Last month, RBI levied a monetary penalty of Rs 6 crore on Yes Bank for failing to report a cyber-security breach of its ATM network
The Reserve Bank of India (RBI) is asking for active Board involvement and quarterly updates from banks and financial institutions to keep cyber security threats in check.
"Banks are now required to place before the Board cyber security arrangements and the status of such arrangements on a quarterly basis. The intention is that the Board level focus will ensure sustained compliance," said Meena Hemchandra, Executive Director, RBI, at a cyber-security summit organised by the CII.
With increasing digitisation, cyber-crimes have taken centre stage, and the growing threat of data and information leakage at the digital level increases the need for higher-quality technology to protect businesses and consumers from fraud.
Last month, the RBI levied a monetary penalty of Rs 6 crore on Yes Bank for failing to report a cyber-security breach of its ATM network, and for breaching its rules regarding Income Recognition Asset Classification (IRAC).
Hemchandra said cyber security is emerging as a leading risk for the financial industry in particular. Banks as well as supervisors are taking various measures to address cyber risk.
According to her, banks at present receive threat information from various sources. The RBI has also started issuing its own advisories through the CISO (Chief Information Security Officer) forum.
The central bank set up an IT subsidiary, ReBIT, in 2016 and, in February 2017, announced the setting up of an inter-disciplinary Standing Committee on Cyber Security.
On June 2, 2016, the RBI issued a circular on a cyber security framework which mandated banks to comply with the baseline level of preparedness indicated therein.
In July this year, Minister of State for Electronics and IT, PP Chaudhary, told the Rajya Sabha that India witnessed more than 27,000 cyber security threat incidents in the first half of 2017 (till June). The figure for the full year 2016 was 50,362.
Addressing a gathering of cyber security officers and tech experts from the industry, Hemchandra listed 10 key checks that financial entities should keep in place to strengthen cyber security and create a safe environment.
Key 10 checks to prevent cyber frauds
The ten checks include board-level involvement "as there is no time to lose"; quarterly updates placed before the Board by the IT department; an appropriate organisational arrangement; a CISO who is a suitably qualified senior-level functionary, with an independent line of reporting to the IT head, who in turn reports to the Board; etc.
The other important checks include patch management, since delay in, or unavailability of, a patch at the right time can itself be a threat; addressing crisis management with a calibrated approach rather than a knee-jerk reaction, so that the trail of data is not lost; and demanding higher standards from vendors and third-party outsourcers.
The financial company must also have its own quality assurance schemes, doing away with obsolete hardware and software and adopting the latest technology; provide skill-level training, periodic refresher courses, etc.; have a high-frequency oversight framework so that security arrangements are sustained; and, lastly, enhance consumer awareness.