The Reserve Bank of India (RBI) on October 19, 2018 issued a set of guidelines for a Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs). The RBI issued the framework as a measure to enhance the security of the UCBs in light of the increasing number and impact of cyber security attacks on the financial sector, including banks. [1]
- Board Approved Cyber Security Policy
  - All UCBs need to immediately put in place a Cyber Security policy, duly approved by their Board/Administrator, giving a framework and the strategy containing a suitable approach to check cyber threats depending on the level of complexity of business and acceptable levels of risk.
  - On completion of the process, confirmation of the same must be sent within 3 months to the Department of Co-operative Bank Supervision.
  - The Cyber Security Policy should inter alia encapsulate the following concerns:
    - Preventing access of unauthorised software.
    - Network Management and Security.
    - Secure Configuration.
    - Anti-virus and Patch Management.
    - Secure mail and messaging systems.
  - The IT framework must be reviewed periodically by the Board or its IT subcommittee in order to identify vulnerable areas and put in place a suitable cyber security system to address the issues after assessment.
- Cyber Crisis Management Plan
  - The Cyber Crisis Management Plan prepared by CERT-In (Computer Emergency Response Team – India) may be referred to by the UCBs for guidance.
  - UCBs, especially those offering services such as internet and mobile banking, RTGS/NEFT/SWIFT, credit and debit cards etc., should promptly detect any cyber intrusions (unauthorised entries) so as to respond to, recover from and contain the impact of cyber-attacks.
- Organizational Arrangements
  - UCBs should review the organisational arrangements so that the security concerns are brought to the notice of suitable/concerned officials to enable quick action.
  - UCBs should actively promote among their customers, vendors, service providers and other concerned parties an understanding of their cyber security objectives.
  - UCBs, as owners of customer sensitive data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with the third party vendors; the confidentiality of such custodial information should not be compromised in any situation.
  - UCBs should put in place suitable systems and processes across the data/information lifecycle. UCBs may educate and create awareness among customers with regard to cyber security risks.
- Supervisory reporting framework
  - UCBs should immediately report all unusual cyber security incidents (whether they were successful or mere attempts) to the Department of Co-operative Bank Supervision, giving full details of the incident.
  - UCBs are advised to implement basic Cyber Security Controls and report the same to the respective Regional Offices of the Department of Co-operative Bank Supervision on or before March 31, 2019.
Source:
[1] http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11397&Mode=0
https://rbidocs.rbi.org.in/rdocs/content/pdfs/63NT19102018_A1.pdf