RBI Plans Cybersecurity Arm for Banks
Security Leaders Welcome Help Setting New Standards
The Reserve Bank of India has plans to set up a new IT subsidiary responsible for strengthening cybersecurity in the Indian banking sector.
"While the precise nature of the subsidiary is yet to be formulated, the cybersecurity arm will supervise and formulate policies for cybersecurity among other information technology issues related to banks," says Raghuram Rajan, RBI governor, during a press conference in Goa, after a meeting of the central board of directors of RBI.
Rajan says the entity will attract people from the IT sector to focus on issues affecting the banking space, including cybersecurity, and equip the sector with the tools necessary to face any attack.
"Cybercriminals are getting sophisticated in terms of using technology, and we have to constantly examine our readiness to face the new innovations in the field of cybercrime," Rajan says.
While the details of the structure of the new entity are not clear, banking and security experts consider the move a positive step in the right direction.
'The Right Effort'
Security practitioners say the RBI's move will certainly focus on regulating banks regarding cybersecurity, auditing the strengths and weaknesses of technology in banks, their sensitivity toward public grievances on cybercrime and creating awareness through incident response mechanisms.
Sameer Ratolikar, chief information security officer, HDFC Bank, says the move indicates the kind of attention cybercrime has managed to grab.
"Given that Indian banks are moving to digital and using SMAC (social, mobility and cloud) business models for transactions, cyber-threats are bound to increase," Ratolikar says. "Setting up such an arm definitely instills confidence among security practitioners, as the regulator is making the right effort in addressing this menace."
He confirms that public sector banks, payment banks and small and mid-size banks will benefit immensely, as they would have direct access to the regulator's information about cybercrime and breaches.
Another advantage, Ratolikar observes, is that the RBI would ensure security standards and best practices are shared with the banks through this subsidiary, raising the security bar for all institutions.
N.D. Kundu, CISO of Bank of Baroda, agrees that the proposed entity will be a good resource for information sharing on cybercrime, breaches and online fraud, and a good platform to roll out best practices.
"It is a logical approach from RBI, as at this point in time the regulator is unable to guide or share information with all banks in the country or make its policies mandatory, owing to different cultures and policies of each bank," Kundu says.
"RBI is also unable to monitor online fraud and assess the right technological support; having a focused arm will definitely help get into the nitty-gritty of online transactions and discover discrepancies," he believes.
Chennai-based V. Rajendran, president of Cyber Society of India, argues that this move is something the industry has demanded for a considerable time. "With so many electronic delivery channels and such a huge number of electronic products, the banking industry is bound to make a paradigm shift away from personal and physical banking to electronic, impersonal and often faceless banking, resulting in huge security risks."
The current RBI guidelines are not followed as closely as some RBI guidance, such as the Gopalakrishna Working Group of RBI April 2001 Report on Data and Information Management in the RBI, Banking Ombudsman Circulars and RBI Guidelines on Internet Banking, Rajendran says. But with this new entity, the RBI can formally be part of the national cyber co-ordination center and call for exchange of information on any terrorist sharing the bank details, remittance details, money mule operations, etc.
"Creation of a separate investigative agency under the direct control of the RBI (through the information subsidiary) will definitely help investigate breaches of security and [incidents of] bank fraud, provided it is equipped with properly trained personnel and state-of-the-art resources," says Coimbatore-based S.N. Ravi Chandran, cybercrime investigator and member of Cyber Society of India.
While it is too early to guess how RBI intends to equip its IT subsidiary, experts recommend tasks that can be taken up.
Ratolikar hopes that the subsidiary will take control of the automatic data flow mechanism developed by the RBI from a security threat intelligence perspective to share insights about threats and incidents and suggest improved mechanisms to deal with cyber fraud.
Rajendran says the IT arm should focus on regulating the banks on cybersecurity. That means auditing the strengths and weaknesses of technology in banks, their sensitivity towards public grievances on cybercrime, their alertness towards cyber incidents, response in combating cyber-threats and putting in place a regulated control measure applicable to all banks, ensuring a cybercrime-free environment.
Ravi Chandran recommends a few priority areas:
- Creation of indigenous operating systems, storage locations, anti-virus, hardware and software, etc;
- Proper systems to authenticate common users of the facilities, authenticate transactions and create a chain of accountability for every transaction. The existing systems are primitive;
- Legal infrastructure like a Right to Privacy Act, and responsibility of banks for securing information. Separate courts for economic offenses are also a possibility;
- Putting down procedures and protocols for getting grievances settled expeditiously (non-existent at present).
Kundu says, "RBI's new entity should be able to define the scope of the security guidelines with more clarity and align with all the banks in the country in making appropriate recommendations to combat cyber-threats."