Separate Cyber Security Policy from Enterprise IS Policy: RBI to Banks

The regulator urges banks to launch security operation centers that will monitor threats in real time as well as assess risks

Banks should immediately put in place a cyber-security policy approved by their respective boards, Indian banking regulator Reserve Bank of India has said in a circular sent to all CMDs/CEOs of scheduled commercial banks. RBI has mandated that the cyber security policy should be distinct from enterprise IT and Information Security policies.

 

The urgency in RBI’s circular dated 2nd June 2016 is visible from its tone and specifications. The regulator has asked the banks to report the steps they have taken to its Cyber Security and Information Technology Examination (CSITE) Cell by September 30, 2016 at the latest.

 

Among other specific requirements mandated by RBI in the circular are the following:

  • Setting up an SOC (Security Operation Centre) by each bank which should monitor threats in real time, as well as assess risks from time to time
  • The IT architecture should be conducive to carrying out security measures
  • A minimum baseline cyber security and resilience framework to be implemented by the banks. The framework has been released by RBI as an annexure.
  • A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. CCMP should address detection, response, recovery and containment.
  • The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness.

 

In an important policy measure, RBI has asked banks to share incidents faced by them. Noting that collaboration among entities in sharing cyber-incidents and best practices would facilitate timely measures in containing cyber-risks, RBI has asked banks to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the RBI.

 

RBI has, of late, become more proactive in matters of cyber security. The importance it attaches to cyber security can be gauged from the fact that it has appointed a cyber security expert—former Data Security Council of India chief Nandkumar Sarvade—as the CEO of its IT arm. It may be noted that the brief for the new IT arm, as mentioned by RBI in its circular, is four-fold: cyber security, research and innovation, IT system audit, and IT project and advisory services. It is looking for four senior VP/SVPs to head the four verticals.

 

“It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This will require a high level of awareness among staff at all levels. Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarization may be organized,” the circular notes.

   
