RBI IT Guidance: The Impact

Challenges and Benefits of Compliance for Indian Banks
RBI IT Guidance: The Impact
The Reserve Bank of India's Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds are aggressive and pushing banks to be better prepared for dealing with the threat landscape that continues to evolve and gain sophistication.

The guidance is largely driven by the need for mitigating cyber threats and challenges emerging from the growing usage of mobility, wireless networks and new service delivery models within the financial sector. The goal is to help banks combat issues concerning data leakage, lack of customer and employee awareness, malware attacks, loss of information controls and cyber fraud activities targeting online banking.

Essentially, as financial institutions are transitioning from a controlled environment to an unbounded network - where data is largely in the hands of end-users, clients, business partners and vendors - Indian banks need to be concerned about effective IT risk, access controls, authentication and incident response strategies.

"The biggest change these guidelines are bringing is in making information security a board level issue for all banks," says Kamlesh Bajaj, CEO of Data Security Council of India, a not-for profit organization that focused in developing security and privacy standards.

RBI's Recommendations are made in nine broad areas, including IT governance, audit, cyber fraud, IT operations, security outsourcing, information security, business continuity planning, customer education and legal issues. (Please view RBI's Guidelines: An Overview for more details.)

"It would be very difficult to make direct comparisons with guidelines established in other countries," says Vishal Salvi, chief information security officer at HDFC bank, a $52 billion private banking institution. However, the RBI guidelines are comprehensive and have incorporated input from best practices as well as existing International standards and frameworks.

This guidance is expected to improve how information security is practiced within the Indian banking industry, Salvi says. "What these guidelines are going to do is underline the CISO role across this whole ecosystem of the banking industry," Salvi adds.

Banks have one year to be fully in compliance with the new RBI guidelines, issued this past April. And experts find unique challenges and benefits in meeting this deadline.

Challenges for Banks and CISOs

Among the tasks that now face Indian banks:

  • Implementing Specific Technologies: RBI has specified implementing of technologies such as network access control and two-factor authentication. Implementing these on a large scale across the bank's operation will be a huge challenge, says Kanwal Mookhey, a principal consultant at Network Intelligence, as well the founder of the Institute of Information Security. "It's the scaling that will be an issue for financial institutions."

    Also, enterprise wide risk assessments, digital rights management initiatives and new identity access and management solutions are areas that might require more time for organizations to implement, depending on their level of compliance, Salvi says.

  • Initiating Customer and Employee Awareness Programs: As electronic channels such as ATM, Internet and mobile banking become increasingly prevalent, banking customers are becoming targets of fraud, including phishing, keylogging, spyware and malware. So one of the key aspects of the guidance and the IT governance process for CISOs is to establish an effective customer awareness program that will help reduce these threats. This is a huge challenge, says Sameer Ratolikar, chief information security officer at Bank of India. In the past, banks have not been actively involved in taking up such initiatives and currently do not have resources in place to reach out to a growing customer base.

    "This is a new learning ground for us," he says. "We have to understand what constitutes an effective awareness program and learn how to measure success and address the needs of our customers."

  • Transitioning into a Strategic CISO Role: Today, as information security takes on a broader meaning for CISOs, they find it hard to structure their roles at a strategic level and translate security needs to ensure that security has become all-encompassing and a priority for business leaders. "Addressing information security as a business issue and getting that message across to those who make the final decisions is tough," Ratolikar says. Also, most security leaders in India are still involved largely in handling technical operations. "The biggest challenge for a CISO is in changing their thought process and role to drive independent assessment of security and risk for both IT and business," Bajaj says.

  • Hiring Qualified Resources: is a big time challenge for banks, adds Mookhey. There is a huge demand for specialized security professionals to implement these best practices in areas of risk assessment, cyber awareness, forensics, incident response and penetration testing among, while the supply of qualified practitioners is limited at this point.

    Both Salvi and Ratolikar are largely looking for full-time employees to fill these open positions and are partnering with certification and training organizations and establishing sub-committees as a means to reach out to potential candidates.

Benefits for Banks:

Undoubtedly, one of the major benefits of the guidelines is the greater visibility and independence given to the CISO position at banks. RBI's best practices mandate the CISO to directly report to either the head of risk or the executive director to gain more independence in executing their roles and responsibilities effectively. As a result, they now have direct access to the board and are part of the strategic decision making at banks.

"This has increased my scope of operations and broadened the spectrum of what a CISO should look at from an information security perspective," Salvi says.

In the past, guidelines touched upon one or two specific areas within information security, i.e. mobile applications or authentication structure. However, the new principles provide a holistic approach in managing enterprise risk that covers all aspects of information security and clearly lays out what is the expected role of a CISO in spearheading these initiatives.

There are specifications on authentication, customer awareness, application security and the emerging area of consumerization, which has never been addressed in the past, Ratolikar says.

"For the first time, the entire scope of information security and its leadership role has received visibility and attention from a banking regulator," Ratolikar says.

To meet compliance, CISOs are directly working in collaboration with experts in legal, risk, audit, operations, and fraud in addition to IT to secure information and systems.

"I am looking into all touch points for managing risk," Salvi says. These guidelines have acted in aiding sponsorship for implementing security initiatives throughout the organization, which otherwise would have taken a long time, he says. At present, there are no penalties specified by the RBI for non-compliance by banks, but industry experts anticipate further direction from the regulatory authority next year to address this issue.

"RBI's guidelines are not negotiable," Mookhey says. "Banks and leaders cannot afford to pick and choose, they have to implement everything, so prioritizing and creating a road map will be a key factor for success."

About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.in, you agree to our use of cookies.