
RBI's circular on cyber security

www.pwc.in
Background

Since banks in India have rapidly adopted newer technologies and digital channels with the underlying objective of increasing footprints and revenues, we have also seen customer preferences shift towards digital platforms. There is a perception, though, that the adoption of advanced cyber security practices has not kept pace with the rate of evolution of core business-enabling technology. While in comparison to several other sectors, banks are definitely seen to be more proactive in investing and improving security practices, such measures may still be inadequate considering the challenges that the industry is facing today. Some challenges with the traditional approach to IT security are:

1. Proliferation of attack vectors and enhanced attack surface
2. Proliferation of digital and shifting customer preference
3. Sophistication of threat actors and enhanced targeting of banks
4. Banking increasingly operating as a boundary-less ecosystem

Inadequate traditional IT security measures

A paradigm shift has recently been observed in attacks exploiting the source, behaviour, motives and vectors. This indicates that the traditional multilayered defence that banks already have is not adequate. Globally, there is a rise in cyber security incidents and several of them have been large-scale breaches, frauds and heists. The impact of such breaches does not end with serious financial loss but, in most cases, can also potentially erode substantial brand value.

RBI realises that banks need to take a holistic and integrated approach towards cyber security operation transformation.

RBI has taken a step in the right direction by realising the inherent need for banks to strengthen their cyber security posture in the wake of the increasingly sophisticated nature and quantum of attacks.

An opportunity for banks to establish next generation cyber defence

In many ways, through its circular, RBI holistically addresses several aspects related to cyber security that a bank should put in place. The circular is quite comprehensive in its coverage. It clearly recognises that cyber security focus is distinct from a focus purely on information security. Further, it clearly lays out the need for setting up a cyber security operations centre (SOC) and a cyber-aware board and top management, focussing on securing the ecosystem, creating a resilience framework and ensuring proactive information sharing.

CISO has a key responsibility to act as an interface between business and technology.

In many ways, this is an opportunity for banks to take a step forward and assess themselves with a view to improving their cyber security posture. Chief information security officers (CISOs) of tier banks should seize this opportunity to embark on a journey to establishing the next generation of cyber security defence, while CISOs of smaller banks should look to move from an asset-centric security approach to establishing a holistic baseline security programme. We believe that banks should guard against taking a compliance-centric approach to the circular.

We believe that this circular will shift the cyber security needle for the banking industry largely in the following areas:

• Cyber-aware board and establishment of strong governance
• Protecting customers
• Proactive reporting and collaboration within industry
• 24x7 operations centre with advanced real-time capabilities (continuous surveillance)
• Building cyber resilience
• Focus on extended ecosystem

[Diagram: "There is a need for a forward-looking cyber security framework"; surrounding drivers: "Complex threat landscape", "Business-enabling technology is fast evolving", "RBI's circular is timely".]

Cyber-aware board and establishment of strong governance

Banks will need to create programmes and interventions to sensitise the board and management about the evolving threat landscape and the current and future state of their cyber security posture. This will help in setting the right tone at the top. It will make cyber security as important as investing in business-enabling technologies.

Board-level awareness and participation is critical.

The circular also calls for banks to strengthen enterprise-wide cyber security governance. It articulates aspects that need the approval/oversight of the IT subcommittee of the board. Further, there is a clear emphasis on the establishment of metrics to measure and monitor outcomes of cyber initiatives.

24x7 operations centre with advanced real-time capabilities (continuous surveillance)

There is a need for effective cyber security monitoring and detection capabilities that focus on building resilient systems that traverse a large volume of system events and deduce intelligence.

A resilient banking ecosystem is characterised by banks' ability to detect threats in advance, prevent cyber incidents, recover from an incident should one materialise and learn from threat intelligence to prevent similar incidents.

Combating cyberthreats is not possible without continuous surveillance and real-time analytical capabilities.

