On 2 June 2016, the Reserve Bank of India (RBI) published the Cyber Security Framework in Banks. Addressing an increasingly complex threat landscape, the framework aimed to bring banks’ cybersecurity strategies up to international standards. Through it, the RBI acknowledged the rapid growth of digitalization across the Indian banking sector and sought to guarantee that such efforts do not take any shortcuts when it comes to security and data protection.
The comprehensive Cyber Security Framework requires banks to take a proactive approach to cybersecurity measures and ensure that, among other things, their networks and databases are secure, customer information is protected at all times and a mitigation plan is in place in case a security incident occurs. Most notably, banks only have 2 to 6 hours to notify the RBI after a data breach is detected.
The RBI has shown it means business when it comes to enforcing the Cyber Security Framework and has already issued fines for noncompliance to several Indian banks, most notably, 10 million rupees (approximately $137,000) to Corporation Bank in July 2019 and 30 million rupees (approximately $410,000) to SBM Bank in October 2019.
5 tips for RBI Compliance
While the Cyber Security Framework itself provides extensive guidelines for developing cybersecurity strategies, there are a few ways banks can make its implementation a smoother and more efficient process. Here are our tips.
1. Conduct a gap analysis
Before getting down to developing a cybersecurity strategy, banks should conduct an internal audit of existing policies, network architecture and implemented solutions to identify gaps in their security measures. They should then weigh the gaps against the risks applicable to their particular environment and infrastructure.
In this way, banks know beforehand which areas their new cybersecurity strategies need to focus on and which vulnerabilities need to be addressed. The gap analysis also reduces the costs of implementing cybersecurity strategies through an efficient risk-based approach.
2. Educate employees
While the Cyber Security Framework stresses the need for banks to bring the Board of Directors and Top Management up to speed on cybersecurity threats and the need to address them, it is also essential that employees, especially those conducting banks’ daily operations, receive training about them.
Awareness of the potential impact of cyberattacks is not enough for individuals who might be targeted directly by malicious outsiders as they perform their daily tasks in the service of a bank. Phishing, social engineering, and negligent practices can also spell disaster for a bank’s compliance efforts. This is why employees need targeted training that explains the cyberthreats they might face and what they need to do when they identify them, raising their level of preparedness in case of a security incident.
3. Test your Cyber Crisis Management Plan
Developing a Cyber Crisis Management Plan (CCMP) is mandatory under the RBI’s Cyber Security Framework. Similar to data breach response plans, CCMPs require banks to take measures to promptly detect data breaches and effectively respond to them, thus reducing any potential fallout from them.
However, for CCMPs to be effective they should be tested beforehand. Having a plan on paper does not guarantee efficiency in the event a security incident actually occurs. By testing it, banks can make sure that the plan can be applied in a real emergency and employees are already prepared and aware of the steps they need to take to contain it.
4. Use Data Loss Prevention Solutions
The Cyber Security Framework dedicates an entire chapter to data protection. Banks are required to preserve the confidentiality, integrity, and availability of the sensitive data they collect, regardless of whether that data is locally stored on their networks, in transit within the organization, or with third-party vendors. To this end, banks need to put suitable systems and processes in place across the data lifecycle.
Data Loss Prevention (DLP) tools are the ideal solutions for dealing with these requirements. They allow banks to monitor and control the movement of sensitive data based on predefined but customizable policies. Banks can block or limit the transfer of personal information via unauthorized file-sharing services, messaging apps, websites, and more.
DLP solutions also come with data-at-rest scanning capabilities, meaning that banks can perform regular scans of data stored on employee computers to ensure that sensitive data has not been left exposed to a breach. When personal information is found in a vulnerable location, banks have the option to delete or encrypt the data automatically. Complete-package DLP solutions like Endpoint Protector go a step further and help banks control computers’ USB and peripheral ports, blocking or limiting their use to work-issued removable devices, another data protection measure required under the Cyber Security Framework.
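The data-at-rest scan described above, as an added example that is not code from Endpoint Protector or any other DLP product. It assumes the policy targets payment card numbers (a digit pattern plus the Luhn check); the function names and the sample export file are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed policy for this example: flag payment card numbers (13-19 digits,
# optionally grouped by spaces or hyphens) that also pass the Luhn check.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs (IDs, ticket numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Return (line number, masked value) for each card number found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                # Mask all but the last four digits so the report is not a new leak.
                hits.append((lineno, "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory and map each file's relative path to its hits."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            with path.open("rb") as fh:
                data = fh.read(max_bytes)  # cap the per-file read
        except OSError:
            continue  # unreadable file: skipped here, a real scan would log it
        hits = scan_text(data.decode("utf-8", errors="ignore"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Scan a constructed export; 4111... is a well-known test card number."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "exports").mkdir()
        Path(root, "exports", "customers.csv").write_text(
            "name,card\nA. Kumar,4111 1111 1111 1111\nticket,1234567890123456\n")
        return scan_tree(root)
```

The 16-digit ticket number in the sample fails the Luhn check and is not reported, which is the kind of false positive a pattern-only policy would raise.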
5. Monitor data along with threats
One of the major requirements of the Cyber Security Framework is the need for banks to set up a Security Operations Centre (SOC) responsible for the continuous surveillance of emerging cyber threats and regular testing for vulnerabilities.
However, it is not only cyber threats that need to be monitored. For a data protection strategy to be effective, the movements of sensitive information also need to be continuously tracked. This is an effective preventive measure for insider threats and potential data leaks by careless employees.
Most DLP solutions also offer monitoring capabilities. This means that the movements of sensitive data are tracked and any attempts at policy violations are flagged. In this way, banks can identify potential insider threats or bad practices among employees that can then be corrected through targeted training.