Overwhelmed by a thicket of demanding rules, banks will miss the January 1 deadline set by the capital market regulator to put in place a cybersecurity framework.
Last week, several banks, particularly the multinational lenders offering custody and investment banking services, asked the Securities & Exchange Board of India (SEBI) for more time to implement the onerous measures that involve frequent software audit, challenges of dealing with IT firms providing the services, fast response time in case of disruptions, formation of an internal panel with independent expert to make sure the rules are being followed, along with a slew of time-defined reporting requirements among other things.
In the highly regulated world of financial services, a failure to report means a compliance lapse — a tag that no bank, particularly international banks, would like.
According to the SEBI guidelines on ‘cybersecurity and cyber resilience framework’ issued last August, regulated entities (REs) shall keep the “regulatory data available and ‘easily accessible in legible and usable form, within the legal boundaries of India”. Since data is typically kept in encrypted form, SEBI said that if the data retained within India is not in “readable form”, the REs must maintain an application (or system) to read and analyse the retained data.
According to Kunal Pande, KPMG’s National Leader for Digital Trust (financial services), “Banks are trying to come to terms with the regulatory norms. First, there are new requirements. Second, existing requirements have become more rigorous, data driven, and demanding on governance. Besides measuring on a granular basis, it calls for frequent assessment and corresponding remediation, and reporting in a strict time-bound manner. Not reporting would mean not demonstrating compliance, and no entity would want that. Also, the target spend on cyber security and tech risk for a category of REs is 10% of IT budget.”Bankers told ET they are yet to grasp the 200-page SEBI circular that lays down the detailed rules on storage of data within the country and ring-fencing them from cyber threats. However, they have sensed it means a change of systems and processes, besides more money. They need 6 more months to carry them out. While banks have long given up the cavalier attitude they once had on cyber security and data, SEBI’s new regulations could keep them on their toes.
For instance, in the event of disruption of any one or more of the critical systems, the RE shall, within 30 minutes of the incident, declare that incident as ‘disaster’ based on the business impact analysis. Accordingly, the RTO (recovery time objective) — the time taken to restore the system — shall be two hours as recommended by IOSCO for the resumption of critical operations. And, according to the guideline, the ‘recovery point objective’ (or, RPO) shall be 15 minutes for all REs. Typically measured in minutes, RPO captures the quantum of data that would be lost or must be reentered due to the disturbance. Thus, an RPO of 15 minutes means that the maximum amount of time for data loss after a disruption is 15 minutes. For this, a bank must back up the system every 15 minutes.
“There could be multiple challenges depending on the respective situation of banks and their legacy system issues. This may relate to audits of software solutions used by a bank which are outsourced — here there may be issues in getting permission from these external entities. VAPT (Vulnerability assessment and penetration test) must be conducted in case of every major change in software as defined by SEBI. Since multiple data have to be stored, classified and segmented in the right buckets, their accesses have to be defined as per job profile. Here, there may be complications if the data is stored externally. Also, a bank must make sure what kind of controls that entities providing the outsourced activities have,” said P Shreekanth, IT Partner, Chokshi & Chokshi, a tax and forensic audit firm.
Twice a year, REs will have to conduct scenario-based cyber-resilience tests, involve critical third-party service providers, market intermediaries, and linked REs in such exercises, and submit the results before their IT Committees. Banks are in the process of implementing the payment data rules of RBI. Now, banks acting as custodians of institutional investors and in merchant banking would have to execute the cyber and storage data norms of SEBI, the relevant regulator for such services.
“It’s a detailed guideline. For instance, several things have to be prepared in a prescribed format, complications due to third-party engagements have to be addressed, and credit scores based on Cyber Capability Index (CCI) have to be arrived at from 23 parameters… Understandably, banks would need some time,” said Vishal Jain of Deloitte.
CCI, which would rate the preparedness and resilience of the cybersecurity framework (based on a string of features including budget, training, media sensitisation) would have to be submitted to SEBI on demand.
“Lastly,” said Shreekanth, “a bank has to ensure that the data is encrypted at full desk and file levels, and there is encryption of interfaced data among various entities and systems. Though not an immediate challenge, banks have to keep in mind the possible launch of quantum computing such as Willow which may pose a risk as and when it gets implemented.”
Regulators and central agencies have become more and more alert on cyber risks, with continuous advisories spelling out the dos and don’ts. Last week, the National Critical Information Infrastructure Protection Centre (NCIIPC) reached out to several private sector banks to follow the compliance standards laid down by the security agency.