In tune with its policy of preparing Urban Co-operative Banks (UCBs) to meet the challenges of extending banking through modern technology, the Reserve Bank of India issued a detailed communication dated 24th September 2020 titled ‘Technology vision for cybersecurity for urban co-operative banks’. It introduces the UCBs to the preparation needed for preventing, detecting, responding to, and recovering from cyber-attacks. Many urban areas like Tiruchirappalli, Tamil Nadu, Unnao, Uttar Pradesh, or Dindigul, Tamil Nadu have become big urban centers, and UCBs are expected to offer the best banking services, competing even with the State Bank of India. This commercial aspect also attracts enemies living abroad to plan cyberattacks to wreck normal life in cities that used to be peaceful. A copy of the RBI communication is appended below:
Let us look at what it says and how it addresses security against cyber-attacks. It bases its instructions on the risk exposure of the UCBs in terms of the prodigious digital services offered by them.
It has left its earlier “one size fits all” motto in favour of the exact requirements of each UCB. The purpose is to ensure that the UCBs with high IT penetration and offering all payment services would be brought on par with other banks having mature cybersecurity infrastructure and practices. Most of the banks sitting on a lane may attract customers, most of whom walk in with the option to use the best bank for meeting their commercial requirements.
For clear reasons, one can comprehend its decision to have the Board of each UCB use its powers to itemize the bank's cybersecurity requirements and ensure implementation, monitoring, compliance, and response to the end-user at the branch level. The IT/IS Governance Framework would also include appointing a Chief Information Security Officer (CISO) to monitor the whole process throughout the year. With massive criminal elements springing up everywhere, even an Automated Teller Machine with its myriad features has become a security issue at every center, including the removal of the entire machinery at any point of time, round the clock. Not a day passes when some criminal element does not remove the machinery itself at its convenience.
The leadership of the CISO is expected to be used for setting up various committees, such as the IT Strategy Committee, IT Steering Committee, etc., for UCBs with higher digital depth. The main purpose is to have a clear cybersecurity arrangement with smooth operations.
Let me mention the vision for cybersecurity for UCBs as visualized by RBI.
‘Vision for Cyber Security’ for UCBs – 2023
“Enhancing the cybersecurity posture of the Urban Co-operative banking sector against evolving IT and cyber threat environment through a five-pillared strategic approach GUARD, viz., Governance Oversight, Utile Technology Investment, Appropriate Regulation and Supervision, Robust Collaboration and Developing necessary IT, cybersecurity skills set.”
Now that the vision has been clearly spelled out, what will be the action points as visualized by RBI?
Focus on Board Oversight over Cybersecurity IT Vision document.
The mission statement also incorporated the following action points for translating the visualization to real actions.
1. RBI has already advised in the “Comprehensive Cyber Security Framework for UCBs” that the Board of Directors shall play the most important role in effective IT (Information Technology) and IS (Information Security) governance in UCBs. RBI has decided that matters related to cybersecurity need to be part of the discussion in Board meetings, and that instructions will be issued to banks to include the review of cybersecurity posture, along with specific indicators, as part of the calendar of reviews to be submitted to the Board of Directors during its meetings.
2. It is also understood that RBI would monitor the role of the BOD regularly, which is now much easier with the implementation of the most up-to-date computer systems and the usage of the latest MIS for Board oversight.
3. Vision statement to be developed by each UCB at its pace: RBI’s instructions to UCBs are reproduced for better understanding, since they set the goals on a time scale:
“Today, almost every UCB is at some stage of technology adoption including expanding their footprint on digital delivery channels: Core banking solution (CBS), or digital delivery channels such as internet banking, mobile banking, and ATMs. UCBs could play a crucial role in furthering financial inclusion. Technology is increasingly becoming the key business driver for the banking sector including UCBs to deliver their services to its customers. Therefore, UCBs need to develop their own technology vision document outlining their plans to incorporate IT solutions into their business in a secure manner. This vision document shall provide guidelines that can be used by the banks to design, develop, and implement IT operations not only as an organizational capability but as a strategic asset. The vision document should compulsorily have timelines for achieving the desired results. The banks should put in place a mechanism to review the vision document on a periodic basis to reflect the changes as mandated by the regulator from time to time.”
