Drishti IAS
RBI Mandates Cyber Security Policy
Jul 09, 2016

The Reserve Bank of India (RBI) recently directed all banks to immediately frame cybersecurity policies approved by their respective boards. The policies must discuss strategy, acceptable level of risks and an appropriate approach to combat cybersecurity threats.

In a notification on its website the regulator has said, “In view of the low barriers to entry, evolving nature, growing scale/velocity, motivation and resourcefulness of cyber threats to the banking system, it is essential to enhance the resilience of the banking system by improving the current defences in addressing cyber risks.” Further, the policy should focus on aspects such as setting up security operations centres for continuous surveillance and management of cyber threats and protection of customer information.

Main features:

  • The cybersecurity policy must be separate from the bank’s overall technology and security policy.
  • The policy will help to highlight the risks from cyber threats and the measures to address and mitigate these risks. Banks are required to send a confirmation to RBI about setting up such a policy by 30 September.
  • While identifying and assessing the inherent risks, banks are required to take into account the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online/mobile products, technology services, organizational culture and internal and external threats.
  • Depending on the level of inherent risks, banks will be required to identify their riskiness as low, moderate, high and very high or adopt any other similar categorization.
  • The riskiness of the business component may also be factored in while assessing the inherent risks.
  • There is a need to review the network and database security within a bank to ensure that they are not vulnerable to any cyber attacks.
  • It is essential that unauthorized access to networks and databases is not allowed and wherever permitted, these are through well-defined processes which are invariably followed.
  • Responsibility over such networks and databases should be clearly elucidated and should invariably rest with the officials of the bank.
  • With regard to customer information, banks will have to put in place suitable systems and processes to ensure that sensitive information is not compromised, irrespective of whether the data is stored or in transit within banks, with customers or even with third-party vendors.
  • Apart from the board-approved security strategy, banks will also have to create a cyber crisis management plan.
  • Banks are expected to be well prepared to face emerging cyber threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.
  • Banks will need to take necessary preventive and corrective measures in addressing various types of cyber threats such as denial of service, distributed denial of service, ransomware or cryptoware, destructive malware, business email frauds including spam, phishing, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, among others.
  • Banks will need to report all unusual cybersecurity incidents—whether they were successful or were attempts that did not fructify.
  • Banks are also required to conduct an immediate study of any major gaps in preparedness against a cyber attack, the proposed measures to tackle them, the effectiveness of these proposed measures and milestones with timelines for implementing them.

