30 July,New Delhi
Banks need to put in place preventive measures such as appropriate controls framework around the systems, reconciliation of transactions in on real / near real time basis, controls over the message creation and transmission, applying timely security patches to the interfaces, if any, close monitoring of transactions and disabling USB, and Internet access on the connected nodes, said R. Gandhi, Deputy Governor RBI at an ASSOCHAM event.
Equally important is the timely detective measures. It is pertinent to prepare ourselves to face such incidents, by having a robust crisis management plan. I am sure the banks are taking earnest steps to comply with the provisions of the circular as soon as possible, said Gandhi while inaugurating ‘9th annual summit on cyber and network security,’ organized by ASSOCHAM.
“Information dissemination is a key facilitator in combating the menace of cyber related incidents. While the Reserve Bank obtains information from banks on cyber incidents, including those which did not fructify into loss of money or information, such information is also shared amongst the banks along with suggestions aimed at best practices,” he added.
The Institute for Development and Research in Banking Technology (IDRBT) also has a system to collate such information and share the generic aspects amongst the CISOs of banks. All these, I am sure will help the banks in further enhancing their cyber security related capabilities, said RBI Deputy Governor.
“The banking sector similar to other sectors of the Indian economy has always been very responsive to change and has adapted itself very well to meet the challenges which keep emerging frequently. It has also proved that it cannot only adapt well but also quickly so that response times are fast to prevent recurrence of negative incidents. The same fervor, I am sure, will be witnessed in the area of cyber security as well and will leave a mark of confidence in the minds of the customers of banks.”
“The recent developments in banking as also payment and settlement systems have resulted in enhanced customer comfort and flexibility in terms of timing, location and choice of channels. These, however, also expose the customers as well as banks to risk of cyber-attacks. While the banks have better resilience in terms of risk mitigation structures and ability to absorb the losses and expenses, the customers may not be so privileged”, said Deputy Governor RBI.
Cyber criminals and the attacks they launch on financial sector and its users come with different faces. There are organized criminals who are looking to attack the financial institutions, with a view to siphon away funds, illegally.
Then there are those who steal confidential data from financial institutions which may also include customer related information. The latter are more interested in ex-filtration of data, though no loss happens immediately.
These stolen data then land in the hands of petty criminals, who defraud the banks directly or by enticing the customers to share more information such as passwords and pins where after actual loss takes place, said Gandhi.
“Yet another vicious cyber-attack, which we really tread is what is categorized as cyber warfare; this is expected to be of organized attacks, sometimes by backing of large terrorist organizations and often with covert state sponsorship, made against enemy country information assets.”
The strategy to build preventive and detective defences depends on the specific link in the asset that one is trying to protect. The ecosystem for financial transaction not only includes banks and their customers, but also network service providers, IT infrastructure providers, providers of managed services such as data centres, software developers, providers of security solutions and providers of the end-point device which is used for accessing the financial service, including the ATMs which may or may not be bank-owned / managed devices.
The Reserve Bank has recently issued on June 2, 2016 a comprehensive set of guidelines for Cyber Security framework in banks. These guidelines built over the earlier work emphasize the importance of having a focused attention to cyber threats and framework for mitigating the threats and to protect the information assets.
“I would like to redraw your attention to the recent cyber incident at one of our banks. Apparently there has been no monetary loss in the recent incident. But it is too early to conclude what and how of the incident at this juncture; however, the need for vigil over the sensitive systems like remittances is once again brought to the fore, with particular focus on configuration of the systems and the human aspects in managing the systems.”