As online attacks on the information systems of financial institutions are on the rise, the Reserve Bank of India (RBI) has asked all commercial banks to frame a cyber security policy in order to counter threats.
In a notification to all the commercial banks of the nation, the Reserve Bank of India said,
Banks should immediately put in place a cyber-security policy elucidating the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk.
The notification also made it very clear that all banks are required to send a confirmation to RBI about setting up such a policy by the end of September 2016.
It says that the policies must discuss strategy, acceptable levels of risk and an appropriate approach to combat cyber security threats. It also said the new cyber security policy should be separate from the broader information technology policy already in place.
The Reserve Bank of India has also asked banks to ensure that unauthorized access to networks and databases is not allowed and that access, wherever permitted, is done through well-defined processes which are invariably followed.
As per RBI, the policy should focus on aspects like setting up security operation centers for continuous surveillance and management of cyber threats and protection of customer information.
RBI has also asked all scheduled commercial banks to categorize and specify potential risks as “low, moderate, high and very high”. Also, if a bank experiences any “unusual cyber-security incidents”, it must report all such incidents to RBI at once.
As explained in the notification, this new policy is required as the number, frequency and impact of cyber incidents/attacks have increased manifold in the recent past, especially in the case of the financial sector, including banks.
Thus, as per RBI, there is an urgent need to put in place a robust cyber security/resilience framework at banks and to ensure adequate cyber-security preparedness among banks on a continuous basis.
The Reserve Bank of India also added,
While identifying and assessing the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online/mobile products, technology services, organizational culture and internal and external threats.
Along with the board-approved security strategy, banks will also have to create a cyber crisis management plan and are expected to be well prepared to face emerging cyber threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.