In its cyber security framework for banks, the central bank said the number, frequency and impact of cyberattacks “have increased manifold in the recent past” at banks and other financial institutions, “underlining the urgent need to put in place a robust cyber security/resilience framework at banks and to ensure adequate cyber-security preparedness among banks on a continuous basis.”
The circular comes a week after RBI Deputy Governor S S Mundra said at an event that the central bank would get strict with cyber security flaws at banks and was considering limiting a customer’s liability in case of cyber fraud.
The framework, posted on RBI’s website, warned that banks must improve the current defences in addressing cyber risks as entry barriers are getting lowered, while motivation and resourcefulness of cyber threats continue to rise.
Hence, banks should immediately put in place an adaptive incident response, management and recovery framework to deal with adverse incidents, if and when they occur.
RBI said the cyber strategy of banks should be distinct from the broader IT and security policy of the lender and testing for vulnerabilities should be carried out at regular intervals as cyberattacks can occur at any time and in a manner that may not have been anticipated.
“Recent incidents have highlighted the need to thoroughly review network security in every bank,” the framework said.
In no case should customers’ personal information be divulged, even when the data resides with a third party the bank has employed.
“Banks, as owners of such data, should take appropriate steps in preserving the confidentiality, integrity and availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation,” the central bank warned.
Banks are expected to be well-prepared to face emerging cyber threats such as “zero-day” attacks, remote access threats, and targeted attacks.
The lenders should also be well aware of how to fight regular threats such as denial of service, distributed denial of service (DDoS), ransomware/crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.
Banks must also share the data with the central bank and promptly report any cyber crime they face, it said.