Reserve Bank of India (RBI) publicised mandatory cyber security policies for Urban Cooperative Banks on December 31, 2019. In accordance with the announcement, UCBs are directed to implement the below cyber security measures to ensure safe and secured banking.
- Conduct periodic security assessment of public-facing websites/applications
- Strengthen the cyber security incident reporting mechanism
- Set up Security Operations Centre (SOC)
- Implement bank-specific email domain
Level 1 - Bank Specific Domain
The central bank has recommended four levels of criteria to secure the banking transactions of Urban Cooperative Banks. All UCBs should implement level 1 security controls. It includes bank-specific email domain with DMARC controls (ABC Bank with mail domain abc.in) and two-factor authentication. The second factor should not be either a static password or associated with PC used for payment transactions.
RBI mandates UCBs to conduct a security review of computing systems used for accessing internet banking applications of Scheduled Commercial Banks, Core Banking Systems and network perimeter through a qualified information security auditor.
The central bank insists to have a robust password management policy for sensitive activities and it recommends UCBs to educate the employees on preventive measures of phishing attacks.
Level 2 - Additional Cyber Security Controls
UCBs which are sub members of Centralised Payment Systems and offers either internet banking facility or mobile banking facility through applications should deploy level 2 security measures. It prescribes to include data loss prevention strategy, anti-phishing and VAPT of critical applications.
RBI expects UCBs to maintain a centralized and up-to-date inventory of authorized devices connected to the network. With properly configured firewalls, proxies, DMZ (De-militarized Zone) perimeter networks and network-based IPS & IDS, boundary defences should be configured with multi-layered security controls.
Level 3 - Real-Time Threat Defence
Level 3 Urban Cooperative Banks are insisted to include advanced real-time threat defence & management and risk-based transaction monitoring. UCBs under level 3 should have at least one of the following criteria – direct members of CPS, having their own ATM Switch and SWIFT interface, hosting data center or providing software support to other banks on their own or through their own subsidiaries.
The banks are advised to implement a centralized authentication and authorization system through an Identity and Access Management Solution to access and administer critical applications, operating systems, databases, network and security devices.
Level 4 - Cyber Security Operations Center (C-SOC)
UCBs are mandated to set up a Cyber Security Operations Center which is generally called as SOC to ensure continuous surveillance of security events and to keep itself updated regularly on the latest threat intelligence. The SOC should have the ability to protect critical business and customer data from emerging cyber threats.
The SOC should be equipped with real-time or near-real-time information on the security posture of the UCB. The Security Information and Event Management System (SIEM) of the SOC should be integrated with various log types and log options.
These Cyber Security Guidelines for Urban Cooperative Banks enables the technology vision of RBI and can help the UCBs to tide over the upsurging cyber threats.