The Reserve Bank of India (RBI) has told commercial banks to ‘immediately’ put in place a cyber security policy, duly approved by the board, in the wake of increasing cyber attacks in the financial system.
“Banks should immediately put in place a cyber-security policy elucidating the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk, duly approved by their board,” according to a statement from the regulator .
The policy would also include setting up an adaptive incident response, management and recovery framework to deal with adverse incidents/disruptions, if and when they occur, according to the central bank.
“There is an urgent need to bring the board of directors and top management in banks up to speed on cyber-security related aspects, where necessary and hence banks are advised to take immediate steps in this direction,” according to the statement.
Banks have been asked to formulate a Cyber Crisis Management Plan (CCMP) which should be a part of the overall board-approved strategy.
“CCMP should address the following four aspects—Detection, Response, Recovery and Containment.” The central bank has observed that with the use of technology by banks gaining momentum, the number, frequency and impact of cyber incidents/attacks had increased manifold in the recent past.
The regulator has emphasised that the cyber security policy should be distinct and separate from the broader IT policy/IS Security policy so that it can highlight the risks from cyber threats and the measures to address or mitigate these risks.
The Reserve Bank of India said it had observed banks were hesitant to share information on cyber security-related incidents.