In a recent development, the Reserve Bank of India (RBI) has issued a heightened alert to several banks, urging them to fortify their cybersecurity defenses against potential cyber attacks. This warning comes in the wake of the latest round of Cyber Security and Information Technology Examination (CSITE) conducted by the central bank.
The CSITE, an integral part of RBI’s vigilance efforts, delves deep into various aspects of banks’ IT systems, evaluating disaster management readiness, internet and mobile banking platforms, and fraud detection efficiency. Following the inspection, the RBI has provided detailed action points to address identified deficiencies.
A notable aspect of the CSITE is its independence from the regular annual risk assessment inspection conducted by the RBI. This focused review on cybersecurity frameworks began a few years ago as part of the central bank’s intensified surveillance.
Bankers familiar with the matter confirmed the RBI’s proactive stance, stating, ‘The RBI conducts a separate inspection to identify deficiencies in the cyber security capabilities of banks. This time, they met us and have given a list of action points where deficiencies need to be addressed.’
Despite attempts to reach the RBI for comment on the inspection findings and current assessment, no response has been received as of now.
RBI’s Deputy Governor T Rabi Sankar, during the Conference in Mumbai on February 9, emphasized the need for the banking sector to brace for new cybersecurity risks. He highlighted the necessity to balance customer convenience with stringent security measures.
Sankar pointed out the looming challenges related to artificial intelligence abuse, suggesting that banks might need to rebuild their encrypted systems to effectively mitigate such risks. ‘We also need to understand the problems with AI. And the ability to crunch huge data in a short time, you would have to completely rebuild your encrypted system,’ he stated.
This recent caution from the RBI follows a series of cyber security breaches in the banking sector over the past few years. Government data revealed that between June 2018 and March 2022, India’s banks reported 248 successful data breaches, primarily involving leaks of card details and theft of business and non-business information.
The breakdown of these breaches shows that 41 were reported by public sector banks, 205 by private banks, and two by foreign banks. In light of these incidents, the RBI has directed banks to reinforce their IT risk governance framework, stressing the active role of their chief information security officers and the involvement of the Board and IT committee in ensuring compliance with required standards.
Last year, UCO Bank based in Kolkata faced an issue where an erroneous credit of Rs 820 crore was made to account holders through Immediate Payment Service (IMPS). Following technical glitches, certain transactions initiated by holders of other banks resulted in erroneous credits to UCO Bank account holders. The bank managed to recover Rs 649 crore out of the Rs 820 crore, indicating the severity and complexity of such cybersecurity challenges.
To combat these risks, the RBI has put forth a dedicated Cyber Security Framework for Scheduled Commercial Banks. This framework mandates the implementation of robust cybersecurity and IT controls to prevent data leakage and enhance overall security measures within banks.
As digitization accelerates in the financial sector, both the Finance Ministry and RBI have been actively engaging with banks to sensitize them about cybersecurity vulnerabilities and the imperative of proactive measures.
The RBI’s recent alert serves as a reminder to banks to remain vigilant and take necessary steps to bolster their cybersecurity infrastructure, ensuring the safety and security of customers’ financial assets and sensitive information.
