RBI lays down new tier-wise cybersecurity guidelines; says ‘one size fits all’ approach not suitable

The Reserve Bank of India today laid down a set of new cybersecurity guidelines for urban cooperative banks, in the wake of a rising number of cyberattacks in the recent past. RBI said that it has become essential to enhance the security posture of UCBs to prevent, detect, respond to, and recover from cyber-attacks. The central bank further said that considering the heterogeneity of the UCB sector in terms of size, regions, financial health, and digital depth, it was recognised that a ‘one size fits all’ approach may not be suitable while prescribing cybersecurity guidelines for UCBs.

New guidelines for UCBs

Based on risk exposure in terms of the digital services offered by the UCBs, a differentiated tier-wise approach will be followed while prescribing cybersecurity controls for UCBs. The Reserve banks said that the approach will ensure that the UCBs with high IT penetration and offering all payment services are brought at par with other banks having mature cybersecurity infrastructure and practices. The Board of the UCBs will have the responsibility to implement the cybersecurity controls.

Also Read: How new labour codes change path for companies; contract staffing, universal minimum wage, other benefits

However, the cost of enhanced security may also reach to the bank customers. Considering that implementation of the cybersecurity framework would be a cost-intensive process, the responsibility for implementation, monitoring, compliance, and the response would have to be assigned from the Board level and percolate down till the end-user, RBI added. 

RBI’s ‘Vision for Cyber Security’ for UCBs – 2023 includes a five-pillared strategic approach, which are Governance Oversight; Utile Technology Investment; Appropriate Regulation and Supervision; Robust Collaboration; and Developing necessary IT, cybersecurity skills set. Meanwhile, for the UCBs with higher digital depth, the IT/IS Governance Framework would include appointing a Chief Information Security Officer (CISO) and setting up various committees such as IT Strategy Committee, IT Steering Committee, etc.