Cyber Security Due Diligence For Banks In India

The Reserve Bank of India (RBI) recently constituted the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Working Group). The Working Group submitted its report, on which public inputs were invited. After analysing the public inputs, the RBI has recently released and notified the final draft.

This “notification” sets a specific timeline for implementing the final recommendations of the Working Group. Not all of these recommendations are mandatory, but some are, and banks in India must comply with them by October 31, 2011. These mandatory recommendations pertain to policies and procedures that do not require extensive investment.

RBI has also directed that all banks must create the position of chief information officer (CIO), as well as board-level steering committees on information security, at the earliest. This direction was given through the information technology vision document for 2011-17 (IT Vision 2011-17) and the recent notification of the draft report.

The October 31, 2011 deadline may therefore cover the setting up of the ICT strategy steering committee, the cyber risk management committee and the ICT steering committee, as well as the designation of CIOs. The notification also provides for a quarterly review process, and the first calendar quarter after the issue of the guideline ends on 30th June 2011.

The board of directors must comply with the recommendations of the Working Group before the quarterly report is analysed by RBI. The constitution of the steering committees and the appointment of CIOs must be put on record so that RBI can review them.

RBI has also been taking non-compliance with its recommendations seriously. Recently, RBI imposed penalties on 19 commercial banks for non-compliance with prescribed standards. The same seriousness is required regarding the recommendations issued by RBI for ensuring the cyber security infrastructure of Indian banks.

Further, RBI has also directed banks to seek information from their directors on any adverse strictures passed against them by financial sector regulators. This means that if directors of banks are negligent in meeting due diligence requirements, statutory obligations, cyber law and cyber security requirements, etc., and any stricture is passed against them in this regard, it would have to be reported. Non-compliance with the recommendations of the Working Group may result in such strictures being passed against the directors. It is in their own interest to comply with the recommendations of RBI as soon as possible.

Perry4Law and Perry4Law Techno Legal Base (PTLB) have been analysing these issues for a long time and have been providing their suggestions in this regard. We believe that RBI must play a more proactive role in analysing whether its policies and recommendations are duly complied with. It seems the recommendations of the Working Group constituted by RBI have still not been implemented. A “Progress Report” must be sought by RBI from the banks of India in this regard as soon as possible.

Further, banks and financial institutions that are interested in complying with the cyber due diligence requirements under the cyber law of India, under the recommendations of RBI and the Working Group, or in any other case, may contact us in this regard. In any case, banks must take the recommendations of RBI very seriously, in the larger interest of banks in general and their customers in particular.

Source: ICTPS Blog.