How can RBI’s latest guidelines help Indian banks combat cybercrime?
Rising cybercrime in India is no secret. According to a report by Symantec, India now ranks third in the world, after the US and China, as a source of malicious activity.
In fact, National Crime Records Bureau data reveals that in the three years up to 2013, registered cases of cybercrime rose 350%, from 966 to 4356. Both are dubious distinctions, and they give banks and the financial sector in India cause for worry.
Keeping in mind the dramatic swell in online economic crime, India’s central bank – the Reserve Bank of India (RBI) – issued a comprehensive circular in mid-2016 to all banks in India urging them to implement a cybersecurity framework. It prescribes an approach for banks to take concrete measures against cybercrime and online fraud, and thereby retain customer confidence, reduce financial losses and ensure business continuity.
Cybersecurity measures for banks as outlined by RBI’s circular
In light of the rising frequency and impact of cyber attacks, the RBI circular urges banks to take adequate, robust and resilient measures that address the risks posed by cyber criminals, and at the same time to put in place an adaptive Incident Response, Management and Recovery framework to deal with adverse disruptions if and when they occur.
The foundation for fighting cybercrime would be a Board-approved cybersecurity policy that outlines the bank’s approach to combating cybercrime. This policy is not to be confused with the IT policy or the IS security policy, and its strategy should encompass some of the following:
- Identify and assess risks, the technologies adopted, regulatory compliance, delivery channels (online, mobile, etc.), organisational culture, internal and external threats, and the processes and policies in place to manage and combat risk.
- Continuous surveillance, testing for vulnerabilities through a Security Operations Centre (SOC) that is kept constantly updated on the nature of emerging cyber threats.
- An IT architecture conducive to the security measures the bank implements after assessing its readiness, ensuring that network connections to databases are allowed only through a well-defined process and by authorised personnel.
- Ensuring that the confidentiality, integrity and security of customer data is preserved without compromise.
- Formulating a Cyber Crisis Management Plan (CCMP) whose primary focus should be detection, response, recovery and containment, addressing various types of cyber threats including but not limited to: distributed denial of service (DDoS), ransomware/cryptoware, destructive malware, business email fraud including spam, email phishing, spear phishing, whaling, vishing fraud, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity fraud, memory update fraud, password-related fraud, zero-day attacks, remote access threats and more.
Baseline cybersecurity requirements – an indicative list
Banks need to fortify the measures adopted to achieve baseline security and resilience. For instance:
- monitor logs and incidents in real time or near real time;
- configure hardware and software appropriately;
- automate network discovery and management;
- use the right tools and mechanisms to detect unusual activities in servers, end points and network devices;
- protect customer access credentials such as logon user-ID, authentication information and tokens, access profiles, etc. against leakage/attacks;
- implement controls to minimise invalid logon counts, deactivate dormant accounts;
- monitor any abnormal change in pattern of log-on.
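Three of the baseline requirements above (minimising invalid logon counts, deactivating dormant accounts, and monitoring abnormal changes in logon pattern) can be expressed as simple detection logic over authentication logs. The following is an added example written for this page, not code from the RBI circular or from any bank; the log lines, the account directory and the thresholds (five failures in ten minutes, 90 days of inactivity, three prior logons as a baseline) are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon records (not real bank data). One event per line:
#   <ISO timestamp> user=<account> result=<success|failure> src=<country code>
AUTH_LOG = """
2016-03-01T09:02:00 user=alice result=success src=IN
2016-03-02T09:10:00 user=alice result=success src=IN
2016-03-03T08:55:00 user=alice result=success src=IN
2016-03-03T10:00:00 user=carol result=success src=IN
2016-06-20T02:30:00 user=alice result=success src=RO
2016-06-20T11:00:00 user=bob result=failure src=IN
2016-06-20T11:00:20 user=bob result=failure src=IN
2016-06-20T11:00:40 user=bob result=failure src=IN
2016-06-20T11:01:00 user=bob result=failure src=IN
2016-06-20T11:01:30 user=bob result=failure src=IN
2016-06-20T11:02:00 user=bob result=success src=IN
""".strip().splitlines()

# Constructed account directory; 'dave' has never logged on at all.
KNOWN_USERS = {"alice", "bob", "carol", "dave"}

# Thresholds are illustrative assumptions, not values from the RBI circular.
MAX_FAILED = 5                       # failures within FAIL_WINDOW that trigger a lockout
FAIL_WINDOW = timedelta(minutes=10)
DORMANT_AFTER = timedelta(days=90)   # no successful logon for this long => dormant
MIN_BASELINE = 3                     # successes needed before a logon pattern counts as established


def parse_events(lines):
    """Turn the key=value log lines into dicts with a datetime 'ts' field."""
    events = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def detect_lockouts(events):
    """Accounts that reach MAX_FAILED invalid logons inside a sliding FAIL_WINDOW."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    locked = set()
    for e in events:
        if e["result"] != "failure":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > FAIL_WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= MAX_FAILED:
            locked.add(e["user"])
    return locked


def detect_dormant(events, now_iso):
    """Accounts with no successful logon within DORMANT_AFTER of 'now', or none ever."""
    now = datetime.fromisoformat(now_iso)
    last_success = {}
    for e in events:
        if e["result"] == "success":
            last_success[e["user"]] = max(last_success.get(e["user"], e["ts"]), e["ts"])
    return {u for u in KNOWN_USERS
            if u not in last_success or now - last_success[u] > DORMANT_AFTER}


def detect_abnormal_logons(events):
    """Successful logons from a source country the account has never used,
    flagged only once the account has MIN_BASELINE earlier successes."""
    history = defaultdict(list)   # user -> source countries of earlier successes
    flagged = []
    for e in events:
        if e["result"] != "success":
            continue
        seen = history[e["user"]]
        if len(seen) >= MIN_BASELINE and e["src"] not in seen:
            flagged.append((e["user"], e["ts"].isoformat(), e["src"]))
        seen.append(e["src"])
    return flagged


def run_baseline_checks(lines, now_iso):
    """Run all three checks over raw log lines and return the findings."""
    events = parse_events(lines)
    return {
        "lockouts": detect_lockouts(events),
        "dormant": detect_dormant(events, now_iso),
        "abnormal_logons": detect_abnormal_logons(events),
    }


if __name__ == "__main__":
    for name, finding in run_baseline_checks(AUTH_LOG, "2016-06-21T00:00:00").items():
        print(f"{name}: {finding}")
```

On the constructed log, `bob` is locked out after five failures in under two minutes, `carol` and `dave` are reported dormant (one has not logged on for over 90 days, the other never has), and `alice`'s successful logon from a country she has never used is flagged as a change in pattern. The pattern check deliberately waits for a baseline of prior logons so that a brand-new account does not generate noise on its first use.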
The RBI circular mandates a detailed list of cyber defence measures. A large majority of these can be met with robust software tools and products built for specific purposes. But banks must also remember that, from a day-to-day operations perspective, it is imperative to have a system that monitors, tracks, alerts on and preempts anomalies in banking transactions in real time.
Banks should detect and prevent fraud as it happens rather than wait for end-of-day reporting of suspicious incidents. In fact, RBI’s circular lists the implementation of a risk-based transaction monitoring or surveillance process as part of the fraud risk management system across all delivery channels.
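To make "risk-based transaction monitoring across all delivery channels" concrete, here is an added example of a small real-time scoring engine. It is not code from the RBI circular or from any bank's fraud system: the transaction stream, the rules (new beneficiary, amount spike against the customer's own baseline, unseen channel, off-hours activity, velocity) and their weights and thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean

# Constructed transaction stream (not real bank data), in arrival order:
# (timestamp, customer id, delivery channel, amount in INR, beneficiary id)
TRANSACTIONS = [
    ("2016-06-20T09:00:00", "c1", "netbanking", 2500, "B-rent"),
    ("2016-06-21T09:05:00", "c1", "netbanking", 1800, "B-grocer"),
    ("2016-06-22T09:10:00", "c1", "mobile", 3000, "B-rent"),
    ("2016-06-23T02:15:00", "c1", "mobile", 95000, "B-new-1"),
    ("2016-06-23T02:16:00", "c1", "mobile", 90000, "B-new-2"),
    ("2016-06-23T02:17:00", "c1", "mobile", 90000, "B-new-3"),
    ("2016-06-24T10:00:00", "c1", "netbanking", 15000, "B-new-4"),
]

# Rule weights and thresholds are illustrative assumptions, not values from the circular.
MIN_HISTORY = 2                       # cleared transactions needed before the baseline rules apply
AMOUNT_MULTIPLIER = 5                 # amount above this multiple of the baseline mean is a spike
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3                    # transactions inside VELOCITY_WINDOW counted as high velocity
OFF_HOURS = range(0, 6)               # 00:00 to 05:59
RULE_WEIGHTS = {"new_beneficiary": 2, "amount_spike": 3, "new_channel": 1,
                "off_hours": 1, "high_velocity": 3}
STEP_UP_AT, HOLD_AT = 3, 6            # score thresholds for the three outcomes


class TransactionMonitor:
    """Scores each transaction as it arrives against the customer's own history."""

    def __init__(self):
        self.amounts = defaultdict(list)        # customer -> amounts of cleared transactions
        self.beneficiaries = defaultdict(set)   # customer -> payees used in cleared transactions
        self.channels = defaultdict(set)        # customer -> channels used in cleared transactions
        self.recent = defaultdict(deque)        # customer -> timestamps inside the velocity window

    def _rule_hits(self, ts, customer, channel, amount, beneficiary):
        hits = []
        q = self.recent[customer]
        q.append(ts)
        while ts - q[0] > VELOCITY_WINDOW:      # velocity counts every attempt, cleared or not
            q.popleft()
        if len(q) >= VELOCITY_LIMIT:
            hits.append("high_velocity")
        if ts.hour in OFF_HOURS:
            hits.append("off_hours")
        if len(self.amounts[customer]) >= MIN_HISTORY:   # baseline rules need some history
            if beneficiary not in self.beneficiaries[customer]:
                hits.append("new_beneficiary")
            if amount > AMOUNT_MULTIPLIER * mean(self.amounts[customer]):
                hits.append("amount_spike")
            if channel not in self.channels[customer]:
                hits.append("new_channel")
        return hits

    def process(self, ts_iso, customer, channel, amount, beneficiary):
        """Score one transaction and decide allow / step_up / hold in real time."""
        ts = datetime.fromisoformat(ts_iso)
        hits = self._rule_hits(ts, customer, channel, amount, beneficiary)
        score = sum(RULE_WEIGHTS[h] for h in hits)
        if score >= HOLD_AT:
            decision = "hold"
        elif score >= STEP_UP_AT:
            decision = "step_up"
        else:
            decision = "allow"
        if decision == "allow":   # only cleared transactions shape the baseline
            self.amounts[customer].append(amount)
            self.beneficiaries[customer].add(beneficiary)
            self.channels[customer].add(channel)
        return {"ts": ts_iso, "customer": customer, "amount": amount,
                "hits": hits, "score": score, "decision": decision}


def run_monitor(transactions):
    """Feed a stream through a fresh monitor and return one verdict per transaction."""
    monitor = TransactionMonitor()
    return [monitor.process(*txn) for txn in transactions]


if __name__ == "__main__":
    for verdict in run_monitor(TRANSACTIONS):
        print(verdict["ts"], verdict["amount"], verdict["decision"], verdict["hits"])
```

The verdict for each transaction is available the moment it arrives, which is the "detect and prevent as it happens" posture rather than end-of-day review. Two design choices matter: the baseline is kept per customer across channels, so a payment on the mobile channel is judged against history built on net banking; and only transactions that were cleared update that baseline, so the three large off-hours transfers in the constructed stream are held rather than quietly inflating the customer's average and masking each other. A later payment that is merely unusual (a new payee at a high but not absurd amount) lands in the middle band and is sent for step-up verification instead of being blocked outright.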
In addition to optimising available technology to strengthen controls for effective risk and fraud management, banks need to conduct employee and management awareness workshops, encourage staff to report any suspicious behaviour to the incident management team, conduct targeted training for key staff in operations and management roles, and evaluate awareness periodically.
In parallel, banks need to conduct awareness programmes for their customers: encourage them to report phishing mails and phishing sites, highlight the risks of sharing online account credentials and passwords, and explain other measures they can take to protect themselves from fraudsters and people with mala fide intent.
The RBI circular also touches upon governance aspects, which include dashboards, intelligence, proactive monitoring and management capabilities with sophisticated tools for detection and quick response, backed by data and tools for sound analytics. In addition, banks must keep in mind three further categories of issues while equipping themselves to fight cyber attacks: technology issues, people-related issues and process-related issues.
It would be fair to assume that if Indian banks were to proactively implement an intelligent, cross-channel anti-fraud defence mechanism, the impact of cybercrime (if and when it occurs) could be vastly reduced.