are to put in place a robust cyber security policy elucidating a strategy with an appropriate approach to combat cyber threats, given the level of complexity of their business and acceptable levels of risk; this policy shall be duly approved by their Board.
Further, RBI has also advised that the Cyber Security Policy is to be distinct from the broader IT policy / IS Security Policy of a bank. A few broad measures advised by RBI for banks are:
- Banks to have a Board approved Cyber-Security Policy which is distinct from the broader IT policy / IS Security Policy of a bank.
- Banks to assess cyber risks in real time through a SOC (Security Operations Centre) and make arrangements for continuous surveillance to monitor and manage cyber threats.
- A minimum baseline cyber security and resilience framework is prescribed for implementation by banks.
- A Cyber Crisis Management Plan (CCMP) should be immediately evolved which should be a part of the overall Board approved strategy.
- Banks should share information on cyber-security incidents with RBI.
- Banks to build cyber security awareness among stakeholders, Top Management and the Board.
The Cyber Security Policy is applicable to all cyber-facing information and IT assets (networks, computers, mobile devices, peripherals, databases, data centres, applications, etc.).
The cyber-threat landscape has evolved from individual hackers to highly organized groups and advanced cyber criminal syndicates. Cyber attacks nowadays are more targeted and sophisticated than ever before. New, powerful malware is capable of stealing confidential data and disabling network infrastructure.
Why Cyber Security frameworks for the Banks?
- To protect information and information infrastructure in internet/cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology, and cooperation.
- To safeguard the cyber-facing information infrastructure of the bank from various types of cyber threats including, but not limited to, Denial of Service (DoS), Distributed Denial of Service (DDoS), ransomware / cryptoware, destructive malware, and business email frauds including spam, phishing, etc.
- To respond, resolve and recover from cyber incidents and attacks through timely information sharing, collaboration and action.
- To establish a framework to enable a safe and vibrant cyber space.
- To foster a culture of cyber security that promotes safe and appropriate use of cyber space.
- To develop and cultivate cyber security capabilities.
- To create awareness among the stakeholders, including employees.
Information Security and Cyber Security Policy
Information Security covers the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction. Its main aim is to provide Confidentiality, Integrity, and Availability (CIA) of information systems and the information within them.
Cyber Security is a subset of Information Security. The Cyber Security Policy should be distinct from the broader IT policy / IS Security Policy of a bank. The bank uses protective measures such as encryption, firewalls and other technology and security procedures to protect the accuracy and security of sensitive personal information and to prevent unauthorised access or improper use.
Cyber security Policy
The policy specifies which aspects of Information Security are of paramount importance to the organisation, and thus a Cyber Security Policy can be treated as a basic set of mandatory rules that must be observed. The policy should be observed throughout the organisation and should be in accordance with the security requirements and the organisation's business objectives and goals.
The cyber security policy should be practical and relevant for the organisation. The following should be considered for the cyber security policy:
- The sensitivity and value of the IT assets that need to be protected
- The legal requirements, regulations and laws of the Government in our jurisdiction
- Bank’s goals and business objectives.
- The practicalities in implementation, distribution and enforcement
- International best practices in the industry to the extent applicable/feasible
- Cyber Security Framework of RBI
A Cyber Security Policy must address procedures and behaviours that can be changed. It is also important to recognize that there are exceptions to every security rule. Thus the policy should be as flexible as possible so that it remains viable over a longer period.
If a proper security policy is in place, then all staff will be able to clearly understand what is permitted and what is not in the organisation relating to the protection of information assets and resources. This helps in raising the level of security consciousness among all staff. In addition to this, a security policy provides a baseline from which detailed guidelines and procedures can be established. It may also help in supporting any decision to prosecute in the event of serious security violations.
RBI instruction regarding Cyber Security policy
Cyber-aware board and establishment of strong governance
Banks need to create programmes and interventions to sensitise the board and management about the evolving threat landscape and the current and future state of their cyber security posture. This will help in setting the right tone at the top and will make cyber security as important as investing in business-enabling technologies.
RBI also calls for banks to strengthen enterprise-wide cyber security governance. It articulates aspects that need the approval of the IT sub-committee of the board.
Further, there is a clear emphasis on the establishment of metrics to measure and monitor outcomes of cybersecurity initiatives.
24×7 operations centre with advanced real-time capabilities
Banks need effective cyber security monitoring and detection capabilities that focus on building resilient systems which can traverse a large volume of system events and deduce intelligence from them. A resilient banking ecosystem is characterised by banks' ability to detect threats in advance, prevent cyber incidents, and learn from threat intelligence to prevent similar incidents.
Banks need to refocus some of their security operations priorities and augment their current Security Operations Centre (SOC) to make it more robust by focussing on cyber threats on a real-time basis.
RBI's instruction lays emphasis on protecting customer data and protecting customers against financial crimes. Banks are required to put in place a strong control mechanism to protect customer data across its life cycle, regardless of whether the data is at rest or in motion, within the banking environment or within a vendor's environment. As banks rapidly adopt digital products, they are also required to take stronger measures in areas such as authentication and risk-based transaction monitoring to prevent fraud.
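To make the risk-based transaction monitoring mentioned above concrete, here is an added illustrative example (not RBI's guidance, nor any bank's production logic). It scores each transaction against the customer's known profile (devices, beneficiaries, typical amount, home country) and recent activity, then maps the score to allow, step-up authentication, or hold for review. The signal names, weights, thresholds, customer profile and sample transactions are all constructed assumptions for the illustration; a bank would tune them against its own fraud data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CustomerProfile:
    """What the bank already knows about a customer (constructed for this example)."""
    customer_id: str
    known_devices: set
    known_beneficiaries: set
    avg_amount: float      # typical transaction amount over a recent period
    home_country: str


@dataclass
class Transaction:
    tx_id: str
    customer_id: str
    amount: float
    device_id: str
    beneficiary: str
    country: str
    at: datetime


# Hypothetical signal weights and thresholds; not from any regulator or bank.
WEIGHTS = {
    "new_device": 30,        # device never seen for this customer
    "new_beneficiary": 25,   # payee not in the customer's history
    "large_amount": 25,      # amount far above the customer's norm
    "velocity": 20,          # burst of transactions in a short window
    "foreign_country": 15,   # transaction originates outside home country
}
AMOUNT_MULTIPLIER = 3.0
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_COUNT = 3           # this many (or more) within the window trips the signal
STEP_UP_THRESHOLD = 30
HOLD_THRESHOLD = 60


def score_transaction(tx, profile, history):
    """Return (score, reasons) for one transaction given the profile and earlier transactions."""
    reasons = []
    if tx.device_id not in profile.known_devices:
        reasons.append("new_device")
    if tx.beneficiary not in profile.known_beneficiaries:
        reasons.append("new_beneficiary")
    if tx.amount > AMOUNT_MULTIPLIER * profile.avg_amount:
        reasons.append("large_amount")
    # Count this customer's earlier transactions inside the velocity window.
    in_window = [t for t in history
                 if t.customer_id == tx.customer_id
                 and tx.at - VELOCITY_WINDOW <= t.at < tx.at]
    if len(in_window) + 1 >= VELOCITY_COUNT:
        reasons.append("velocity")
    if tx.country != profile.home_country:
        reasons.append("foreign_country")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a risk score to an action; one weak signal alone is allowed through."""
    if score >= HOLD_THRESHOLD:
        return "hold_for_review"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_auth"
    return "allow"


def monitor(transactions, profiles):
    """Score transactions in time order; returns {tx_id: (action, score, reasons)}."""
    results, history = {}, []
    for tx in sorted(transactions, key=lambda t: t.at):
        score, reasons = score_transaction(tx, profiles[tx.customer_id], history)
        results[tx.tx_id] = (decide(score), score, reasons)
        history.append(tx)
    return results


# Constructed sample data: one customer, four transactions on one day.
T0 = datetime(2024, 1, 15, 10, 0, 0)
PROFILES = {"C1": CustomerProfile("C1", {"dev-A"}, {"BEN-1", "BEN-2"}, 5000.0, "IN")}
SAMPLE = [
    Transaction("t1", "C1", 2000.0, "dev-A", "BEN-1", "IN", T0),                         # routine
    Transaction("t2", "C1", 2500.0, "dev-A", "BEN-9", "IN", T0 + timedelta(minutes=1)),  # new payee only
    Transaction("t3", "C1", 20000.0, "dev-Z", "BEN-9", "IN", T0 + timedelta(minutes=2)), # new device, big, burst
    Transaction("t4", "C1", 3000.0, "dev-A", "BEN-9", "GB", T0 + timedelta(hours=5)),    # new payee + abroad
]

if __name__ == "__main__":
    for tx_id, (action, score, reasons) in monitor(SAMPLE, PROFILES).items():
        print(f"{tx_id}: {action:16} score={score:3} reasons={reasons}")
```

The profile is deliberately static here, so a beneficiary first seen in t2 is still "new" in t4; in practice the profile would be updated once a step-up challenge succeeds, which is what turns the monitoring into a feedback loop rather than a fixed rule set.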
Banks have also been asked to establish strong cyber awareness programmes focussed on customer awareness to reduce the incidence of attacks like phishing.
Building cyber Resilience
As attack vectors are increasingly becoming sophisticated, the cost of launching an attack is going down, the scale and velocity of cyber attacks are increasing, and there is greater recognition of the possibility of incidents.
Accordingly, banks need not only to strengthen cyber defence but also to build strong resilience. The RBI circular calls for the establishment of a Cyber Crisis Management Plan to address the full life cycle of detection, response, containment and recovery.
The banking sector faces growing cyber risks to its customer data, digital platforms and operational integrity. In light of this, banks need to increase their investment in the people, processes and technologies involved in their cyber security operations. By leveraging threat intelligence, security orchestration, automation and response (SOAR), and cyber fusion, banks can drastically strengthen the cyber resilience of their infrastructure, services and operations going forward.