The Reserve Bank of India (RBI) has mandated all banks to immediately put in place cybersecurity policies approved by their boards to combat cyber threats.
The regulator said that, in the face of the increasing number of cyber attacks, banks must immediately sketch out a cyber crisis management plan that will form part of the overall board-approved strategy.
The plan should address four key aspects: detection, response, recovery and containment.
"In view of the low barriers to entry, evolving nature, growing scale/velocity, motivation and resourcefulness of cyber-threats to the banking system, it is essential to enhance the resilience of the banking system by improving the current defences in addressing cyber risks. These would include, but not limited to, putting in place an adaptive Incident Response, Management and Recovery framework to deal with adverse incidents/disruptions, if and when they occur," the regulator said in a notification.
The regulator further said that the cyber security policy should be segregated from the bank’s broader IT policy, and should help highlight the risks from cyber threats and the measures to eliminate the risks.
"While identifying and assessing the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organisational culture and internal & external threats. Depending on the level of inherent risks, the banks are required to identify their riskiness as low, moderate, high and very high or adopt any other similar categorisation," RBI said.