India’s banking sector has grown rapidly over the past few years and, according to current predictions, will keep following the same pattern. As per 2020 estimates, the number of ATMs in India is 2.10 lakhs, which may exceed 4.07 lakhs by the end of this year. Cyber security, in this context, is the process of keeping an IT system safe from unauthorised access, damage, or attacks. Given the banking sector’s role in the Indian economy, banks cannot afford a lax attitude towards the security of their systems. As the saying goes, with great power comes great responsibility, and a bank’s most important responsibility is to ensure that its customers’ personal and confidential information remains safe and secure.
What does our law say?
Section 43A of the Information Technology Act, 2000 provides for civil compensation when a body corporate fails to protect sensitive personal data. Body corporates must ensure that they follow reasonable security practices. The term “body corporate” includes any association of individuals engaged in commercial or professional activities, so banking institutions fall directly within the ambit of this provision. Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the 2011 Rules) defines what counts as sensitive personal data.
Banks and Cyber Security Measures
The 2011 Rules are a good starting point for banks implementing reasonable security practices. According to Rule 8, a bank’s cyber security measures should include:
- A comprehensively documented information security programme. This programme should define operational, managerial, and technical controls, along with the bank’s incident response strategy. A bank should also document how it implements each security control.
- Compliance with an internationally recognised standard such as ISO 27001:2013, which ensures that the bank follows established best practices.
- Adoption of an industry-accepted self-regulation code, duly approved by the Central Government.
Apart from these measures, the sector regulator – the Reserve Bank of India – has also issued various guidelines and frameworks. The Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) is one example. This framework divides UCBs into different levels according to their digital depth and their interconnectedness with the payment landscape, and then sets a baseline for each level that a bank must meet. Highlights of this framework include:
- Training programmes for employees on phishing and good security practices
- Reporting mechanisms for unusual security incidents
- Network segmentation, so that banking operations and ATMs run on separate networks
- Least-privilege access for employees, granting only the minimum access required for their role
- Periodic vulnerability assessments and penetration testing
While this framework does not prescribe any punitive actions, it is still a step in the right direction.
After the government-imposed lockdown, there was a sudden shift to digital payment modes. With an ever-increasing user base and transaction volume, cyber security for banks is of utmost relevance today. Over the course of the last 12 months, we have observed a significant increase in phishing/vishing cases being reported. At present, digital transactions account for close to 90% of total transactions. In such a situation, it is the banks’ inherent responsibility to ensure that their digital ecosystems remain secure. I hope that banks remain vigilant about the security of their IT infrastructure.