RBI: Banks Must Report Breach Incidents Within 6 Hours
Security Experts Discuss Challenges Involved in Meeting New Requirement
The Reserve Bank of India has mandated that all banks must report all unusual cyber incidents within two to six hours of discovery to enable issuing suitable cautionary advisories to other banks.
RBI also has urged banks to have a CISO with a clearly defined role and to expedite breach detection and response.
"The RBI has mandated that all unusual cyber-incidents must be reported within 2 to 6 hours," says S.S. Mundra, RBI's deputy governor, who's also chairman of the task force providing direction and guidance to banks on cybersecurity. "We observe that banks take much longer. Once reported, the results of root cause analysis and findings of forensic audit must be shared promptly. You'd appreciate that timely reporting of cyber incidents is very crucial to issue cautionary advisories to other banks."
RBI has also warned banks that any delay in reporting and flagging loan fraud could result in banks and bankers being charged with abetting the criminal offense.
Security experts, however, say it's difficult for banks to report or respond to incidents within RBI's suggested time frame because the institutions have a shortage of resources and staff with the necessary skills.
"Banks don't have the required infrastructure and controls to report cyber breaches: It requires sophisticated network security mechanisms to respond quickly," says Sriram Natarajan, former chief risk officer at Quattro, a business process outsourcing organization, and a consultant on retail banking. It's also difficult for most banks to even detect an incident, he says.
RBI has also created a specialized cell, C-SITE, within its supervision department to conduct detailed examinations of banks' cybersecurity preparedness, identify gaps and monitor progress of remedial measures.
RBI took the action as a result of the recent increase in high-profile cyber incidents and the theft of personal information, as well as attacks on ATMs and distributed denial-of-service attacks on various banks in this region, Mundra says.
"While the Bangladesh Bank incident, which rattled banks/central banks, forced us to look more closely at cybersecurity risks, the attempt to defraud another bank by abusing the SWIFT messaging system (which thankfully could be salvaged post-event without any apparent monetary loss), has prompted us to issue guidelines on reporting breach incidents," he says.
RBI hopes banks will be more vigilant in detecting cyber incidents - whether ransomware attacks, ATM/debit card incidents or unauthorized access to bank servers.
Some experts believe many banks are reluctant to report data breaches primarily because they fear it may impact their business opportunities.
Ashok K. Agarwal, head of IT audit at DCB Bank, says banks fear breach reports will hurt their reputations. But he acknowledges that many banks are unable to detect breaches early due to lack of properly trained staff. "The key reason is that banks manage cybersecurity in bits and pieces, not as a holistic strategy," Agarwal says.
Mundra says that cyber incidents result from failure of internal controls, non-adherence to key cybersecurity guidelines and reliance on disparate systems. Banks "must establish a mitigation plan to identify fraud risk, event reporting, control, allocation and mitigation framework," he says.
The CISO's Evolving Role
The RBI also has said that appointing CISOs is a must and clearly defining their role is crucial. "They must be sufficiently senior in hierarchy, understand technology well, appreciate security aspects of all technologies adopted by the bank ... responsive and sufficiently enabled to stall launch of unsecure products, whenever necessary," Mundra says.
DCB's Agarwal says that CISOs must develop expertise in risk management to enable mapping business risks and create a risk mitigation plan.
Dr. A.S. Ramasastri, director of the Institute for Development and Research in Banking Technology, says current efforts are insufficient to tackle the new threats; hence, the CISO office must be empowered to find new ways to handle them.
"One way is to take a risk-based approach by understanding and mapping organization risks and working out a cyber defense strategy to mitigate these and improve reporting capabilities," Ramasastri says.
Additionally, CISOs must have more autonomy to protect information assets and provide information assurance without being treated as a subset of IT, he says.
Natarajan says Indian banks must follow international norms, including those from the International Organization of Securities Commissions, the Financial Crimes Enforcement Network and the Financial Action Task Force.
Ramasastri believes banks need to establish a security governance structure with the right ownership, which can provide assurance to the organization on handling data breaches.
RBI is also requiring banks to establish a mechanism to respond to breaches.
Mundra says there should not be any delay by bankers in red flagging an exposure or cyber incident. "Banks and bankers could be charged for abetting the offense and failing to make adequate effort to detect/report fraud," he says.
Natarajan says establishing a breach response mechanism is a complex task. "I'd recommend banks to deploy stringent security built-in controls along with blockchain distributed ledger technology to prevent future threats," he says.
"Bringing in a culture of eternal vigilance, strong internal control and compliance is most critical for effective fraud management and breach prevention," Mundra says.
RBI says monitoring is paramount for incident response. Steps to take, RBI says, include: checking whether a port opened for a specific purpose was closed in time, carefully analyzing logs, monitoring how incidents are responded to and checking whether the security operations center is integrated with inputs from various systems.
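The first of those checks, whether a port opened for a specific purpose was closed in time, is the kind of control a SOC can verify mechanically from change logs rather than by manual review. The script below is an added example written for this page; it is not code from RBI, the article or any bank. It assumes a hypothetical firewall change log in which each line records an OPEN or CLOSE action with a port, a change ticket and, for opens, an approved lifetime in minutes; the log format, field names and sample entries are all constructed for illustration. It flags three conditions: a close that came after the approved deadline, a port still open past its deadline at audit time, and a close for which no open was ever recorded (a change made outside the ticketed process).

```python
"""Audit time-boxed firewall port openings against their approved window.

Added example, not from the article or RBI's guidance. The log format below
is hypothetical: each line is
    <ISO-8601 UTC timestamp> <OPEN|CLOSE> port=<n> ticket=<id> [expires=<minutes>]
"""
from datetime import datetime, timedelta

# Constructed sample log for illustration; not real data.
SAMPLE_LOG = """\
2016-11-01T09:00:00Z OPEN port=8443 ticket=CHG-101 expires=60
2016-11-01T09:45:00Z CLOSE port=8443 ticket=CHG-101
2016-11-01T10:00:00Z OPEN port=3389 ticket=CHG-102 expires=30
2016-11-01T11:15:00Z CLOSE port=3389 ticket=CHG-102
2016-11-01T12:00:00Z OPEN port=22 ticket=CHG-103 expires=120
2016-11-01T13:00:00Z CLOSE port=445 ticket=CHG-999
"""


def parse_ts(text):
    """Parse the log's UTC timestamp format into a naive datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Split one log line into (timestamp, action, {field: value})."""
    ts_str, action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return parse_ts(ts_str), action, kv


def audit_port_windows(log_text, now):
    """Return findings for opens closed late, never closed, or closed without an open.

    `now` is the audit time used to judge ports that are still open.
    Findings are dicts with at least 'ticket', 'port' and 'status'.
    """
    open_windows = {}  # ticket -> (open_ts, port, deadline)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, action, kv = parse_line(line)
        ticket = kv["ticket"]
        if action == "OPEN":
            deadline = ts + timedelta(minutes=int(kv["expires"]))
            open_windows[ticket] = (ts, kv["port"], deadline)
        elif action == "CLOSE":
            opened = open_windows.pop(ticket, None)
            if opened is None:
                # Closed a port the ticketed process never recorded opening.
                findings.append({"ticket": ticket, "port": kv["port"],
                                 "status": "close_without_open"})
                continue
            _open_ts, port, deadline = opened
            if ts > deadline:
                late_by = int((ts - deadline).total_seconds() // 60)
                findings.append({"ticket": ticket, "port": port,
                                 "status": "closed_late", "minutes_late": late_by})
    # Anything still open past its deadline at audit time is live exposure.
    for ticket, (_open_ts, port, deadline) in open_windows.items():
        if now > deadline:
            overdue = int((now - deadline).total_seconds() // 60)
            findings.append({"ticket": ticket, "port": port,
                             "status": "still_open", "minutes_overdue": overdue})
    return findings


if __name__ == "__main__":
    for finding in audit_port_windows(SAMPLE_LOG, parse_ts("2016-11-01T15:00:00Z")):
        print(finding)
```

Run against the sample at 15:00, it reports CHG-102 closed 45 minutes late, CHG-999 closed with no recorded open, and CHG-103 still open 60 minutes past its window; run at 13:00 the CHG-103 window has not yet expired and only the first two appear. The same correlation, fed from a real change-management system and firewall audit trail, is one concrete input a SOC can wire into the integrated monitoring RBI describes.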