Time for banks to scale up cyber security: RBI deputy governor

Banks need to put in place preventive measures such as appropriate controls framework around the systems, reconciliation of transactions in on real / near real time basis, controls over the message creation and transmission, applying timely security patches to the interfaces, if any, close monitoring of transactions and disabling USB, and internet access on the connected nodes, R Gandhi, deputy governor of the Reserve Bank of India (RBI) said at an Assocham event.

Citing the instance of the recent cyber attack on Union Bank of India, Gandhi said while there has been no monetary loss in the recent cyber incident at the bank, it is too early to conclude what and how of the incident at this juncture and the need for vigil over the sensitive systems like remittances is once again brought to the fore.

Last week, Union Bank of India had said that it had averted an attempt of cyber theft in its US dollar Nostro account - the offshore account - and also there was no financial consequence as the attack had been foiled.

Banks need to put in place preventive measures such as appropriate controls framework around the systems, reconciliation of transactions in on real / near real time basis, controls over the message creation and transmission, applying timely security patches to the interfaces, if any, close monitoring of transactions and disabling USB, and internet access on the connected nodes.

Equally important is the timely detective measures. It is pertinent to prepare ourselves to face such incidents, by having a robust crisis management plan, he said.

Equally important is the timely detective measures. It is pertinent to prepare ourselves to face such incidents, by having a robust crisis management plan. I am sure the banks are taking earnest steps to comply with the provisions of the circular as soon as possible, Gandhi said while inaugurating '9th annual summit on cyber and network security,' organised by Assocham.

"Information dissemination is a key facilitator in combating the menace of cyber related incidents. While the Reserve Bank obtains information from banks on cyber incidents, including those which did not fructify into loss of money or information, such information is also shared amongst the banks along with suggestions aimed at best practices," he added.

Gandhi said the recent RBI guidelines on Cyber Security Framework in banks are aimed at a focused attention to cyber threats and framework for mitigating the threats and to protect the information assets. He said information dissemination is a key in combating the cyber threat incidents and said the banks also share information about cyber attacks along with suggestions on best practices.

The Institute for Development and Research in Banking Technology also has a system to collate such information and share the generic aspects amongst the chief information security officer of banks, he said. "All these, I am sure will help the banks in further enhancing their cyber security related capabilities.

"The banking sector, similar to other sectors of the Indian economy, has always been very responsive to change and has adapted itself very well to meet the challenges which keep emerging frequently. It has also proved that it cannot only adapt well but also quickly so that response times are fast to prevent recurrence of negative incidents. The same fervor, I am sure, will be witnessed in the area of cyber security as well and will leave a mark of confidence in the minds of the customers of banks," Gandhi said.

He added, "The recent developments in banking as also payment and settlement systems have resulted in enhanced customer comfort and flexibility in terms of timing, location and choice of channels. These, however, also expose the customers as well as banks to risk of cyber-attacks. While the banks have better resilience in terms of risk mitigation structures and ability to absorb the losses and expenses, the customers may not be so privileged."

Cyber criminals and the attacks they launch on financial sector and its users come with different faces. There are organised criminals who are looking to attack the financial institutions, with a view to siphon away funds, illegally.

Then there are those who steal confidential data from financial institutions which may also include customer related information. The latter are more interested in ex-filtration of data, though no loss happens immediately.

These stolen data then land in the hands of cyber or other criminals, who defraud the banks directly or by enticing the customers to share more information such as passwords and pins where after actual loss takes place, said Gandhi.

"Yet another vicious cyber-attack, which we really tread is what is categorised as cyber warfare; this is expected to be of organized attacks, sometimes by backing of large terrorist organizations and often with covert state sponsorship, made against enemy country information assets," Gandhi concluded.

The strategy to build preventive and detective defences depends on the specific link in the asset that one is trying to protect.

The ecosystem for financial transaction not only includes banks and their customers, but also network service providers, IT infrastructure providers, providers of managed services such as data centres, software developers, providers of security solutions and providers of the end-point device which is used for accessing the financial service, including the ATMs which may or may not be bank-owned / managed devices.