Two months after Pune-based Cosmos Bank fell victim to a malware attack in which hackers siphoned off over Rs 94 crore, the RBI has come out with new norms to scale up the cyber-security and resilience framework at urban cooperative banks (UCBs). "All UCBs should immediately put in place a Cyber Security policy, duly approved by their Board/Administrator, giving a framework and the strategy containing a suitable approach to check cyber threats depending on the level of complexity of business and acceptable levels of risk," the apex bank said in a circular issued on Friday.
The circular, titled "Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs)", further noted that it has "become essential to enhance the security" of such banks from cyber threats "by improving the current defences". Given that the country boasted over 1,500 UCBs with deposits aggregating Rs 4.43 lakh crore as on March 31, 2017, and the role they play in pushing financial inclusion, this is a much-needed move on the part of the apex bank.
"It is observed that the level of technology adoption is different across the banks in this sector - some banks offering state of the art digital products to its customers and some banks maintaining their books of account in a standalone computer and using e-mail for communicating with its customers/supervisors/other banks. Hence, it has been decided to issue basic cyber security guidelines applicable to all UCBs," it added.
In early August, addressing an event organised by Gujarat Urban Co-operative Banks Federation, RBI Deputy Governor NS Vishwanathan had claimed to be "worried" about the smaller UCBs. "The argument that adoption and implementation of IT increases the cost of operations is not acceptable because IT-enabled operations are a necessity to be relevant in the market place and at the same time, one needs to do what it takes to ensure safety of depositors," he had explained, adding, "It is a matter of concern that there are still 171 UCBs which have yet to fully-implement CBS (core banking solutions) and have also not availed the assistance being provided by Reserve Bank in this regard".
So with its newly laid-out cyber-security framework, the apex bank is finally cracking the whip. The 13-point framework broadly covers all the essentials, be it maintaining an up-to-date "IT Asset Inventory Register" and implementing appropriate controls to secure UCBs' infrastructure and networks or "Vendor/Outsourcing Risk Management". Moreover, the RBI has made it clear that the "Cyber Security Policy should be distinct from the IT/IS policy of the UCB".
Among other things, UCBs, especially those offering services such as internet banking, mobile banking, mobile wallet, online fund transfers, SWIFT, and debit and credit cards, will now have to take the necessary detective and corrective measures to address various types of cyber threats.
The threats listed by the RBI include identity frauds, denial of service, ransomware/cryptoware, destructive malware, business email frauds including spam, phishing, whaling, memory update frauds, drive-by downloads, browser gateway frauds, ghost administrator exploits, and password-related frauds.
"UCBs should report immediately all unusual cyber security incidents (whether they were successful or mere attempts) to Department of Co-operative Bank Supervision by email, giving full details of the incident. A 'NIL' report shall be submitted on quarterly basis in case of no cyber security incidents," the RBI directed.
Significantly, the circular specifies a tight deadline for the UCBs to get their act together - their boards have to complete the process of policy formulation and send a confirmation to the Department of Co-operative Bank Supervision within three months from the date of the circular, i.e. by January 19. The RBI also intends to fast-track implementation. UCBs have been advised to implement the basic cyber-security controls and report the same on or before March 31, 2019.
The apex bank further pointed out that the above is "an indicative but not exhaustive" framework. So UCBs are free to adopt more advanced cyber-security norms on the basis of their respective self-risk assessments and product portfolio, as decided by their boards.