RBI's Cyber Security Framework in Banks

3 Points to remember from RBI’s Cyber Security Framework in Banks

Cyber Security is an important issue nowadays. Every sector is taking it seriously and so is Reserve Bank of India(RBI). RBI sent an important circular – Cyber Security Framework in Banks – to CEOs of Indian banks. This circular mentions that the bank has to put a strong cybersecurity framework and keep a regular check on cybersecurity. This has happened before. Similar circular was sent out in 2011, but as the usage of online operations is increases vastly in last couple of years, now is the essential period to focus on cybersecurity. Palo Alto Networks seeks to share best practices, use cases and expert advice to guide executives on managing cybersecurity risks. As banks are top target for cyber criminals, keeping their systems free from such cyber attacks is top priority of Indian banks. For this, RBI’s Cyber Security Framework in Banks has 3 important points as follows:

  • An indicative set of baseline cyber security and resilience requirements.
  • Information on setting up and operationalising a cyber security operation centre (C-SOC).
  • A template for reporting cyber incidents to the RBI.

Within the range of instructions and recommendations in the guidance, three things rise to the top as notable.

First, the guidance instructs banks to involve their boards of directors and other senior management in cybersecurity. Boards must approve their banks’ cybersecurity policies and strategies and, more generally, they need to be brought up to speed on potential cybersecurity impacts, including their banks’ preparedness, and the need to manage cyber risks. At the same time, the guidance notes that managing cyber risk requires awareness and commitment among staff at all levels. We agree wholeheartedly. Executives can no longer delegate the whole cybersecurity agenda to the IT division. Because the value of a bank’s brand can be directly affected by security incidents, security needs to become an integral part of the company strategy at the highest possible level, actionable at every branch and corporate site and supported by greater employee awareness. Through Palo Alto’s recent book, Navigating the Digital Age, and online community, SecurityRoundtable.org,

Second, the guidance directs Indian banks to take a risk management approach to cybersecurity.  RBI notes that the size, IT systems, technological complexity, stakeholders, and other factors vary from bank to bank, and thus banks must identify their own inherent risks and needed controls to adopt an appropriate cybersecurity approach. We agree. No “one size” cybersecurity solution will fit all banks. However, there are some best practices that will improve overall cybersecurity hygiene.

Third, the guidance emphasises prevention. For example, the guidance says that banks should not allow unauthorised access to networks and databases, should take necessary preventive and corrective measures, and should endeavor to stay ahead of the adversary. We agree. Given that banks everywhere are constantly under siege from cyber attackers, a prevention-minded philosophy to cybersecurity is needed. Detection and remediation are too little and far too late to properly protect the financial assets and information of banks’ clients. This is where the SOCs called for by RBI will be extremely helpful. Per the guidance, a bank’s SOC should “keep itself regularly updated on the latest nature of emerging cyber threats” and be “well-prepared to face emerging cyber threats such as zero-day attacks”. However, SOCs are just part of the solution. Including cybersecurity in the overall network or enterprise architecture will also contribute to a preventive posture. Palo Alto Networks is focused on preventing successful cyberattacks and can be part of such a layered defense approach.

These requirements are helpful. Having an advanced real-time defence and management system will definitely help. Banks must evolve from time to time to ensure safety of client data and financial assets. Since the boom of online transactions, there is a lot of pressure on financial services industry. Information must be secured from cyber criminals, and that is why RBI’s Cyber Security Framework in Banks is necessary.

To Top