Reserve Bank Of India – Cyber Security Framework Requirements – Regulatory Requirements

Considering the increase in #Cyber Attacks and #Heists, in mid-2016 RBI again published a notification (RBI/2015-16/418, DBS.CO/CSITE/BC.11/33.01.001/2015-16) addressed to the Chairman/Managing Director/Chief Executive Officer of all Scheduled Commercial #Banks (excluding Regional Rural Banks) on #Cyber #Security requirements in banks.

Due to the increased number of #Cyber #Attacks and a casual approach towards cyber security requirements, different regulators are now coming up with mandates and frameworks to be adopted by the #BFSI sector and #NBFCs, since NBFCs also fall under RBI regulation as per their respective categories.

First I will give some details on NBFCs and then discuss the Cyber Security Framework Requirements issued by RBI.

What is a Non-Banking Financial Company (NBFC)?

A Non-Banking Financial Company (NBFC) is a company registered under the Companies Act, 1956 engaged in the business of loans and advances, acquisition of shares/stocks/bonds/debentures/securities issued by Government or local authority or other marketable securities of a like nature, leasing, hire-purchase, insurance business, chit business but does not include any institution whose principal business is that of agriculture activity, industrial activity, purchase or sale of any goods (other than securities) or providing any services and sale/purchase/construction of immovable property. A non-banking institution which is a company and has principal business of receiving deposits under any scheme or arrangement in one lump sum or in installments by way of contributions or in any other manner, is also a non-banking financial company (Residuary non-banking company).

Now one more question will arise in your mind: since NBFCs perform functions similar to banks, what is the difference between banks and NBFCs?

NBFCs lend and make investments and hence their activities are akin to those of banks; however, there are a few differences, as given below:

  1. NBFCs cannot accept demand deposits
  2. NBFCs do not form part of the payment and settlement system and cannot issue cheques drawn on themselves
  3. The deposit insurance facility of the Deposit Insurance and Credit Guarantee Corporation is not available to depositors of NBFCs, unlike in the case of banks

Difference between Cyber Security & Information Security

Information Security focuses on protecting the CIA (Confidentiality, Integrity and Availability) of information, whereas Cyber Security is the ability to protect or defend the use of cyberspace from cyber attacks. Cyberspace is the interconnected network of information systems and infrastructures such as the Internet, telecommunications networks, computer systems, embedded processors and controllers, and many other devices connected to the Internet or to a network.

Traditional information security has limited coverage of risks emanating from cyberspace such as cyber warfare, negative social impacts of interaction between people (trolling, defamatory viral messages, etc.), software and services on the Internet, and threats from the Internet of Things (IoT). These and other threats are not classic information security issues and thus need to be covered under a separate Cyber Security Framework. The emerging technologies and tools within cyberspace are rapidly increasing organizations' exposure to new vulnerabilities, thereby increasing the risk to the organization. Given the benefits of cyberspace, it is imperative that organizations manage this risk effectively through a robust Cyber Security Framework.

The RBI guidance consists of an overall introductory framework plus three annexes, which are the crux of the whole requirement:

  1. An indicative set of baseline cyber security and resilience requirements
  2. Information on setting up and operationalizing a cyber security operation center (C-SOC)
  3. A template for reporting cyber incidents to the RBI 

Use of Information Technology by banks and their constituents has grown rapidly and is now an integral part of the operational strategies of banks. The Reserve Bank had provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (G. Gopalakrishna Committee) vide Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, wherein it was indicated that the measures suggested for implementation cannot be static and banks need to proactively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns.

Since then, the use of technology by banks has gained further momentum. On the other hand, the number, frequency and impact of cyber incidents/attacks have increased manifold in the recent past, more so in the case of the financial sector including banks, underlining the urgent need to put in place a robust cyber security/resilience framework at banks and to ensure adequate cyber security preparedness among banks on a continuous basis. In view of the low barriers to entry, evolving nature, growing scale/velocity, motivation and resourcefulness of cyber threats to the banking system, it is essential to enhance the resilience of the banking system by improving the current defences in addressing cyber risks. These would include, but are not limited to, putting in place an adaptive Incident Response, Management and Recovery framework to deal with adverse incidents/disruptions, if and when they occur.

Need for a Board approved Cyber-security Policy - Banks should immediately put in place a cyber security policy revealing the strategy, containing an appropriate approach to combat cyber threats given the level of complexity of the business and acceptable levels of risk, duly approved by their Board. A confirmation in this regard may be communicated to the Cyber Security and Information Technology Examination (CSITE) Cell of the Department of Banking Supervision, Reserve Bank of India, Central Office, World Trade Centre-I, 4th Floor, Cuffe Parade, Mumbai 400005 at the earliest, and in any case not later than September 30, 2016. It may be ensured that the strategy deals with the following broad aspects:

Cyber Security Policy to be distinct from the broader IT policy / IS Security Policy of a bank - In order to address the need for the entire bank to contribute to a cyber-safe environment, the Cyber Security Policy should be distinct and separate from the broader IT policy / IS Security policy so that it can highlight the risks from cyber threats and the measures to address/mitigate these risks. The size, systems, technological complexity, digital products, stakeholders and threat perception vary from bank to bank, and hence it is important to identify the inherent risks and the controls in place in order to adopt an appropriate cyber security framework. While identifying and assessing the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online/mobile products, technology services, organizational culture and internal and external threats. Depending on the level of inherent risk, banks are required to rate their riskiness as low, moderate, high or very high, or adopt any other similar categorization. The riskiness of the business component may also be factored in while assessing the inherent risks. While evaluating the controls, the following are to be outlined: Board oversight; policies and processes; cyber risk management architecture, including experienced and qualified resources; training and culture; threat intelligence gathering arrangements; monitoring and analysing the threat intelligence received vis-à-vis the situation obtaining in the bank; information sharing arrangements (among peer banks, with IDRBT/RBI/CERT-In); preventive, detective and corrective cyber security controls; vendor management; and incident management and response.

Arrangement for continuous surveillance - Testing for vulnerabilities at reasonable intervals of time is very important. The nature of cyber attacks is such that they can occur at any time and in a manner that may not have been anticipated. Hence, it is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not yet done. It is also essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.

IT architecture should be conducive to security - The IT architecture should be designed in such a manner that it facilitates the security measures being in place at all times. The same needs to be reviewed by the IT Sub Committee of the Board and upgraded, if required, as per their risk assessment in a phased manner. The risk cost/potential cost trade-off decisions which a bank may take should be recorded in writing to enable an appropriate supervisory assessment subsequently. An indicative, but not exhaustive, minimum baseline cyber security and resilience framework to be implemented by banks is given in Annex 1 (http://rbidocs.rbi.org.in/rdocs/content/pdfs/CSFB020616_AN1.pdf). Banks should proactively initiate the process of setting up and operationalizing a Security Operations Centre (SOC) to monitor and manage cyber risks in real time. An indicative configuration of the SOC is given in Annex 2 (http://rbidocs.rbi.org.in/rdocs/content/pdfs/CSFB020616_AN2.pdf).

Comprehensively address network and database security - Recent incidents have highlighted the need to thoroughly review network security in every bank. In addition, it has been observed that many times connections to networks/databases are allowed for a specified period of time to facilitate some business or operational requirement. However, these connections do not get closed, due to oversight, making the network/database vulnerable to cyber attacks. It is essential that unauthorized access to networks and databases is not allowed and, wherever access is permitted, it is through well-defined processes which are invariably followed. Responsibility for such networks and databases should be clearly elucidated and should invariably rest with officials of the bank.

Ensuring Protection of customer information - Banks depend on technology very heavily, not only for their smooth functioning but also for providing cutting-edge digital products to their customers, and in the process collect various personal and sensitive information. Banks, as owners of such data, should take appropriate steps to preserve the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored or in transit within the bank, with customers or with third-party vendors; the confidentiality of such custodial information should not be compromised in any situation, and to this end suitable systems and processes across the data/information lifecycle need to be put in place by banks.

Cyber Crisis Management Plan - A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. Considering the fact that cyber risk is different from many other risks, the traditional BCP/DR arrangements may not be adequate and hence need to be revisited keeping in view the nuances of cyber risk. As you may be aware, in India, CERT-In (Computer Emergency Response Team – India, a Government entity) has been taking important initiatives in strengthening cyber security by providing proactive and reactive services as well as guidelines, threat intelligence and assessment of the preparedness of various agencies across sectors, including the financial sector. CERT-In has also come out with a National Cyber Crisis Management Plan and a Cyber Security Assessment Framework. CERT-In/NCIIPC/RBI/IDRBT guidance may be referred to while formulating the CCMP. The CCMP should address the following four aspects:

  1. Detection
  2. Response
  3. Recovery
  4. Containment

Banks need to take effective measures to prevent cyber attacks and to promptly detect any cyber intrusions so as to respond to, recover from and contain the fallout. Banks are expected to be well prepared to face emerging cyber threats such as 'zero-day' attacks, remote access threats and targeted attacks. Among other things, banks should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of service (DDoS), ransomware/cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

Cyber security preparedness indicators - The adequacy of and adherence to the cyber resilience framework should be assessed and measured through the development of indicators to assess the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness among stakeholders, including employees, may also form a part of this assessment.

Sharing of information on cyber-security incidents with RBI - It is observed that banks are hesitant to share cyber incidents faced by them. However, the experience gained globally indicates that collaboration among entities in sharing cyber incidents and best practices would facilitate timely measures in containing cyber risks. It is reiterated that banks need to report all unusual cyber security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank. Banks are also encouraged to actively participate in the activities of the CISOs' Forum coordinated by IDRBT and to promptly report incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Such collaborative efforts will help banks in obtaining collective threat intelligence and timely alerts and in adopting proactive cyber security measures.

Supervisory Reporting Framework - It has been decided to collect both summary level information as well as details on information security incidents, including cyber incidents. Banks are required to report incidents promptly, in the format given in Annex 3 (http://rbidocs.rbi.org.in/rdocs/content/pdfs/CSFB020616_AN3.pdf).

An immediate assessment of gaps in preparedness to be reported to RBI - Material gaps in controls should be identified early, and appropriate remedial action under the active guidance and oversight of the IT Sub Committee of the Board as well as the Board itself should be initiated immediately. The identified gaps, proposed measures/controls and their expected effectiveness, milestones with timelines for implementing the proposed controls/measures, and measurement criteria for assessing their effectiveness, including the risk assessment and risk management methodology followed or proposed by the bank as per its self-assessment, are to be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of the Department of Banking Supervision, Central Office, not later than July 31, 2016 by the #Chief Information Security Officer (#CISO).

Organizational arrangements - Banks should review their organizational arrangements so that security concerns are appreciated, receive adequate attention and get escalated to appropriate levels in the hierarchy to enable quick action.

Cyber-security awareness among stakeholders / Top Management / Board - It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This will require a high level of awareness among staff at all levels. Top Management and the Board should also have a fair degree of awareness of the finer nuances of the threats, and appropriate familiarization may be organized. Banks should proactively promote, among their customers, vendors, service providers and other relevant stakeholders, an understanding of the bank's cyber resilience objectives, and require and ensure appropriate action to support their synchronized implementation and testing. It is well recognized that stakeholders' (including customers, employees, partners and vendors) awareness about the potential impact of cyber attacks helps the cyber security preparedness of banks. Banks are required to take suitable steps in building this awareness. Concurrently, there is an urgent need to bring the Board of Directors and Top Management of banks up to speed on cyber security related aspects, where necessary, and hence banks are advised to take immediate steps in this direction.

#CISO/#CIO should present these requirements during Board Meetings and gain Board concurrence for setting up a Cyber Security Framework within their Organization.
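The requirement above that temporary network/database connections be closed on time and that responsibility for them rest with a bank official is one a bank can check mechanically against its own access register. The following is an added example, not code from the RBI circular or this post; it assumes a hypothetical register of access grants (constructed sample records below) and an assumed `@bank.example` domain for bank officials.

```python
"""
Audit of time-bound network/database access grants.

Added example. It assumes a bank keeps a register of temporary connections it
has opened (constructed sample records below); the checks enforce that each
open grant has an expiry that has not passed, a bounded lifetime, and a named
bank official accountable for it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class AccessGrant:
    grant_id: str                   # hypothetical register identifier
    target: str                     # network segment or database opened up
    requester: str                  # who asked for the connection
    bank_owner: Optional[str]       # bank official accountable for the grant
    opened_at: datetime
    expires_at: Optional[datetime]  # None means the grant was opened open-ended
    closed: bool


@dataclass
class Finding:
    grant_id: str
    severity: str
    reason: str


def audit_grants(grants: List[AccessGrant], now: datetime,
                 max_lifetime: timedelta = timedelta(days=30)) -> List[Finding]:
    """Return one finding per control failure; an empty list means all clear."""
    findings: List[Finding] = []
    for g in grants:
        if g.closed:
            continue  # a closed grant no longer exposes the network/database
        if g.expires_at is None:
            findings.append(Finding(g.grant_id, "HIGH",
                                    "open-ended grant: no expiry recorded"))
        elif g.expires_at <= now:
            overdue = now - g.expires_at
            findings.append(Finding(g.grant_id, "HIGH",
                                    f"expired {overdue.days} day(s) ago but still open"))
        elif g.expires_at - g.opened_at > max_lifetime:
            findings.append(Finding(g.grant_id, "MEDIUM",
                                    "lifetime exceeds the permitted maximum"))
        # Responsibility must rest with an official of the bank, not a vendor.
        if not g.bank_owner or not g.bank_owner.endswith("@bank.example"):
            findings.append(Finding(g.grant_id, "HIGH",
                                    "no accountable bank official recorded"))
    return findings


# Constructed sample register (not real data); NOW is the audit date.
NOW = datetime(2016, 9, 30, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    AccessGrant("TG-001", "core-db-replica", "vendor-a", "dba.lead@bank.example",
                datetime(2016, 9, 1, tzinfo=timezone.utc),
                datetime(2016, 9, 8, tzinfo=timezone.utc), closed=True),
    AccessGrant("TG-002", "core-db-replica", "vendor-a", "dba.lead@bank.example",
                datetime(2016, 9, 1, tzinfo=timezone.utc),
                datetime(2016, 9, 8, tzinfo=timezone.utc), closed=False),
    AccessGrant("TG-003", "payments-segment", "vendor-b", "support@vendor-b.example",
                datetime(2016, 9, 20, tzinfo=timezone.utc), None, closed=False),
    AccessGrant("TG-004", "branch-vpn", "project-x", "netops@bank.example",
                datetime(2016, 9, 25, tzinfo=timezone.utc),
                datetime(2016, 12, 1, tzinfo=timezone.utc), closed=False),
]


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, NOW):
        print(f"{f.severity:6} {f.grant_id}: {f.reason}")
```

Run against the sample register, the closed grant is skipped, the lapsed grant and the open-ended vendor-owned grant are flagged HIGH, and the long-lived VPN grant is flagged MEDIUM.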

IRDA is also in the process of drafting a Cyber Security Framework for #Insurance companies and is expected to publish the final version of its Cyber Security Requirement Framework in mid-2017 (the year of the next level of cyber attacks and frauds).

Recent comment in this post
MESA (Middle East Security Awards)
@Bharat Gautham, thank you for such an informative and detailed post. It's very helpful.
Monday, 02 January 2017 15:17

Cybersecurity Challenges In The Digital World

"Towards a Resilient and Robust Cyber Security"

The growing number of security breaches and the recent wave of cyber attacks on government as well as industry sectors such as banking, retail, healthcare and utilities have once again emphasized the need to collaborate and work together as an industry to deal with unknown and unseen attacks. Most organizations are unprepared to detect, respond to or recover from a sophisticated attack.

The new age of technology innovation and disruption is beyond anyone's imagination. The impact of technology in today's world has changed the way businesses, individuals and governments interact with each other, and moreover it has had a big impact on the way of life. The adoption of technology by individuals as well as organizations will create a world economy worth trillions of dollars, forcing organizations to take up digital transformation as a key initiative to keep up with the competition and stay profitable.

Digital transformation requires an adequate understanding of the risks that come with these initiatives, which most fail to see, either due to ignorance or lack of understanding. While most organizations are still struggling to deal with yesterday's technology-related security problems, they are unaware of the new set of problems at their doors that come with current digital initiatives.

It is important to understand the critical impact of cyber attacks and breaches at both the social and the business level as digitalization increases. These attacks can become a concern for online business and the digital economy as customers lose trust and confidence in these business models and service offerings.

"Many leaders in business, civil society and government realize that for the world's economy to fully derive the value inherent in technological innovation, a robust, coordinated system of global cyber resilience is essential to effectively mitigate the risk of cyberattacks." - Risk and Responsibility in a Hyperconnected World, World Economic Forum and McKinsey

The conventional security controls in use are outdated and are useless against sophisticated, advanced malware and zero-day exploits that take advantage of vulnerabilities inside the enterprise to move laterally among computers on the network and capture the credentials of people and privileged users within the enterprise. Some of the recent attacks have shown the sophisticated capability of adversaries who have managed to penetrate even some of the most well-protected networks by gaining a deeper understanding of the core internal systems and processes, with a lot of dedicated effort, and by collaborating with other adversaries to exchange information and exploits, working as an organized crime industry.

How do we address this issue of digitalization risks?

Security technologies are always the first line of defense. However, the people and processes behind them play a vital role. The lack of skill sets and the scarcity of security professionals globally is creating a more serious challenge for the industry as businesses rush to embrace the digitalization era; the adoption of IoT and other intelligent devices exposes organizations and individuals to new risks where the impact and consequences are unimaginable.

One of the key activities to succeed in fighting against adversaries is to have sufficient information and intelligence to recognize an attack and respond to it on a timely basis.

Another naïve, but sadly common, method of advancing cybersecurity science is uninformed and untested guessing. We guess what users want tools to do. We guess about what to buy and how to deploy cybersecurity solutions. Guessing is uninformed and ineffective, and while it may appear to advance security, it often fails miserably. New techniques are emerging, such as Moving Target Defense, which holds that controlling change across multiple system dimensions increases uncertainty and complexity for attackers.

I strongly believe that increased collaboration in the cyber security industry could improve cyber security and resilience while addressing various policy issues. This collaboration could also be extended to business, academia and public leaders to progress further towards cyber resiliency.


Human Centric - Enterprise Security Culture

The profound change in technology and its rapid adoption by global enterprises and individuals has challenged human behavior, demanding a serious change in order to deal with the emerging risks and safety issues associated with it. As awareness is key to any change, it requires people to learn and understand the risks and the impacts that result from their behavior.

In the wake of the recent increase in cyber attacks and data thefts, one does not need to be an expert to understand the seriousness and impact of these attacks, as they are already causing serious damage and never fail to become media headlines.

Geert Hofstede, a well-known social psychologist, describes organizational culture as "software of the mind" that allows individuals to align their thoughts, beliefs and actions in order to solve specific problems.

While most organizations are investing millions in security technologies as their defense, they are neglecting the human aspect of security, which has proven to be the weakest link. This makes it possible for adversaries to take advantage by targeting people through social engineering, phishing and other means. Some of the recent attacks have shown us the serious impact of a small mistake such as a wrong click by a user, or someone introducing external storage devices such as USB memory sticks (the Stuxnet attack) into enterprise or industrial networks. These risks are not limited to organizations, as many individuals are also falling victim to cyber attacks. Some of the recent attacks involving phishing scams and ransomware have caused serious financial damage to organizations and individuals. Business email compromise, in which attackers impersonate CEOs and CFOs, has been a very effective phishing attack resulting in financial damage, and successful attacks of this kind involving CEOs have caused more than US$ 2.3 billion in damages.

"Human behavior is complex and inconsistent, making it a rich hunting ground for would-be hackers and a significant risk to the security of your organization." - Kai Roer, Build a Security Culture

All too often, security awareness is a one-time or once-a-year effort that fails to engage employees. Educating people to be more security and risk aware is challenging; attaining that as a competence is a process, not something that can be delivered by a single lecture or presentation. A human-centric security culture requires a change in how people think, what they believe and, finally, how they act on it. It may also vary depending on their past experience and background.

Organizations of all types and sizes have to invest and engage in employee security awareness to be successful and to deal with modern-day attacks and risks. Focus on SMART goals and the right metrics to plan, implement and measure security effectiveness. Security awareness should incorporate videos, online training, board briefings and other means to engage users, depending on the audience. Awareness programs can be very effective if they are customized and tailored to highlight the specific risks evident in users' business environment and keep users aware of the implications of security failures for the business and for individuals.

Finally, a few important points for better security awareness are:

  • Identification of business specific and technology risks
  • Security Awareness Program
  • Establish Goals and Metrics
  • Identify effective awareness delivery medium
  • Delivery in multiple languages (Multilingual)
  • Understand Cultural sensitivities
  • Make awareness ongoing
  • Monitor the effectiveness