In June 2016, the Reserve Bank of India (RBI) sent to CEOs of Indian banks an important circular, the Cyber Security Framework in Banks. The document states that banks have an urgent need to put in place a robust cybersecurity/resilience framework and ensure adequate cybersecurity preparedness on a continual basis. Issuing cybersecurity guidance is not new for RBI, which issued a similar document in 2011. However, this particular document is timely and essential. Information technology (IT) is now part of banks’ operational strategies, essential for both them and their customers. At the same time, as RBI points out, the number, frequency, and impact of cyber incidents on Indian banks has increased substantially. Like their peers globally, Indian banks are committed to maintaining customer trust, protecting financial assets, and preserving their own brand and reputation as the industry will remain a top target of cybercriminals using increasingly sophisticated methods. Thus, it is urgent that banks continue to improve their cyber defenses.
The RBI guidance consists of the overall/introductory framework and guidance and three annexes:
- An indicative set of baseline cyber security and resilience requirements.
- Information on setting up and operationalising a cyber security operation centre (C-SOC).
- A template for reporting cyber incidents to the RBI.
Within the range of instructions and recommendations in the guidance, three things rise to the top as notable.
First, the guidance instructs banks to involve their boards of directors and other senior management in cybersecurity. Boards must approve their banks’ cybersecurity policies and strategies and, more generally, they need to be brought up to speed on potential cybersecurity impacts, including their banks’ preparedness, and the need to manage cyber risks. At the same time, the guidance notes that managing cyber risk requires awareness and commitment among staff at all levels. We agree wholeheartedly. Executives can no longer delegate the whole cybersecurity agenda to the IT division. Because the value of a bank’s brand can be directly affected by security incidents, security needs to become an integral part of the company strategy at the highest possible level, actionable at every branch and corporate site and supported by greater employee awareness. Through our recent book, Navigating the Digital Age, and our online community, SecurityRoundtable.org, Palo Alto Networks seeks to share best practices, use cases and expert advice to guide executives on managing cybersecurity risks.
Second, the guidance directs Indian banks to take a risk management approach to cybersecurity. RBI notes that the size, IT systems, technological complexity, stakeholders, and other factors vary from bank to bank, and thus banks must identify their own inherent risks and needed controls to adopt an appropriate cybersecurity approach. We agree. No “one size” cybersecurity solution will fit all banks. However, there are some best practices that will improve overall cybersecurity hygiene.
Third, the guidance emphasises prevention. For example, the guidance says that banks should not allow unauthorised access to networks and databases, should take necessary preventive and corrective measures, and should endeavor to stay ahead of the adversary. We agree. Given that banks everywhere are constantly under siege from cyber attackers, a prevention-minded philosophy to cybersecurity is needed. Detection and remediation are too little and far too late to properly protect the financial assets and information of banks’ clients. This is where the SOCs called for by RBI will be extremely helpful. Per the guidance, a bank’s SOC should “keep itself regularly updated on the latest nature of emerging cyber threats” and be “well-prepared to face emerging cyber threats such as zero-day attacks”. However, SOCs are just part of the solution. Including cybersecurity in the overall network or enterprise architecture will also contribute to a preventive posture. Palo Alto Networks is focused on preventing successful cyberattacks and can be part of such a layered defense approach.
The guidance’s baseline cybersecurity and resilience requirements are helpful. They include recommendations to meet many of the goals laid out above, such as a requirement to have advanced real-time threat defense and management. However, as RBI notes, the list is indicative and not exhaustive. As they seek to manage their ever-evolving risks, it is critical that banks retain the flexibility to ascertain and deploy the most advanced technologies and processes to ensure the best possible protection of client data and financial assets.
Today’s digital way of life puts immense pressure on the financial services industry. Individuals, institutions and governments demand an unprecedented level of access to their financial assets and information. Clients must trust that their financial assets and information are safe yet also readily available. This trust is best built and maintained with a breach prevention-based mindset for cybersecurity.
[Palo Alto Networks Research Center]