RBI ReBIT Workshop for Urban Cooperative Banks
Agenda: Cyber Security Resilience in Urban Cooperative Banks (UCBs)
Date: 24 January, 2019
Associate Manager, Research Analyst, ReBIT
“The cost aspect should not be a hindrance while ensuring a resilient cyber security infrastructure, because in case of a cyber-attack, a bank may lose much more money in a few seconds,” remarked Ms Rosemary Sebastian, Executive Director, Reserve Bank of India. She was delivering the keynote address at the RBI-ReBIT workshop for Urban Cooperative Banks held at One IndiaBulls Centre, Lower Parel, Mumbai. The workshop was conducted for the senior management of the Urban Commercial Banks (UCBs). It primarily aimed to address queries, myths and doubts concerning the regulatory landscape surrounding UCBs’ cyber security requirements and preparedness. Mr R. L. Sharma, Chief General Manager, Department of Cooperative Banking Supervision delivered the opening remarks. He appreciated the enthusiastic participation of the senior management of the UCBs.
Ms Sebastian emphasized that with cyber security emerging as one of the top three risks globally, it cannot be ignored by organizations, irrespective of their size. She quoted observations from the DCBS, RBI and ReBIT joint study, which found that dependency on a single person in the IT department, use of personal mail IDs for official communication, and obsolete, ad-hoc technology were indicative of cyber security weaknesses in UCBs. She advised UCBs to stay vigilant in vendor outsourcing and to ensure that vendors are compliant with the cyber security policies of the bank.
She explained that there is an ardent need for organisations to update, adapt and evolve their cyber resilience framework as per their technological requirements and scale of operations.
Cyber Security Management for UCBs
Mr Jayaraman Pazhamalai, Senior Vice President, System Audit, ReBIT, began the second session by noting that India is among the top three countries that are most vulnerable to cyber risks. He then talked about the various myths surrounding cybersecurity and stressed that the CISO or the IT department alone should not be expected to take complete ownership of cyber security. He added that security-based solutions demand real-time improvements and monitoring, and that protection of customer PII (Personally Identifiable Information) cannot be driven by a single person.
He also said that people are the weakest link in the “People, process and technology” chain. Seconding Ms Sebastian’s suggestion, he noted the importance of checking vendor outsourcing, observing that only the responsibility for a piece of work is outsourced, not its accountability.
Mr Jayaraman also commented that banks need to focus equally on “prevention”, “detection/monitoring” and “response”.
Mr Nandkumar Saravade, CEO, ReBIT, moderated an insightful panel discussion on ‘Building Cyber Security Culture in UCBs’. Mr Munjal, Partner, Deloitte Risk Advisory, commented that the threat scenario is real as hackers are adept at finding vulnerabilities, and that being small does not make UCBs safer. Ms Sandhane, CEO, Saraswat Bank, discussed the various constraints faced by cooperative banks. She talked about “Project Satark”, run in her bank, which aimed at creating awareness among customers, vendors and service providers. She emphasized the need to build a culture of threat management in cooperative banks, wherein even the junior-most employee is aware.
Ms Sandhane also clarified the difference between an information security policy and a cyber security policy.
Mr Ramana Murthy, Chief Information Security Officer, State Bank of India, primarily dwelled on the governance aspect, procedural discipline and process control. He further emphasized the action points of the RBI circular for the UCBs. He mentioned that the top five key performance indicators from the CISO to the board should include patch management, port management, configuration, application security weakness and antivirus. He stressed the need for analysing IT infrastructure right from centralized to endpoint units, to ensure that it is conducive for cybersecurity.
After the panel discussion, there was a Q&A session with Ms. Sebastian and Mr R. L. Sharma. They keenly interacted and engaged with the UCB representatives to address their concerns and queries.
The discussion covered issues like shared vendor management, lessons learnt from cyber security incidents in the past and how one should keep abreast of industry best practices. The participants also realised the importance of local forums and mutual coordination to understand and follow best practices in cyber security. After the discussion, the participants agreed that cyber security resilience needs to be built together at industry, government, management and employee level.
Ms Surabhi Tiwari, Senior Manager, System Audit, thanked the distinguished speakers and participants of the workshop on behalf of the ReBIT team. The intent, initiative and execution of the workshop were appreciated by all attendees.