RBI IT Guidance: The Impact, Challenges and Benefits of Compliance for Indian Banks
The guidance is largely driven by the need for mitigating cyber threats and challenges emerging from the growing usage of mobility, wireless networks and new service delivery models within the financial sector. The goal is to help banks combat issues concerning data leakage, lack of customer and employee awareness, malware attacks, loss of information controls and cyber fraud activities targeting online banking.
Essentially, as financial institutions are transitioning from a controlled environment to an unbounded network - where data is largely in the hands of end-users, clients, business partners and vendors - Indian banks need to be concerned about effective IT risk, access controls, authentication and incident response strategies.
"The biggest change these guidelines are bringing is in making information security a board level issue for all banks," says Kamlesh Bajaj, CEO of the Data Security Council of India, a not-for-profit organization focused on developing security and privacy standards.
RBI's recommendations are made in nine broad areas, including IT governance, audit, cyber fraud, IT operations, security outsourcing, information security, business continuity planning, customer education and legal issues. (Please view RBI's Guidelines: An Overview for more details.)
"It would be very difficult to make direct comparisons with guidelines established in other countries," says Vishal Salvi, chief information security officer at HDFC Bank, a $52 billion private banking institution. However, the RBI guidelines are comprehensive and have incorporated input from best practices as well as existing international standards and frameworks, he says.
This guidance is expected to improve how information security is practiced within the Indian banking industry, Salvi says. "What these guidelines are going to do is underline the CISO role across this whole ecosystem of the banking industry," Salvi adds.
Banks have one year to be fully in compliance with the new RBI guidelines, issued this past April. And experts find unique challenges and benefits in meeting this deadline.
Challenges for Banks and CISOs
Among the tasks that now face Indian banks:
- Implementing Specific Technologies: RBI has specified implementing technologies such as network access control and two-factor authentication. Implementing these on a large scale across a bank's operations will be a huge challenge, says Kanwal Mookhey, a principal consultant at Network Intelligence, as well as the founder of the Institute of Information Security. "It's the scaling that will be an issue for financial institutions."
Also, enterprise-wide risk assessments, digital rights management initiatives and new identity and access management solutions are areas that might require more time for organizations to implement, depending on their current level of compliance, Salvi says.
- Initiating Customer and Employee Awareness Programs: As electronic channels such as ATM, Internet and mobile banking become increasingly prevalent, banking customers are becoming targets of fraud, including phishing, keylogging, spyware and malware. So one of the key aspects of the guidance and the IT governance process for CISOs is to establish an effective customer awareness program that will help reduce these threats. This is a huge challenge, says Sameer Ratolikar, chief information security officer at Bank of India. In the past, banks have not been actively involved in taking up such initiatives and currently do not have resources in place to reach out to a growing customer base.
"This is a new learning ground for us," he says. "We have to understand what constitutes an effective awareness program and learn how to measure success and address the needs of our customers."
- Transitioning into a Strategic CISO Role: Today, as information security takes on a broader meaning for CISOs, they find it hard to structure their roles at a strategic level and to translate security needs so that security becomes all-encompassing and a priority for business leaders. "Addressing information security as a business issue and getting that message across to those who make the final decisions is tough," Ratolikar says. Also, most security leaders in India are still involved largely in handling technical operations. "The biggest challenge for a CISO is in changing their thought process and role to drive independent assessment of security and risk for both IT and business," Bajaj says.
- Hiring Qualified Resources: Finding qualified staff is a major challenge for banks, adds Mookhey. There is a huge demand for specialized security professionals to implement these best practices in areas such as risk assessment, cyber awareness, forensics, incident response and penetration testing, while the supply of qualified practitioners is limited at this point.
Both Salvi and Ratolikar are largely looking for full-time employees to fill these open positions and are partnering with certification and training organizations and establishing sub-committees as a means to reach out to potential candidates.
Benefits for Banks
Undoubtedly, one of the major benefits of the guidelines is the greater visibility and independence given to the CISO position at banks. RBI's best practices mandate that the CISO report directly to either the head of risk or the executive director, giving CISOs more independence to execute their roles and responsibilities effectively. As a result, they now have direct access to the board and are part of strategic decision making at banks.
"This has increased my scope of operations and broadened the spectrum of what a CISO should look at from an information security perspective," Salvi says.
In the past, guidelines touched upon only one or two specific areas within information security, such as mobile applications or authentication structures. The new principles, however, provide a holistic approach to managing enterprise risk that covers all aspects of information security and clearly lay out the expected role of a CISO in spearheading these initiatives.
There are specifications on authentication, customer awareness, application security and the emerging area of consumerization, which has never been addressed in the past, Ratolikar says.
"For the first time, the entire scope of information security and its leadership role has received visibility and attention from a banking regulator," Ratolikar says.
To meet compliance, CISOs are directly working in collaboration with experts in legal, risk, audit, operations, and fraud in addition to IT to secure information and systems.
"I am looking into all touch points for managing risk," Salvi says. The guidelines have helped secure sponsorship for implementing security initiatives throughout the organization, which otherwise would have taken a long time, he says. At present, the RBI has specified no penalties for non-compliance by banks, but industry experts anticipate further direction from the regulator next year to address this issue.
"RBI's guidelines are not negotiable," Mookhey says. "Banks and leaders cannot afford to pick and choose, they have to implement everything, so prioritizing and creating a road map will be a key factor for success."