
Cyber Security Policy Framework for Cooperative Banks

By:
Adv. Jayashree Nangare
Cyber Law Expert
INTRODUCTION
• Cyber Security means a set of techniques used to protect the integrity of networks, programs and data from attack, damage or unauthorised access.

• The core functionality of Cyber Security involves protecting information and systems from major cyber threats.
THREATS OF CYBER CRIMES TO BANKS

Reputational Damage
Theft or Loss of Personal Information
IP Theft
Data Theft
Service Disruption
Actual Financial Loss
Regulatory Risks
Cost of Investigation
IMPORTANCE OF CYBER SECURITY

RBI Guidelines for Cyber Security Framework
Need for Cyber Security Policy in Banks
• In the banking sector, banks have adopted different levels of technology, such as:
1. Some banks offer digital products to their customers;
2. Some banks maintain their books of account on a standalone computer and use e-mail for communicating with their customers/supervisors/other banks.

• It was observed that it is necessary to implement a cyber security/resilience framework at banks and to ensure adequate cyber-security preparedness among banks on a continuous basis.

• It is essential for all cooperative banks to implement the basic Cyber Security guidelines issued by RBI in its circular no. RBI/2018-19/63, to secure the business from cyber risks/attacks.
INTERNET BANKING ATTACKS
Board’s approval for Cyber Security Policy
• Banks should prioritise putting in place a cyber-security policy forming a strategy containing an appropriate approach to combat cyber threats.

• A confirmation in this regard may be communicated to the Cyber Security and Information Technology Examination (CSITE) Cell of the Department of Banking Supervision, Reserve Bank of India.
Cyber Security Policy should be distinct and separate

• In order to address the need for the entire bank to contribute to a cyber-safe environment, the Cyber Security Policy should be distinct and separate from the broader IT policy / IS Security policy.

• It can highlight the risks from cyber threats and the measures to address/reduce these risks.

• Having a separate policy is important so as to identify the risks and to adopt an appropriate cyber-security framework to mitigate these risks.
I.T. SECURITY FRAMEWORK
IT Architecture/Framework should be security compliant
• The bank must:
1. Identify weak/vulnerable areas in IT systems and processes.
2. Allow restricted access to networks, databases and applications wherever permitted, through well-defined processes and approvals.
3. Assess the cost of impact in case of breaches/failures in these areas. Address them with a suitable Cyber Security System.
4. Specify and document clearly the responsibility for each of the above steps.
5. Maintain a proper record of the entire process to enable supervisory assessment.
The cyber threats can be in many forms, such as:
• Core Banking attacks
• Identity Theft
• Swift server attack
• Mobile Banking
• Web Application Attacks
• Defamation
• Payment Gateway attacks
• Firewall attacks
• Ransomware
• Phishing
Basic Cyber Security Controls for Banks

1. Inventory Management of Business IT Assets
2. Preventing access of unauthorised software
3. Environmental Controls
4. Network Management and Security
5. Secure Configuration
6. Anti-virus and Patch Management
7. User Access Control / Management
8. Secure mail and messaging systems
9. Removable Media
10. User/Employee/Management Awareness and Training
11. Customer Education and Awareness
12. Backup and Restoration
13. Vendor/Outsourcing Risk Management
Cyber-security awareness among stakeholders / Management / Board
• Managing cyber risk requires the commitment of the entire organisation to create a cyber-safe environment. This requires a high level of awareness among staff at all levels.

• Management and Board should have a high level of awareness of cyber threats.

• Banks should proactively promote, among their customers, vendors, relevant stakeholders, etc., an understanding of the bank’s cyber resilience objectives and require and ensure appropriate action to support their synchronised implementation and testing.
Legal Liabilities for Banks
Do You Know?

• Do you handle or collect Sensitive Personal Information?
– Liable under Section 43 & 43 A, IT Act 2000 & Amendments
– Negligence in implementing & maintaining reasonable security practices & procedures makes data holder liable for compensation claims

• Do you know about Computer related offences?
– Liable under Section 66, IT Act 2000 & ITAA
– Dishonestly receiving stolen computer resource
Legal Liabilities for Banks
• Copyright Violation: Rs. 2,00,000 or 3 years of Imprisonment
• According to I.T Act 2000:
1. Chapter 13, Section 85: If your policies are Not Up To The Mark then……….. Rs. 10,00,000 or 5 years of Imprisonment.
2. Chapter 9, Section 43: Penalties for Computer damage can cause a compensation Rs. 1,00,00,000/-

Rs. 5,00,00,000/-
That’s how much your client can demand by law if you fail to protect their data
15 Year Firm having team of:
• Cyber Lawyers
• Cyber Crime Investigators
• Cyber Security Consultant
40 years collective experience
more than 100 clients…

What we do
• Training - IT Act 2011
• Investigation – Cyber Crime
• IT Act 2011 Compliance
• Litigation – Cyber Crime
SERVICES
Expert Legal Opinion, Consulting & Litigation
• Consultation, litigation & litigation support legal service, EXPERT LEGAL OPINION on
• The IT Act, 2000, RBI guidelines, Department of Electronics & Information Technology, PCI-DSS, IPR Laws, ISO/IEC 2700

Cyber Risk Assessment & Legal Compliance
• Find the potential financial exposure.
• Determine data privacy & network security coverage gaps.
• Identify potential vulnerabilities of corporate data.

Computer & Cyber Forensic Investigations
• Discover electronic data to acquire digital evidence.
• Analyze facts & report on a case by having a suitably trained computer forensic analyst examine digital devices in order to investigate a claim or allegation.
Cyber Legal Protection for Banks
Customer Awareness Program
• Why customer awareness is needed
– As fraudsters are constantly creating more diverse & complex fraudulent ruses using advanced technology and social engineering techniques to access their victims’ accounts, spreading awareness among consumers becomes imperative.

• Provide well-formulated policies for every service they opt for.

• Provide knowledge to identify frauds and, if any fraud takes place, ways to mitigate it.

• The steps to be taken while browsing any internet banking site and what relevant information should be provided.
• The agreements must clearly mention the grievance
redressal mechanism to resolve customer complaints.
• Vendors’ service level agreements shall be periodically
reviewed for performance in security controls.

Cyber Security Model – P4 Approach


Address: Office No. 304, 3rd floor Vikram Gold Mine, Sudabhau Kelkar Path, FC Road,
Opposite to Venus Traders, Deccan Gymkhana, Pune, Maharashtra-411004
Phone : (020)(25521888), 08805010888
Website : www.cyberlawsolution.com
Email: admin@cyberlawsolution.com
