Cyber Security Framework For Banks In India By RBI

Cyber security of banks in India is not up to the mark. Whether it is phishing, cyber attacks, malware infection or any other cyber contravention, banks in India are not interested in bringing and establishing a cyber security environment. Even the Reserve Bank of India (RBI) is trying to deal with contemporary cyber security issues pertaining to banks and financial institutions. RBI has in the past declared that it would establish an IT subsidiary dedicated to cyber security issues and matters. However, RBI needs to take a stringent approach towards non-compliance with cyber security related guidelines and rules by banks in India. Banks in India have been given almost 5 years to ensure cyber security for their operations, but there is little development on the part of banks in this regard.

For instance, RBI has been streamlining the financial and banking sector of India. It constituted the RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Working Group). The Working Group issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (pdf) to be followed by banks of India. The guidelines have also directed that all banks would have to create a position of Chief Information Officer (CIO) as well as Steering Committees on Information Security at the board level at the earliest.

Although the direction to have CIOs and Steering Committees is very clear, banks in India have so far failed to comply with it. RBI said that the banks need to ensure implementation of a basic IT organisational framework and put in place policies and procedures which do not require extensive budgetary support, infrastructural or technology changes, by October 31, 2011. The rest of the guidelines need to be implemented within a period of one year unless a longer time-frame is indicated. Even almost five years after these guidelines, banks are still lagging far behind as far as compliance with them is concerned.

Perry4Law Organisation (P4LO) suggested in the year 2011 that banks in India need to formulate a cyber security policy as soon as possible. Cyber security policy is an issue that is very important for banks of India. With the growing use of Internet banking, ATMs, credit and debit cards, mobile banking, etc., banks of India must also upgrade their cyber security infrastructure and establish a cyber security policy. This is all the more so when the Indian government is pushing Digital India and mobile governance in India.

P4LO also recommended that banks and financial institutions must regularly engage in forensic audits and incident response. Presently, banks and financial institutions engage in these “essential exercises” only when something fraudulent or wrong has already taken place. If banks and financial institutions conduct regular cyber law due diligence (pdf), then incidents like the Citibank fraud case could be minimised.

RBI has accepted many of the suggestions of P4LO and these suggestions have been incorporated into the cyber security framework for Indian banks (pdf) as prescribed by RBI. A notification (pdf) has been issued by RBI in this regard and now the cyber security obligations of banks in India have significantly increased. This is in addition to the cyber law and cyber security obligations of directors of Indian companies as prescribed under the Indian Companies Act, 2013 (pdf). A dominant majority of directors in banking and non-banking companies in India are ignoring the cyber security obligations as prescribed by the Information Technology Act, 2000, Indian Companies Act, 2013, etc.

RBI has also directed that banks must immediately formulate a techno legal cyber security policy that must have the support and guidance of the top management. P4LO welcomes this initiative of RBI, but there is a problem associated with cyber security of banks in India. Banks are not serious in ensuring cyber security for their businesses and RBI is also not inclined to punish the defaulting banks. Until there is a mandatory reporting system that RBI actually implements, the proposed cyber security policy would be just a paper document. RBI has to take the lead in ensuring cyber security for banks in India and if it finds any lacuna or inadequacy in the cyber security initiatives of Indian banks, the same must be taken very seriously by RBI.

RBI has given a deadline of September 30, 2016 to the Indian banks to implement a techno legal cyber security policy. Let us hope that RBI would not be lenient and indifferent in this regard this time.

