The Reserve Bank of India (RBI) has released directives pertaining to the Cyber Security Framework. The objective of releasing RBI guidelines for cyber security improvement was to establish a state of cyber security readiness, emphasizing the necessity for financial institutions to possess a robust system dedicated to cyber security and resilience.

RBI has mandated that all listed banks (including private, foreign and nationalized banks) falling within the regulatory scope of the RBI, along with private sector cooperative banks registered with the RBI, establish individualized cybersecurity policies that align with their existing IT (Information Technology) or IS (Information Security) security protocols to guarantee satisfactory readiness for cyber security within the evolving financial sector of India.

This framework will guide the implementation of increasingly resilient security measures, adapting to the specific characteristics, scope and diversity of digital product offerings within the banking sector.

RBI Guidelines for Cyber Security and Improving Resiliency

The RBI guidelines for cyber security framework underscore the heightened targeting of the financial sector in India compared to those in other nations. The guidelines highlight the pressing need for enhanced training and preparedness. By integrating cyber crisis and incident response management into their existing framework, Indian banks can fortify their reputation through adept crisis management amid the escalating cyber threats in the country’s financial sector.

Banking CISOs in India are now mandated to furnish RBI’s CSITE Cell in Mumbai with a cyber-security policy/report outlining strategies to enhance security against cyber threats, focusing on specific areas of concern.

Furthermore, RBI has called upon security leaders to raise awareness about the impact of cyber attacks on specific institutions, particularly urging discussions on potential consequences arising from cyber incidents affecting banks.

Structure of RBI Guidelines for Cyber Security

The framework consists of 3 main domains that financial institutions should follow to establish healthy cyber hygiene.

Annex 1: Requirements for Cyber Security & Resiliency

This section of RBI guidelines for cyber security framework encompasses a suggestive inventory of information security prerequisites and cybersecurity readiness criteria that must be adhered to in order to establish robust protection against cyber attacks. They are as follows:

Inventory Management of Business IT Assets – Banks must maintain up-to-date records of their IT assets, encompassing both physical items like computers and office equipment, as well as intangible assets such as their banking platforms.

Preventing Execution of Unauthorized Software – Banks should ensure registered software for proper functioning and maintain records of authorized and unauthorized software and equipment.

Environmental Controls – Banks must establish robust computing security systems to safeguard physical and environmental elements from attacks.

Network Management and Security – Enforce network policies to secure Urban Cooperative Bank’s LAN, WLAN, and website, with daily network activity logging mandated for all team members responsible for network hardware/software development or maintenance, including business owners conducting similar activities using privately owned equipment.

Application Security Life Cycle – Enhance security within the banking Software Development Life Cycle (SDLC). This involves establishing a continuous integration pipeline to evaluate the security of open source dependencies for cloud-native banking applications.

Secure Configuration – Banks are required to document and implement fundamental security standards for all devices, including endpoints/workstations, mobile devices, operating systems, databases, applications, networks, security devices, and systems, among others.

User Access Control & Management – Banks need to exercise cautious discretion when granting access to customer data and any sensitive information that might be vulnerable to misuse for personal gain.

Data Leak Prevention Strategy – RBI has provided banks with a fresh directive outlining a strategy to safeguard customer data and prevent its potential exposure to unauthorized parties.

Maintenance, Monitoring and Analysis of Audit Logs – Banks should maintain access logs containing administrator IP addresses, timestamps, and intrusion attempts to promptly respond to unusual network activity, understand events and aid recovery from cyber attacks if necessary.

Vulnerability assessment & Penetration Test and Red Team Exercises – To safeguard against security breaches, banks need to regularly conduct penetration testing and security assessments on their systems, applications, and network assets.

Annex 2: Establishing Cyber Security Operation Centre (C-SOC)

This section suggests setting up a centralized and integrated security operations centre (SOC) for proactive monitoring and detection of cyber events as well as raising alarms, patch management, and so on. This section includes:

• Functional requirements for establishing C-SOC
• Governance structure and management framework of C-SOC
• Requirements to integrate C-SOC with cybersecurity solutions
• Specifications about the right skillsets
• Definition of C-SOC processes, operation manuals and playbooks
• Implementation of CSOC technologies like Security Information and Event Management (SIEM) integrated with threat intelligence feeds and services.

Annex 3. Process of Cyber Security Incident Reporting (CSIR)

This section specifies that banks are required to notify the RBI of security incidents within two to six hours upon discovery, with follow-up updates needed if initial reports were incomplete. The incident reporting template comprises six sections, including a timeline of events, root cause analysis and a targeted incident resolution date.

The RBI guidelines serve as a crucial roadmap for safeguarding the financial sector in the digital age. With these guidelines in place, Indian banks are better equipped to ensure the security, integrity, and resilience of their digital operations, contributing to a safer and more secure financial landscape for all stakeholders.

Prime Infoserv as a CERT-In empanelled auditor offers a suite of comprehensive solutions aligning with RBI guidelines for cyber security framework focusing on risk management, vulnerability detection and 24×7 attack surface monitoring. You may connect with us via info@primeinfoserv.com or +9133 4008 5677 in case you require assistance with safeguarding your critical assets in line with RBI guidelines.