RBI Addresses the Cyber Security Threat

It was indeed a pleasant surprise to come across the latest RBI circular “Cyber Security Framework in Banks” released on June 2, 2016. The cyber security risks facing banks have increased rapidly over the past couple of years.

Matters came to a head with the recent compromise of the SWIFT infrastructure of Bangladesh Bank. To the credit of the Reserve Bank of India, they have acted swiftly (pun unintended) to address the threat. The formation of the RBI subsidiary for Cyber Security headed by Nandakumar Saravade and the release of this comprehensive circular show the seriousness of the threat facing the banking system and the importance RBI has placed on it.

Here are some of the key mandates outlined in the RBI circular:

1. Banks have been mandated to “immediately” (emphasis by RBI) put in place a board-approved Cyber-security Policy. This policy is to be distinct from the broader IT policy / IS Security Policy of the bank. Confidis comment: This approach is a good way of focusing attention on the most pressing issue of cyber security rather than spreading it thin across all the domains of Information Security.

2. Banks are required to perform a risk assessment and identify their risk level based on the technologies used. The assessment covers board oversight, policy, training and culture, availability of experienced and qualified resources, threat intelligence gathering infrastructure, monitoring and analysis of threat intelligence, information sharing with other banks, RBI and CERT-In, vendor management, and incident management and response. Confidis comment: The granularity prescribed for the risk assessment is commendable.

3. RBI has mandated setting up a Security Operation Centre (SOC) if not yet done. Confidis comment: Given that the banking sector is considered part of “Critical National Infrastructure”, this is a welcome move. This is a minor investment for banks considering what is at stake.

4. IT architecture has to be designed keeping security issues in mind. This needs to be reviewed by the IT sub-committee of the Board and upgraded if required. Confidis comment: In fact, the RBI could have gone further to recommend national grade security infrastructure for banks instead of the commercial grade security products that they currently use.

5. A thorough network security review of the bank has been recommended. Further, responsibility for cyber security has to be clearly defined. Confidis comment: This is a basic hygiene requirement given the possibility that hackers may already be on bank networks using Advanced Persistent Threat (APT) techniques.

6. The circular has clearly indicated that measures need to be put in place to maintain security of customer data both at rest and in transit. Confidis comment: Customer data security is another welcome focus area. While not clearly spelt out, this means that banks need to use encryption for both data at rest and data in motion to meet this mandate, in addition to other controls to maintain the confidentiality, integrity and availability of customer data.

7. The RBI has mandated implementing a “Cyber Crisis Management Plan” (CCMP). The RBI has gone so far as to suggest that traditional BCP/DR arrangements may not be adequate and that a separate capability needs to be developed for this using guidelines like those published by CERT-In. Confidis comment: Most cyber security experts have come to the conclusion that it is no longer a matter of if, but rather a matter of when you get hacked. Keeping this in mind, response and recovery capabilities are a must.

8. RBI has also mandated the development of metrics to assess and measure cyber security. Confidis comment: It may be a cliché, but what cannot be measured cannot be managed. Over time, this will lead to a mature cyber security capability if implemented in spirit.

9. Stopping short of mandating it, RBI has encouraged banks to participate in information sharing forums so that collective action can become possible. Confidis comment: While just a recommendation, we believe this is the key in the fight against hackers. If hackers collaborate using all mediums at their disposal, why can’t the good guys?

10. Banks are now required to promptly report cyber incidents to RBI in a given format. Confidis comment: While this is a great recommendation, risk intelligence should not get buried under red tape. It remains to be seen whether RBI will develop the capability to use this intelligence to help other banks avoid becoming victims. The RBI needs to develop capabilities for quick analysis and dissemination of threat intelligence based on these incident reports.

11. Banks are supposed to complete a self-assessment of gaps in preparedness and submit a report to RBI by July 31, 2016. The short deadline shows the urgency of the issue. Confidis comment: While this is a tight deadline, the issue is equally pressing.

12. RBI has also recommended a review of the organizational arrangements so that security issues get due importance. Confidis comment: Despite all the talk, security issues do not get due importance at the board level. Security related information does not get attention and does not quickly come to the notice of senior management. While this recommendation has not been elaborated, banks would do well to review how cyber security is looked upon in the bank so that it does not get ignored.

13. Awareness of cyber security across the organization has also been recommended. Further, RBI has also recommended that banks build awareness among their customers as well. Confidis comment: A very welcome step in an era where customers are unaware of the threats to mobile banking arising from poor security on their mobile devices.

In addition to the above mandates, RBI has also provided a comprehensive checklist of controls that are required for cyber resilience. These range from application development security controls to Data Leakage Prevention to even anti-phishing.

Summary

This circular is indeed a timely and comprehensive mandate for banks to ensure cyber security of the banking sector. However, banks need to implement this circular in spirit rather than in letter. They need to invest in building cyber security capabilities that are robust rather than just aimed at meeting these mandates. Just looking at this circular from a compliance angle and getting auditors to provide third party assurance would not do justice to the spirit of this circular.