RBI releases cybersecurity vision framework for UCBs

 A differentiated tier-wise approach will be followed while prescribing cyber security controls for UCBs. The tiers would be decided based on risk exposure in terms of the digital services offered by UCBs.

The Reserve Bank of India (RBI) on Thursday released a cybersecurity vision framework for urban cooperative banks (UCBs). Considering the heterogeneity of the UCB sector in terms of size, regions, financial health and digital depth, the central bank said a ‘one-size-fits-all’ approach may not be suitable while prescribing cyber security guidelines for UCBs. As a result, four guiding principles were taken into account while formulating the framework.

A differentiated tier-wise approach will be followed while prescribing cyber security controls for UCBs. The tiers would be decided based on risk exposure in terms of the digital services offered by UCBs. The approach will ensure that UCBs with high IT penetration and offering all payment services are brought at par with other banks having mature cyber security infrastructure and practices. The board of the UCBs shall be assigned the primary responsibility for implementing the cyber security controls.

“Considering that implementation of cyber security framework would be a cost intensive process, the responsibility for implementation, monitoring, compliance and response would have to be assigned from the board level and percolate down till the end user,” the RBI said.

The regulator prescribed differentiated timelines for the implementation of each of the specific action points for various levels of UCBs. Instructions will be issued to banks to include the review on cyber security posture along with specific indicators, as part of the calendar of reviews to be submitted to the board of directors during its meetings. This will be implemented in 2020. UCBs need to develop their own technology vision document outlining their plans to incorporate IT solutions into their business in a secure manner. For UCBs in levels 2 to 4, this will have to be achieved by 2021, while for those in level 1, the deadline is 2022.

Targeted skill-oriented training and certification programmes would be designed to bring UCBs of different categories not only up to speed with the new framework in a time-bound manner, but also to manage the IT and security measures in the changing and challenging scenario.