This is as per the RBI oversight framework (please refer to Annexure A).
Annexure A
(ii) With the continuous increase in the number, frequency and impact of cyber incidents / attacks in the recent past,
and the urgent need to enhance the resilience of the banking system by improving the current defences in
addressing cyber risks, the RBI issued detailed guidelines in June 2016 advising banks to put in place an
adaptive Incident Response, Management and Recovery framework to deal with adverse incidents /
disruptions, if and when they occur. Banks were also advised to adhere to the following:
a. Board approved Cyber-security Policy – A Board approved cyber-security policy elucidating the
strategy containing an appropriate approach to combat cyber threats given the level of complexity of
business and acceptable levels of risk.
b. Distinct Cyber Security Policy – The Cyber Security Policy should be distinct and separate from the
broader IT policy / IS Security policy so that it can highlight the risks from cyber threats and the
measures to address / mitigate these risks.
c. Continuous Surveillance – In order to ensure continuous surveillance, banks have been advised to set
up and operationalise a Security Operations Centre (SOC) to monitor and manage cyber risks in real
time.
d. Secured IT architecture – The IT architecture should be designed in such a manner that the required
security measures can be in place, and remain in place, at all times.
e. An indicative, but not exhaustive, minimum baseline cyber security and resilience framework has been
provided for implementation by the banks.
f. Network and database security – Banks have been mandated to ensure that unauthorized access to
networks and databases is not allowed and wherever permitted, these are through well-defined
processes which are invariably followed.
g. Protection of customer information – Banks, as owners of such data, should take appropriate steps in
preserving the confidentiality, integrity and availability of the same, irrespective of whether the data
is stored / in transit within the bank, with customers or with third-party vendors.
h. Cyber Crisis Management Plan – A Cyber Crisis Management Plan (CCMP) should be formulated as part
of the overall Board approved strategy. The traditional BCP/DR arrangements may be reviewed to
ensure coverage of cyber risks. The CCMP should address the following four aspects: (i) Detection, (ii)
Response, (iii) Recovery and (iv) Containment. Banks have also been advised to take necessary
preventive and corrective measures in addressing various types of cyber threats including, but not
limited to, denial of service, distributed denial of service (DDoS), ransomware / cryptoware,
destructive malware, business email frauds including spam, email phishing, spear phishing, whaling,
vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity
frauds, memory update frauds, password-related frauds, etc.
i. Cyber Security preparedness indicators – Banks should develop indicators for assessing the level of
cyber risk / preparedness as well as for assessing its adequacy and adherence to cyber resilience
framework.
j. Sharing of information on cyber security incidents with RBI – Banks are required to report all unusual cyber security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank.
k. Organisational arrangements – Banks should review the organisational arrangements so that the security
concerns are appreciated, receive adequate attention and get escalated to appropriate levels in the hierarchy
to enable quick action.
l. Cyber security awareness among stakeholders / Top Management / Board – Top Management and the Board
should also have a fair degree of awareness of the finer nuances of the threats, and appropriate familiarisation
sessions may be organised. Banks should also proactively promote, among their customers, vendors, service providers
and other relevant stakeholders, an understanding of the bank's cyber resilience objectives, and require and
ensure appropriate action to support their synchronised implementation and testing.