Banks will have to refocus some of their security operations priorities and augment their current SOC to make it more robust by focussing on cyberthreats on a real-time basis. The current practice of analysing security logs passively must be challenged to implement advanced systems or improved such that analysis occurs in real time or near real time. Banks would need to move from basic security operations capabilities to setting up advanced next generation security operations centres with capabilities such as analytics enabled by device- and user-behaviour-based machine learning, and defence to ensure that lateral movement of malicious code is prevented on a real-time basis using integrated honeypots. Static rule-based systems will have to make way for dynamic and adaptive security systems that draw intelligence based on behaviour analysis and detection capabilities across all categories of interconnected systems.

Protecting customers

The circular lays emphasis on protecting customer data and protecting customers against financial crimes. Banks are required to put in place strong controls to protect customer data across the life cycle regardless of whether data is at rest or in motion, within the bank's environment or within the vendor's environment. As banks are rapidly adopting digital products, they are also mandated to take stronger measures in areas such as authentication and risk-based transaction monitoring to prevent fraud.

Protecting customer information and customers themselves from financial crimes

Banks have also been asked to establish strong programmes focussed on customer awareness to reduce the incidence of attacks like phishing.

Proactive reporting and collaboration

Financial institutions can only achieve so much by improving their organisational cyber security capabilities based on historical incidents and generic threat intelligence.

Call for deeper collaboration within the industry and with the regulator

In its circular, RBI has recognised that collaborating and contributing financial institutions can benefit mutually and further help others to make informed decisions, thus enabling them to respond to attacks proactively and quickly. In many ways, the circular will move the industry to a new evolved state with respect to cross-leveraging learnings from one another.

Building cyber resilience

As attack vectors are increasingly becoming sophisticated, the cost of launching an attack is going down, the scale and velocity of attacks are increasing, and there is greater recognition of the possibility of incidents. Accordingly, banks not only need to strengthen cyber defence but also build strong resilience. The RBI circular calls for the establishment of a Cyber Crisis Management Plan to address the full life cycle of detection, response, containment and recovery.

A cyber crisis management plan must address the entire life cycle of incident detection, response, containment and recovery.
Focus on extended ecosystem

There is also a clear recognition that information cuts across boundaries and it is no longer adequate to have strong controls with respect to security within the bank and a light-touch approach to the vendor ecosystem. The circular calls for strong governance over the entire vendor life cycle with respect to cyber security. Banks would need to embed into their relationship

Challenges for the industry

This circular will push the entire industry forward in terms of strengthening cyber defence, and detecting and building resilience both at the organisation and industry level. While some leading banks already have programmes addressing many of these issues, they too would need to strengthen their posture on many fronts.

Banks will need to take a risk-based approach while building baseline investments.

driven by this circular, though very exciting, is fraught with several challenges that banks have to address. Banks are already considering several cost reduction strategies to address cost pressures such as managing non-performing

cyber security investment will not occur very easily. The circular highlights several aspects that banks need to adopt

From an implementation perspective, the details will still need

in working with leading banks to build reference guides.

About the authors

For deeper conversations, please reach out to

Sivarama Krishnan
Leader, Cyber Security
Tel: +91 (124) 626 6707
sivarama.krishnan@in.pwc.com

Siddharth Vishwanath
Partner, Cyber Security
Tel: +91 (22) 66691559
siddharth.vishwanath@in.pwc.com

Manu Dwivedi
Partner, Cyber Security
Tel: +91 (0) 80 4079 7027
manu.dwivedi@in.pwc.com

Sundareshwar Krishnamurthy
Partner, Cyber Security
Tel: +91 (22) 6119 8171
sundareshwar.krishnamurthy@in.pwc.com

Hemant Arora
Executive Director, Cyber Security
Tel: +91 (124) 626 6717
hemant.arora@in.pwc.com

PVS Murthy
Executive Director, Cyber Security
Tel: +91 (22) 66691214
pvs.murthy@in.pwc.com

About PwC

quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

www.pwc.com/in

pwc.com/structure for further details.

Data Classification: DC0

This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither accepts nor assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.

2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN: U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

SUS/July2016-6734
