The Reserve Bank of India (RBI) on Thursday released a cybersecurity vision framework for urban cooperative banks (UCBs). Considering the heterogeneity of the UCB sector in terms of size, regions, financial health, and digital depth, the central bank said a ‘one-size-fits-all’ approach may not be suitable while prescribing cybersecurity guidelines for UCBs. As a result, four guiding principles were taken into account while formulating the framework.
A differentiated tier-wise approach will be followed while prescribing cybersecurity controls for UCBs. The tiers would be decided based on risk exposure in terms of the digital services offered by UCBs. The approach will ensure that UCBs with high it brings its penetration and offering all payment services at par with other banks having mature cybersecurity infrastructure and practices. The board of the UCBs shall be assigned the primary responsibility for implementing the cybersecurity controls.
“Considering that implementation of cybersecurity framework would be a cost-intensive process, the responsibility for implementation, monitoring, compliance, and the response would have to be assigned from the board level and percolate down till the end-user,” the RBI said.
The regulator prescribed differentiated timelines for the implementation of each of the specific action points for various levels of UCBs. Instructions will be issued to banks to include the review on cybersecurity posture, along with specific indicators, as part of the calendar of reviews to be submitted to the board of directors during its meetings. This will be implemented in 2020. UCBs need to develop their own technology vision document outlining their plans to incorporate IT solutions into their business in a secure manner. For UCBs in levels 2 to 4, this will have to be achieved by 2021, while for those in level 1, the deadline is 2022.
Targeted skill-oriented training and certification programs would be designed to bring UCBs of different categories not only up to speed with the new framework in a time-bound manner, but also to manage the IT and security measures in the changing and challenging scenario.