4. Creation of reserve/fund for implementation of IT/cybersecurity projects: Since IT projects would involve huge resources, RBI has advised UCBs to consider creating a reserve/fund earmarked for implementing IT/cybersecurity projects, with the reserve to be created out of annual net profits over a period of time. They have been instructed that, to start with, an approach paper could be brought out by NAFCUB and the Federations of UCBs in Phase I, and the creation of funds would be carried out in Phase II.
5. Management of Business IT Assets: The UCBs should properly monitor the lifecycle of their IT assets, both hardware and software, to avoid the risk of operating obsolete hardware/software. Therefore, UCBs have been advised to invest in and upgrade their IT inventory, with supporting IT infrastructure and facilities, to ensure that IT infrastructure will not be exposed to risk due to obsolete hardware/software. Furthermore, a comprehensive process for Software License Management (SLM) should be implemented by the UCBs. It is expected that the review and appraisal of IT assets (criticality, privilege access, password policy, etc.) would be conducted by UCBs at least on a yearly basis.
6. Banking services availability: To prevent UCBs from becoming non-functional for whatever technical reasons, they have been advised by RBI to have a Business Continuity Plan (BCP) for all processes, covering aspects not limited to the availability of backup systems, and to ensure that it is well-communicated, well-rehearsed and reviewed periodically. It is expected that the focus would be on prioritizing systems and processes in terms of their importance for keeping the business operating smoothly and safely.
7. Supervisory reporting framework: RBI has decided to set up effective offsite supervision of UCBs to monitor implementation of cybersecurity guidelines as well as to have an overall and up-to-date understanding of the cybersecurity posture of the UCB sector. Obviously, suitable digital regulatory reporting will also be developed by RBI immediately along with the implementation of cybersecurity regulations by UCBs.
8. How to give appropriate guidance in implementing secure practices? As per my expectation, RBI has informed us that a uniform ‘Cyber Security Hygiene’ document for all the cooperative banks shall be issued. This document shall essentially cover various best practices seen across the supervised entities in different areas, including privilege access management, network segmentation, secure configuration, and security incident and event management, and could be used by UCBs as a reference document for implementing applicable controls. This will vastly help the UCBs to update their technical skills on a uniform scale among themselves.
It is visualized that the uniform up-gradation of cybersecurity systems among all UCBs will invariably result in the formation of a forum at the state level to act as a platform for UCBs in benchmarking their practices with peers, sharing threat intelligence, and exploring their strengths and weaknesses in combating cyber threats. The forum will meet at least on a half-yearly basis, to start with, to share best practices and discuss practical issues and challenges in the adoption and implementation of controls.
Training of various personnel of UCBs in the latest hardware and software skills needed to implement cybersecurity systems, by involving various institutes or banking institutions, is expected to take place along with the implementation of the above scheme. RBI would also develop certification programs for Directors of the Board, senior management, and employees of UCBs.
Who would have imagined that UCBs mostly struggling with less technology, and political interference at state levels will be advised by RBI to look at the arena of cybersecurity systems, implement them and use them to offer world-class service to the common man? This has been necessitated by the development of other institutions that have outgrown the performance of UCBs. Time will test their performance along with impending competition. The overall horizon looks promising and excellent services will be provided to the common man to retain his investment. Other stakeholders would also invariably involve themselves with the multi-fold involvement of technology in satiating their expectations.
Disclaimer: Being associated with commercial banks for over 5 decades, it is but natural that I am happy to collect the latest developments in the technological up-gradation of Urban Cooperative Banks to merge with the evolving competitive banking scene. All the views expressed by me are mine. Neither taxguru.in nor RBI is responsible for my views. Any serious-minded person must look at various communications of RBI on its website and also contact it for guidance.