As information technology becomes increasingly integrated into all aspects of our society, the risk of wide-scale or high-consequence events that could harm or disrupt bank services increases. Cyberspace is difficult to secure due to several factors: the ability of malicious actors to operate from anywhere in the world, the connections between cyberspace and physical systems, and the complexity of reducing vulnerabilities and consequences in intricate cyber networks.
Implementing strong cybersecurity best practices is essential for individuals as well as organizations of all sizes, especially banks. Using strong passwords, updating software regularly, thinking before clicking on suspicious links, and enabling multi-factor authentication are basic "cyber hygiene" practices that can significantly improve online safety.
The Reserve Bank of India (RBI) issued its Cyber Security Framework in Banks circular in June 2016. It sets out the minimum requirements and best practices that banks are expected to implement. Key points are outlined below:
Protect Customer Data
- Safeguard sensitive information and ensure customer data is protected.
Enhance Cyber Resilience
- Build resilience against cyber threats and ensure the integrity of operations.
Comply with RBI Regulations
Banks must ensure compliance with regulatory standards, which include the following:
- A Board-approved cybersecurity policy separate from the IT policy. This policy should outline the framework and strategy for managing cyber threats based on the level of complexity of business operations and acceptable risk levels at the bank.
- A Cyber Crisis Management Plan (CCMP).
- An IT architecture that is conducive to security, so that security controls are designed in rather than bolted on.
- Organizational arrangements that ensure security concerns receive adequate attention and are escalated to the appropriate level of management for quick action.
- Cybersecurity awareness programs for board members, top management, and other relevant parties.
Create a Cyber-Safe Environment
Banks should also:
- Promote cybersecurity resilience objectives to customers, vendors, service providers, and other stakeholders.
- Ensure stakeholders take appropriate action to support the implementation and testing of cyber resilience objectives.
- Educate board members and top management on cybersecurity best practices.
RBI Cybersecurity Guidelines for Financial Institutions
The RBI has issued several key guidelines for financial institutions (including public sector, private sector, and urban cooperative banks), which include the following:
- Use of Removable Media - Banks must restrict the use of removable media (USBs, external hard drives, etc.), ensuring they are scanned for malware before connecting to any computer. Use of removable media should be limited to a select few persons as per the cybersecurity policy.
- Preventing Access to Unauthorized Software - Banks must implement strict controls to prevent unauthorized software from being installed or executed on their systems. This includes using software whitelisting, application control tools, and continuous monitoring to block malicious or unapproved software from being introduced to the network.
- Environmental Controls - Banks must secure the physical locations that house critical assets, protect them from natural and man-made threats, and put in place mechanisms to monitor for breaches or failures of environmental controls: temperature, water, smoke, access alarms, service-availability alerts (power supply, telecommunications, servers), access logs, and so on.
- Continuous Monitoring and Alerting of Network, Systems, and Security Threats - Banks must monitor their networks and systems continuously to detect anomalies, vulnerabilities, and threats as close to real time as possible. Automated alerts must notify the relevant stakeholders of potential security incidents so that response and mitigation can begin promptly.
- Customer Data Protection - Banks must protect customer data at all stages—whether it's in motion or at rest—and ensure it remains secure both within the bank's environment and that of third-party vendors.
- Fraud Monitoring - Banks must set up a real-time or near-real-time fraud monitoring solution to identify suspicious activity.
- Authentication - Banks should implement stronger authentication measures to prevent fraud.
- Customer Awareness - Banks must establish programs to educate customers about cybersecurity threats such as phishing.
- Employee Training - All banks should conduct regular training programs on information security for employees and vendors.
- Cloud Services - Banks and other entities using cloud services must implement a cloud operations policy.
- CCO Reporting - The Chief Compliance Officer (CCO) must have a direct reporting line to the bank's Managing Director (MD) and CEO, or to the Board or the Audit Committee of the Board (ACB).
- CCTV - Banks should install CCTV cameras at entry and exit points of strong rooms, common operational areas, including ATM rooms, and preserve recordings for at least 180 days.
- Cardholder Information - Personal information (e.g., name, address, account details) must be kept confidential and only accessible to authorized personnel.
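The "Preventing Access to Unauthorized Software" guideline above rests on application allowlisting: only executables the bank has approved may run, and anything else (including a tampered copy of an approved binary, or a tool carried in on removable media) is reported and blocked. The script below is an added example written for this page, not RBI's or any bank's code. It implements the simplest form of the control, a SHA-256 allowlist, as an audit over a directory tree. The directory layout, the file contents and the allowlist are all constructed inside the script so that it runs offline; in production the allowlist would come from the bank's change-management process and enforcement would be done by the operating system's own application-control tooling rather than by a periodic scan.

```python
"""Hash-based application allowlist audit (added example, not RBI code).

Assumption: the bank maintains an allowlist of SHA-256 digests for every
approved executable. Any executable found on a host whose digest is not on
the list is reported as unapproved. The sample tree built below is
constructed for this example.
"""
import hashlib
import tempfile
from pathlib import Path

# File types treated as "executable" for the audit; adjust per platform.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sh", ".py")


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_directory(root: Path, allowlist: set[str]) -> dict:
    """Return sorted lists of approved and unapproved executables under root.

    Paths are reported relative to root, using '/' separators. A file is
    approved only if its exact digest is on the allowlist; a renamed or
    patched binary therefore shows up as unapproved.
    """
    approved, unapproved = [], []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if sha256_of_file(path) in allowlist:
            approved.append(rel)
        else:
            unapproved.append(rel)
    return {"approved": sorted(approved), "unapproved": sorted(unapproved)}


def build_demo_tree(root: Path) -> set[str]:
    """Create a constructed sample tree; return the allowlist for it.

    Only the two files hashed at the end are approved. The 'patched' copy
    differs by a few trailing bytes, which is enough to change the digest.
    """
    (root / "bin").mkdir()
    core = root / "bin" / "core-banking.exe"
    core.write_bytes(b"MZ approved core banking client v1")
    report = root / "bin" / "report.sh"
    report.write_bytes(b"#!/bin/sh\necho report\n")
    # Tampered copy of an approved binary: looks legitimate, different hash.
    (root / "bin" / "core-banking-patched.exe").write_bytes(
        b"MZ approved core banking client v1 + implant")
    # Unknown tool copied in from removable media.
    (root / "tmp").mkdir()
    (root / "tmp" / "usbtool.exe").write_bytes(b"MZ unknown tool")
    # A document; ignored because it is not an executable type.
    (root / "tmp" / "notes.txt").write_bytes(b"not code")
    return {sha256_of_file(core), sha256_of_file(report)}


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        allowlist = build_demo_tree(root)
        return audit_directory(root, allowlist)


if __name__ == "__main__":
    result = run_demo()
    for rel in result["approved"]:
        print("approved  ", rel)
    for rel in result["unapproved"]:
        print("UNAPPROVED", rel)
```

Running the script lists the two allowlisted files as approved and flags both the patched binary and the tool from removable media. Two practical points follow from this: a hash allowlist must be updated with every approved software change or it will block legitimate patches, which is why enforcement tools usually also support publisher-signature rules; and an audit script only reports, so the block itself has to come from the OS-level control the guideline calls for.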
Four Key Aspects of Cyber Threat Management
Banks need to focus on four core aspects of cybersecurity as part of their crisis management plan to quickly detect, respond to, recover from, and contain the fallout of cyber incidents:
- Detection
- Response
- Recovery
- Containment
Cyber Crisis Management Plan
Banks should create a comprehensive plan to handle cyber incidents. This plan should define roles and responsibilities, communication protocols, and procedures for detecting, responding to, and recovering from cyber threats.
Business Continuity Planning
Banks must develop business continuity and disaster recovery plans so that critical services keep running, or are restored within defined recovery time objectives, when a cyber incident or other disruption takes systems out of service. The plans should be tested periodically, not just documented.
Safeguards in Digital Banking
- Never share sensitive information such as your account number, login ID, password, PIN, UPI-PIN, OTP, ATM/Debit/Credit card details with anyone. If in doubt, visit your branch directly.
- Beware of phone calls, emails, or SMS messages threatening to block your account because your KYC has not been updated. Fraudsters typically ask you to click a link to "update" your KYC. Do not respond to such messages; go to your bank's official website directly or contact the branch.
- Avoid downloading unknown apps on your phone or device, as they may secretly access your confidential data.
- Receiving money never requires you to scan a QR code or enter your MPIN; those steps authorize a payment out of your account. Treat any request to scan or enter a PIN in order to "receive" money as a scam.
- Always use the official bank website for contact details. Numbers found through internet searches may be fraudulent.
- Check URLs and domain names in emails or SMS for spelling errors and for the bank's name appearing inside some other domain. Use only verified, trusted websites or apps for online banking, and only visit sites whose address starts with "https://". Note that "https://" only means the connection is encrypted; fraudulent sites also use it, so the domain name itself must be the bank's. If in doubt, notify local police or the cybercrime branch immediately.
- If you receive an OTP for a transaction you didn’t initiate, inform your bank or e-wallet provider immediately. If you receive a debit SMS for a transaction you didn’t make, contact your bank immediately to block all debit methods, including UPI. If you suspect fraudulent activity, check for new beneficiaries added to your internet/mobile banking account.
- Never share the password of the email account linked to your bank or e-wallet account; that mailbox can be used to reset your banking credentials. Avoid banking on public or free Wi-Fi networks.
- Do not use common passwords such as "password" for that email account, and do not reuse its password for banking, social media, or anything else. Your email password should be unique and used only for email access.
- Beware of fraudulent investment schemes offering high returns in a short period, including promises of foreign remittances, commissions, or lottery wins.
- Regularly monitor your accounts and report any unauthorized transactions to your bank immediately to block your card/account/wallet and prevent further losses.
- Secure your cards by setting daily transaction limits. You can also activate/deactivate domestic or international usage, reducing the risk of fraud.
- Be cautious of part-time job offers or online advertisements promising high returns. These may be part of a scam or Ponzi scheme.
- Do not click on suspicious investment links shared through chat or messaging platforms.
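The link checks in the list above (misspelled domains, the bank's name embedded in another domain, plain http) can be applied mechanically. The script below is an added example written for this page, not code from the article's author or from any bank. It screens constructed SMS/e-mail texts against an assumed official domain, `examplebank.co.in`, and explains why each link is or is not acceptable. The sample messages, the official domain and the verdict rules are assumptions made for illustration; a real deployment would use the bank's published list of domains.

```python
"""Screen links in SMS/e-mail text against a bank's official domain.

Added example, not part of the original article. OFFICIAL_DOMAIN and the
sample messages are constructed assumptions.
"""
import re
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "examplebank.co.in"  # assumed official domain for the demo
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is typical of typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str, official: str = OFFICIAL_DOMAIN) -> tuple:
    """Return (verdict, reason); verdict is 'ok' or 'suspicious'.

    Only the official domain (or a subdomain of it) over https is 'ok'.
    Every other case is reported with the rule that caught it.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host == official or host.endswith("." + official):
        if parsed.scheme.lower() != "https":
            return "suspicious", "official domain but plain http"
        return "ok", "official domain"
    # e.g. examplebank.co.in.kyc-update.example: the real name is just a
    # prefix; the registered domain is the last part.
    if official in host:
        return "suspicious", "official name embedded in another domain"
    # Punycode / non-ASCII labels are how homograph attacks are encoded.
    if "xn--" in host or any(ord(ch) > 127 for ch in host):
        return "suspicious", "internationalised (homograph-prone) host name"
    if edit_distance(host, official) <= 2:
        return "suspicious", "lookalike of official domain"
    return "suspicious", "unrecognised domain"


def screen_message(text: str) -> list:
    """Extract every URL from a message and classify it."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop trailing punctuation
        verdict, reason = classify_url(url)
        findings.append({"url": url, "verdict": verdict, "reason": reason})
    return findings


# Constructed sample messages; none of these senders or domains are real.
SAMPLE_MESSAGES = [
    "Dear customer, your account will be blocked for non-updation of KYC. "
    "Update now at https://examplebank.co.in.kyc-update.example/login.",
    "Verify your card at https://examp1ebank.co.in/verify to avoid charges.",
    "Your statement is ready: https://www.examplebank.co.in/netbanking",
    "Login here http://examplebank.co.in/kyc (secure portal)",
    "Claim your prize: https://secure-login.example/otp",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for finding in screen_message(msg):
            print(f"{finding['verdict']:10} {finding['reason']:45} {finding['url']}")
```

Only the third message passes; the others fail on, respectively, the bank's name embedded in a foreign domain, a one-character typosquat, a plain-http link, and an unrelated domain. The edit-distance rule is deliberately a last resort: a visually convincing lookalike can be many edits away, which is why anything outside the official domain is reported rather than only near misses.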
Written by
Babu Venkitachalam
Advisor - Security & Compliance
M. Com, CAIIB, CeISB, Dip. Cyber Law
ISO 27001(2013) - IRCA Certified ISMS Auditor (SGS-UK)