The Reserve Bank of India has instructed all banks to formulate a comprehensive cyber security policy approved by their boards to tackle cyber threats, depending on the complexity of business and subsequent risk assessment.
The directive lays out that cyber policies in banks must focus on mitigating and preventing specific cyber threats as distinct from overall IT security measures already in place. Banks are under increasing pressure to safeguard infrastructure and sensitive information against Distributed Denial of Service (DDoS) attacks, phishing and zero-day vulnerabilities, among others.
The new initiative underscores the need to maintain a Supervisory Reporting Framework to report cyber threats to the RBI in the following format. In the event of gaps in preparedness, banks are expected to report the same to the Cyber Security and Information Technology Examination (CSITE) Cell of the RBI.
Banks are expected to communicate their compliance with this requirement to the CSITE cell before Sep. 30, 2016, and are also required to spell out risk cost and decisions based on "potential cost trade-offs" to the central bank in order to facilitate a subsequent supervisory assessment.
The RBI's notice mandates banks to categorise risks into low, moderate, high and very high, based on internal and external risk assessments, which in turn depend on factors such as bank size, business complexity, prevalent technology, nature of digital products and stakeholders involved in banking activities.
The report also calls for periodical assessment of vulnerabilities, a functional Security Operations Centre (SOC) "to monitor and manage cyber risks in real time," protection of network as well as databases that often store important information, a separate Cyber Crisis Management Plan, cyber resilience framework to assess risk levels and preparedness.
The banking regulator emphasised that banks have to continuously review their cyber policy to take preventive action against new security threats.
"Wherein it was indicated that the measures suggested for implementation cannot be static and banks need to pro-actively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns" the report states.