Cyber Security in Banks

Why cyber security is so important in the Banking sector considering the rapid digitisation?

The banking sector in India has rapidly grown over the past few years. The most pertinent aspect to note is that this sector is going to continually grow even in the future. On that note, as per an article titled, “Banking Sector in India” the total number of ATMs in India have increased to 2,10,263 and is further expected to increase to 4,07,000 by 2021. The aforementioned data is as recent as 31^st January, 2020.

Introduction

Cyber security when explained in brief is the process of keeping any system safe from unauthorised access, damage or attacks. With the increase in e-banking and the rapid growth of banking sectors as mentioned in the first paragraph, cyber security has become a focal point for all banking sectors.  The ever-growing banking sector reminds me of a popular quote, “with great power comes great responsibility.” The most important responsibility of a bank towards its customers would be assuring safety and security of their personal information thereby making cyber security important.

As established in Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (herein after referred to as rules, 2011) it is the duty of any body corporate to ensure that reasonable security practices are maintained. As mentioned in the explanation of section 43A the definition of body corporate includes an association of individuals engaged in commercial or professional activities, which makes banking sectors directly fall within the ambit of Section 43A and Rules, 2011. Banking sectors deal with financial information associated with a particular individual which falls within the category of sensitive personal data as defined in Rule-3 of the Rules, 2011. This increases the responsibility of such sectors to keep customer information safe and free from data breach. Section 43A also poses a civil liability on such body corporates in case of default.

Cyber Security measures to be taken by Banks

As per Rules, 2011 all body corporates must adhere to some measures to avoid data breach and loss whether monetary or informational. These measures as mentioned in Rule 8 from Rules, 2011 include:

1. Having a comprehensive documented information security programme.

The reason for having the same is to have a written flow of discharge of responsibilities- operational, managerial and technical to establish control even after a data breach. Further, such document can pose as base in case of breach where the bank would have to prove how their security control measures were implemented.

2. Abiding by the international Standard IS/ ISO/ IEC 27001.

This would ensure best practices that meet international standards are being followed.

3. By getting security practices approved and notified by the Central Government.

This point is again put to practice to set a level of security standards that should be positively maintained as per Government guidance.

4. The all the above points are implemented and regularly audited by an independent auditor, duly approved by the Central government then all the best practices for data protection are said to be met.

Further, banks have a certain cyber resilient framework to be met as mentioned in the RBI Guidelines on Comprehensive Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) published in public domain in December, 2019. This guideline has divided all UCBs into levels as per their digital depth and interconnectedness to the payment systems landscape. This guideline then provides a baseline for each level that must be met so as to ensure the customer’s data is secured.

The most common points of security that must be entailed into the bank’s framework, irrespective of its level, are:

1. Educate all employees about phishing emails.
2. Reporting mechanism to ensure that customers can instantly report unusual cyber security incidents.
3. LAN Segments within the banks and the ones in ATMs must be different to avoid access to a lot of networks at the same time in case of a hack.
4. Access Levels to be maintained to avoid low-level employees to have access to a lot of information.
5. Periodic vulnerability testing and penetration testing must be conducted. The period of such tests must be at least once in six months.

There is no punitive action mentioned in this document as the name itself suggests its merely a guideline. However, since the reasonable practices for data protection are mentioned in Section 43A of the IT Act as well, the repercussion of infringement of such practices would be that the body corporate would be liable to pay damages by way of compensation.

Relevance today

Cyber security in the banking sector is of utmost relevance today. During this pandemic social engineering attacks such as phishing, vishing, etc. have increased rapidly due to the sudden shift of all payments to remote online devices. Since people these days avoid point-to-point contact the exchange of physical cash has been cut down to a minimum and virtual transactions have taken up more than 90% of the total transactions. This shift demands an assurance to all the customers of a bank that the transactions that they conduct remotely or through the internet is a secure one. Thereby increasing the responsibilities of all the banks to ensure 24/7 security for all customer’s personally identifiable information, sensitive information and so on.

Conclusion

This article not only highlights the importance of cyber security in banking sectors but also the important measures all banks must have in place to ensure such security. These aspects are important to determine customer and bank liability in case of breach. Maintaining high security standards within banking sectors would only lead to increase and betterment of the Indian economy which thereby makes it a matter of utmost importance.