The Reserve Bank of India (RBI) released a comprehensive cyber security framework for primary (urban) cooperative banks (UCBs). The RBI new guidelines are aimed at ensuring the safety of customer data and transactions, and protecting UCBs from cyberattacks.
The framework is expected to help UCBs to take proactive steps to protect their networks and systems, and to respond effectively in the event of a cyber security incident.
The framework lays out guidelines based on a graded approach. The UCBs have been put into four levels based on how digitally deep their operations are and how well they connect to the payment systems landscape.
|Level I||All UCBs|
|Level II||All UCBs, which are sub-members of Centralised Payment Systems (CPS) and satisfying at least one of the criteria given below:offers internet banking facility to its customers (either view or transaction based)provides Mobile Banking facility through application (Smart phone usage)is a direct Member of CTS/IMPS/UPI.|
|Level III||UCBs having at least one of the criteria given below:Direct members of CPShaving their own ATM Switchhaving SWIFT interface|
|Level IV||UCBs which are members/ sub-members of CPS and satisfy at least one of the criteria given below:having their own ATM Switch and having SWIFT interface, hosting data centre or providing software support to other banks on their own or through their wholly owned subsidiaries|
The framework includes four levels of cyber security requirements for UCBs, with each level building on the previous one. Level I includes basic cyber security controls, such as implementing bank-specific email domains with anti-phishing and anti-malware controls, and conducting security reviews of PCs and terminals used for accessing corporate internet banking applications. Level II includes additional controls, such as subscribing to Anti-Phishing and Anti-Rogue services, and conducting periodic vulnerability assessments and penetration testing. Level III includes more advanced controls, such as setting up a Cyber Security Operations Centre (C-SOC) for continuous surveillance, and implementing a centralised authentication and authorisation system. Level IV includes participation in cyber drills, incident response and management, and forensic and metrics analysis.
The framework also includes guidelines for UCBs to manage vendor and outsourcing risks, such as conducting effective due diligence and oversight of third-party vendors and service providers, and requiring agreements that provide for the right to audit by the UCB.
We compiled some important highlights of the framework below:
Anti-Phishing & Anti-Rogue Services
RBI new guidelines have advised banks to subscribe to external service providers for anti-phishing / anti-rogue app services. It allows them to recognise and remove phishing websites and applications that are used for malicious purposes against the banks, such as financial fraud, reputational damages etc.
The best way to defend against phishing threats is through mitigation of external and internal phishing threats, and using solutions like an Anti-Phishing Detection and Mitigation Solution which can help keep your organization safe from new threats and attacks.
Security Testing & Cyber Risk Assessments
Cyber risk assessment is an essential part of a comprehensive cyber security strategy for banks. It involves finding and evaluating possible weaknesses and threats to a bank’s digital assets and infrastructure, as well as figuring out how a cyber attack might affect the bank’s business and reputation.
By doing a thorough cyber risk assessment, banks can decide how to prioritize their cyber security efforts, put in place effective controls to reduce the risks they’ve identified, and make sure they’re ready to handle a cyber incident in the best way possible. This helps to protect the bank’s assets and reputation, as well as the sensitive personal and financial information of their customers.
Furthermore, with the growing dependence on technology in banking sector and the rising frequency of cyber attacks, regulatory bodies like RBI have mandated the banks to conduct regular cyber risk assessment to ensure their preparedness against cyber threats.
Warnings or timelines do not accompany cyberattacks. Banks should maintain continuous surveillance and keep up to date on the latest nature of emerging cyber threats.
RBI new guidelines recommends that banks develop ongoing monitoring to keep abreast of emerging cyber threats.
In banks, having a track record of the activities is important to secure big data and avoid any type of data leaks. SIEM solutions assist security professionals in gaining insight into and tracking records of their environment.
Protect Customer Information
Bank is the controller of personal and confidential details that it receives from a customer. RBI guidelines on data protection advises that banks should develop and implement comprehensive measures to ensure that the confidentiality, credibility, and quality of this data are not jeopardized and that any leaks or losses are avoided.
Cyber Security Awareness
Banks employees, management, and customers are their first line of defense. RBI new guidelines say that banks should educate staff, vendors, and customers about information security to prevent human errors. Banks should conduct information security awareness and training sessions for all key bank stakeholders, including the board of directors, top management, third-party vendors, clients, and employees.
Phishing simulation and awareness training platforms introduce security awareness in your environment in a more effective way. The best way to combat phishing threats is to combine practical experience with a security awareness knowledge base.
With the RBI new guidelines for cyber security, banks will move forward with much more security and customer trust. As customers migrate to internet banking and attackers become more sophisticated, banks will need to up their game in 2023 to ensure the online safety of their customers and organization.
You can read more about the RBI information security guidelines for banks in circular titled Comprehensive Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs).