The Reserve Bank of India (RBI) on Tuesday said all RBI-regulated entities entering into a contract with third-party automated teller machine (ATM) switch application service providers (ASPs) need to comply with cybersecurity controls prescribed by the central bank. They also have to give access to the RBI for on-site or off-site supervision.
The RBI-regulated entities have to amend their contracts at the earliest or at the time of renewal, in any case not later than March 31, 2020.
In the fifth bi-monthly monetary policy statement of the RBI in December, the central bank had said that a number of commercial banks, urban co-operative banks (UCBs), and other regulated entities are dependent upon third-party ASPs for shared services for ATM switch applications.
Since these service providers also have exposure to the payment system landscape and are, therefore, exposed to the associated cyber threats, the RBI decided that certain baseline cybersecurity controls shall be mandated by the regulated entities in their contractual agreements with these service providers.
The guidelines would require implementation of several measures to strengthen the process of deployment and changes in application software in the ecosystem, continuous surveillance, implementation of controls on storage, processing and transmission of sensitive data, building capacity for forensic examination, and making the incident response mechanism more robust.
Meanwhile, the RBI has also recommended a comprehensive cybersecurity framework for UCBs, based on their digital depth and interconnectedness with the payment system landscape, digital products offered by them, and assessment of cybersecurity risk.
Among the requirements, the RBI has said UCBs have to put in place two-factor authentication for accessing their core banking system (CBS) and applications connecting to the CBS, with the second factor being dynamic in nature.