RBI's New Cybersecurity Committee: Will It Have an Impact?
Practitioners Offer Suggestions for Top Priorities
The Reserve Bank of India has formed a Standing Committee on Cyber Security in yet another effort to help strengthen data security in the sector. Security practitioners already are offering ideas for additions to the new group's agenda.
The formation of the 11-member, interdisciplinary committee is the result of recommendations from an expert panel on Cyber Security and Information Technology Examination chaired by Meena Hemchandra, RBI's executive director, last month.
The new committee will review threats inherent in existing and emerging technologies; study adoption of various security standards and protocols; interface with stakeholders; and suggest appropriate policy interventions to strengthen cybersecurity and resilience.
"While banks have taken several steps to strengthen their defenses, the diverse and ingenious nature of cyberattacks necessitates an ongoing review of the cybersecurity landscape and emerging threats," says Jose J. Kattoor, RBI's chief general manager.
Committee members are: Meena Hemchandra, executive director, RBI; Professor H. Krishnamurthy, principal research scientist, IISC; Dr. A.S. Ramasastri, director, IDRBT; Nandkumar Sarvade, CEO, ReBIT; Krishna Sastry Pendalaya, forensic scientist; R. Vittal Raj, founder and partner, M/s. Kumar & Raj, Chartered Accountants; Ashutosh Bahuguna, scientist-C, CERT-In; S. Ganesh Kumar, CGM-in-charge, RBI's Department of Information Technology; Nanda S. Dave, CGM, RBI's Department of Payment and Settlement Systems; R. Ravikumar, CGM, RBI's Department of Banking Supervision; and V. G. Sekar, GM, RBI's Department of Banking Supervision. RBI's Hemchandra will serve as chairperson.
Suggestions for Priorities
Security practitioners already are making suggestions for additions to the committee's agenda.
Sudeep Charles, product head, Asia Pacific and Japan, at Akamai, suggests that the committee should review the effectiveness of RBI's cybersecurity guidelines in light of recent breaches in the sector.
"Financial institutions need prescriptions regarding countermeasures against the latest threats; the committee should be able to guide banks to implement the guidelines uniformly across the board," Charles says.
He argues that the committee needs to gain input from CISOs and CIOs and also take into account data and recommendations from the National Critical Information Infrastructure Protection Centre.
Some practitioners argue that the standing committee must come up with a renewed cybersecurity program rather than just issue guidelines.
"The committee should lay down a new cybersecurity policy and create an independent agency with adequate powers to manage cybersecurity and enforce laws/guidelines not only with banks and FIs, but also among connected entities like merchants, government bodies, card networks and payment gateways," says risk management expert Sriram Natarajan, COO at Quatrro Processing Services.
Dinesh Bareja, president of Open Security Alliance, says the committee should establish an internal department at RBI that will exercise oversight on banks' compliance with security guidelines. "It will also be good to prescribe a maturity index of the security level at each bank to enable all banks to pull up their socks in ensuring cybersecurity and protecting customer data," he says.
Sivakumar Krishnan, former head of IT and IS at M Power Micro Finance, says the immediate priority should be to strengthen the security of the banking ecosystem by bringing in security standards while improving the efficiency of the payment and settlement system, which in recent times has witnessed several breaches and, in some cases, financial losses as well.
"Interacting with the stakeholders in understanding the various standards that have been adopted by the banks and assessing how continuous monitoring and evaluation of the processes are carried out by these institutions should be the primary focus," Krishnan says.
Can a Committee Get Things Done?
Some practitioners question whether it's realistic to expect the new committee to take quick, meaningful action that generates results.
Bareja, for example, contends that many other panels and committees have had little success in helping to improve cybersecurity among banks.
"One should not forget that members of the committee have highly demanding day jobs," he says. "The amount of time they can spend on committee discussions and deliberations is questionable, and evolving a practical approach to address cybersecurity concerns is a big task."
Natarajan says committee members must learn lessons from other nations, and that the committee must work with VISA, MasterCard and SWIFT to implement best security practices.
"The proposed committee should introduce a national-level alert mechanism and enable banks to access the same, which can help in monitoring and evaluating every threat emanating from every source," Natarajan notes.
Some security practitioners also suggest that the committee work on:
- Enhancing performance and security of online and mobile banking, particularly in the smaller cities where network connectivity challenges are substantial;
- Creating a working model to help banks evaluate security technologies and standards;
- Forming a realistic framework for collaborating with stakeholders.