RBI’s New Guidelines for UCBs to Give More Power to CISOs
In the wake of a rising number of cyberattacks in the recent past, the Reserve Bank of India (RBI) aims to bring the largest urban cooperative banks (UCBs) at par with other banks that run a full gamut of protection against online threats.
The apex bank has laid down a set of new cybersecurity guidelines for UCBs, keeping in mind the heterogeneity of the UCB sector in terms of size, regions, financial health, and digital depth. RBI said in its statement that a ‘one size fits all’ approach may not be suitable while prescribing cybersecurity guidelines for UCBs. More importantly, as per the mandate, the UCBs with higher digital depth will now have to appoint a Chief Information Security Officer (CISO).
In this context, CXOToday spoke to Brijesh Miglani, Security Consultant at Forcepoint, who believes it is a great step forward by RBI to strengthen the cybersecurity infrastructure of UCBs and will help enhance the security posture of UCBs in having mature cyber security practices against emerging cybersecurity threats.
RBI’s ‘Vision for Cyber Security’ for UCBs – 2023 includes a five-pillared strategic approach: governance oversight; utile technology investment; appropriate regulation and supervision; robust collaboration; and developing the necessary IT and cybersecurity skill set. Meanwhile, for the UCBs with higher digital depth, the IT/IS Governance Framework would include appointing a Chief Information Security Officer (CISO) and setting up various committees such as an IT Strategy Committee, an IT Steering Committee, etc.
Miglani believes the most significant part of the new Technology Vision document is the fact that UCBs will now have to appoint CISOs and that boards will become responsible for cybersecurity.
The Cyber Security Framework for UCBs talks about setting up a Cyber Security Operation Center (C-SOC). The SOC provides a setup in which multiple technologies support better incident management, predictive and behavior analysis, and automation to help banks detect attacks at an early stage. This will help protect UCBs from cybersecurity breaches, particularly given that UCBs hold a range of data related to personally identifiable information (PII) and the payment card industry (PCI).
Considering that implementation of the cybersecurity framework would be a cost-intensive process, the responsibility for implementation, monitoring, compliance, and response would have to be assigned at the Board level and percolate down to the end user, as per the RBI mandate.
“To address these real-world hacks and breaches, UCBs should adopt a behavior-based data protection approach that focuses on data and user behavior analytics. The risk-adaptive protection analyses human behavior to look for indicators of behaviors to identify risk. By focusing on individual users’ interaction with data, security teams can better understand, organize, manage and mitigate risk as it occurs,” added Miglani.
“The ultimate goal is to prevent the accidental or malicious use of organizations’ data, while combating threats from phishing attacks, compromised credentials and other potential vulnerabilities,” he summed up.