Basic Cybersecurity Framework for Primary UCBs
Use of Information Technology by banks has grown rapidly and is now an important part of the operational strategy of banks. The number, frequency and impact of cyber incidents/attacks have increased manifold in the recent past, more so in the financial sector, including banks. There is an urgent need to put in place a robust cyber security/resilience framework at urban co-operative banks (UCBs) to ensure adequate security of their assets on a continuous basis. It has, therefore, become essential to enhance the security of UCBs against cyber threats by improving their current defences for addressing cyber risks.
In this regard, the Reserve Bank of India has issued basic cyber security guidelines applicable to all UCBs. However, any UCB, depending on its self-risk assessment, the complexity of its information technology (IT)/information security (IS) systems, the nature of the digital products it offers, and other factors, is free to adopt more advanced cyber security norms as decided by its Board. It is observed that the level of technology adoption differs widely across banks in this sector: some banks offer state-of-the-art digital products to their customers, while others maintain their books of account on a standalone computer and use e-mail to communicate with their customers/supervisors/other banks.
Need for a Board approved Cybersecurity Policy
All UCBs should have a cyber security policy, duly approved by their Board/Administrator, setting out a framework and strategy with a suitable approach to countering cyber threats, depending on the level of complexity of the business and the acceptable level of risk. On completion of the policy formulation process by the Board, a confirmation should be sent to the Department of Co-operative Bank Supervision. It is imperative that the cyber security policy deals with the following broad aspects, keeping in view the level of technology adoption and the digital products offered to customers:
Cybersecurity Policy to be distinct from the IT policy/IS Policy
The cyber security policy should be distinct from the IT/IS policy of the UCB so that it highlights the risks arising from cyber threats and the measures to address/reduce those risks. While identifying and assessing the inherent risks, UCBs should keep in view the technologies adopted, delivery channels, digital products being offered, internal and external threats, etc., and rate each of these risks as low, medium, high or very high.
IT Architecture/Framework be security compliant
The IT architecture/framework, which includes the network, servers, databases and applications, end-user systems, and other components, should incorporate security measures at all times, and this should be reviewed periodically by the Board or the IT Sub-committee of the Board. For this purpose, UCBs could carry out the following steps:
- Identify weak/vulnerable areas in IT systems and processes,
- Restrict access to networks, databases and applications to what is explicitly permitted, through well-defined processes and approvals that record the rationale for granting such access,
- Assess the cost of impact in case of breaches/failures in these areas,
- Put in place suitable cyber security systems to address them, and
- Specify and document clearly the responsibility for each of the above steps.
It is recommended that a proper record of the entire process be kept to enable supervisory assessment.
Cyber Crisis Management Plan
Since cyber risk is different from many other risks, the traditional Business Continuity Plan/Disaster Recovery arrangements may not be adequate and hence need to be revisited keeping in view the nature of cyber risk. CERT-In (Computer Emergency Response Team – India), a Government of India organisation, has been taking important initiatives in strengthening cyber security by providing proactive/reactive services and guidelines, threat intelligence and assessments of the preparedness of various agencies in different sectors, including the financial sector. CERT-In has also come out with a National Cyber Crisis Management Plan and a Cyber Security Assessment Framework. UCBs could refer to the guidelines of CERT-In, the National Critical Information Infrastructure Protection Centre (NCIIPC), RBI and the Institute for Development and Research in Banking Technology (IDRBT) as reference material for their guidance.
UCBs should promptly detect any cyber intrusions (unauthorised entries) so as to respond to, recover from and contain the impact of cyber-attacks. Among other things, UCBs, especially those offering services such as internet banking, mobile banking, mobile wallets, Real Time Gross Settlement (RTGS)/National Electronic Funds Transfer (NEFT)/Immediate Payment Service (IMPS), Society for Worldwide Interbank Financial Telecommunication (SWIFT), debit cards, credit cards and others, should take the necessary detective and corrective measures/steps to address various types of cyber threats, such as denial of service (DoS), distributed denial of service (DDoS), ransomware/cryptoware, destructive malware, business e-mail frauds including spam, e-mail phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password-related frauds, and others.
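The paragraph above asks for detective measures against, among other things, password-related frauds and DoS/DDoS, without saying what such detection looks like. The block below is an added example, not part of the RBI circular or any UCB's own tooling: it runs a sliding-window threshold over constructed authentication and web-access log lines, flags a source address that exceeds a failed-login or request-rate threshold, and raises the severity when a successful login follows a flagged guessing burst (the typical sign that an account has actually been compromised rather than merely attacked). The log format, field names, IP addresses and thresholds are assumptions chosen for illustration; a real deployment would read the bank's own application or firewall logs and tune the thresholds to observed traffic.

```python
"""Added example (not from the circular): sliding-window detection of
password guessing and request floods over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, not real bank traffic. Assumed format:
#   "<ISO timestamp> <source IP> <event> <key=value> ..."
AUTH_LOG = [
    "2024-03-01T09:00:01 203.0.113.7 LOGIN_FAIL user=ravi",
    "2024-03-01T09:00:03 203.0.113.7 LOGIN_FAIL user=ravi",
    "2024-03-01T09:00:05 203.0.113.7 LOGIN_FAIL user=ravi",
    "2024-03-01T09:00:07 203.0.113.7 LOGIN_FAIL user=ravi",
    "2024-03-01T09:00:09 203.0.113.7 LOGIN_FAIL user=ravi",
    "2024-03-01T09:00:11 203.0.113.7 LOGIN_OK user=ravi",    # success after a burst of failures
    "2024-03-01T09:01:00 198.51.100.2 LOGIN_FAIL user=meena",  # a single mistyped password
    "2024-03-01T09:20:00 198.51.100.2 LOGIN_OK user=meena",
]

# Constructed request flood: one client sends 200 requests within 10 seconds
# (20 per second) while a normal client sends two.
WEB_LOG = [
    f"2024-03-01T09:05:{i // 20:02d} 192.0.2.9 HTTP_REQ path=/login" for i in range(200)
] + [
    "2024-03-01T09:05:03 198.51.100.2 HTTP_REQ path=/",
    "2024-03-01T09:05:08 198.51.100.2 HTTP_REQ path=/balance",
]


def parse(lines):
    """Parse log lines into (timestamp, ip, event, fields) tuples sorted by time."""
    events = []
    for line in lines:
        ts, ip, event, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        events.append((datetime.fromisoformat(ts), ip, event, fields))
    events.sort(key=lambda e: e[0])
    return events


def sliding_window_alerts(events, event_name, threshold, window):
    """Return {ip: ISO timestamp} for each source IP whose count of `event_name`
    within any window of length `window` first reaches `threshold`."""
    recent = defaultdict(deque)  # per-IP timestamps inside the current window
    alerts = {}
    for ts, ip, event, _ in events:
        if event != event_name:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts.isoformat()
    return alerts


def detect_password_guessing(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with `threshold` or more LOGIN_FAIL events within `window`."""
    return sliding_window_alerts(parse(lines), "LOGIN_FAIL", threshold, window)


def detect_request_flood(lines, threshold=100, window=timedelta(seconds=10)):
    """Flag IPs with `threshold` or more HTTP_REQ events within `window` (DoS-style burst)."""
    return sliding_window_alerts(parse(lines), "HTTP_REQ", threshold, window)


def successful_login_after_guessing(lines, threshold=5, window=timedelta(minutes=5)):
    """Higher-severity finding: a LOGIN_OK from an IP after it was flagged for
    guessing. Returns a sorted list of (ip, user) pairs to escalate."""
    events = parse(lines)
    flagged = {ip: datetime.fromisoformat(t)
               for ip, t in sliding_window_alerts(events, "LOGIN_FAIL", threshold, window).items()}
    hits = set()
    for ts, ip, event, fields in events:
        if event == "LOGIN_OK" and ip in flagged and ts > flagged[ip]:
            hits.add((ip, fields.get("user", "?")))
    return sorted(hits)


if __name__ == "__main__":
    print("password guessing:", detect_password_guessing(AUTH_LOG))
    print("request flood:   ", detect_request_flood(WEB_LOG))
    print("escalate:        ", successful_login_after_guessing(AUTH_LOG))
```

The two detectors share one sliding-window routine; only the event name, threshold and window differ, which is how a small bank can cover several of the listed threat types with one piece of logic. The single failure from 198.51.100.2 and its two ordinary requests never cross a threshold, while 203.0.113.7 is flagged on its fifth failure and then escalated when the following login succeeds. The escalation is the corrective hook: the response to a flagged-then-successful login (lock the account, force a password reset, notify the customer) is what the circular's "corrective measures" would attach to.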
UCBs should review the organisational arrangements so that the security concerns are brought to the notice of suitable/concerned officials to enable quick action.
Managing cyber risk requires the commitment of the entire organisation to create a cyber-safe environment. This will require a high level of awareness/familiarisation among staff at all levels, including the Board and Top Management. UCBs should actively promote among their customers, vendors, service providers and other concerned parties an understanding of their cyber security objectives. Security awareness among customers, employees, vendors and service providers about the potential impact of cyber-attacks contributes to the cyber security preparedness of UCBs.
Ensuring protection of customer information
UCBs, as custodians of sensitive customer data, should take appropriate steps to preserve its confidentiality, integrity and availability, irrespective of whether the data is stored or in transit within the bank or with third-party vendors; the confidentiality of such custodial information should not be compromised in any situation. To achieve this, UCBs need to put in place suitable systems and processes across the data/information lifecycle. As regards customers, UCBs may educate them and create awareness of cyber security risks.
Supervisory reporting framework
UCBs should report immediately all unusual cyber security incidents (whether successful or mere attempts) to the Department of Co-operative Bank Supervision, giving full details of the incident. A 'NIL' report should be submitted every quarter in case no cyber security incidents have occurred.