EC No. 33 / DoS-08 / 2020
06 February 2020
Ref. No. NB. DoS. Pol. HO. / 3184 / J- 1/ 2019-20
All Regional Rural Banks
Dear Sir / Madam
Comprehensive Cyber Security Framework for Regional Rural Banks (RRBs) – A Graded Approach for time bound implementation
Please refer to our Circular NB. DoS. HO. Pol. No. / 4813 / J – 1 / 2017 – 18 dated 16 March 2018, issuing guidelines for implementing Cyber Security Framework (CSF) in banks. On further examination, a graded approach to implementation of the CSF has been formulated.
2. The RRBs have been categorised into four levels based on their digital depth and interconnectedness to the payment systems landscape. The levels are defined as below:
Level I
Criteria: All RRBs
Regulatory Prescription: Level I controls prescribed in Annexure-I
Remarks: In addition to the controls, the bank may test its preparedness on cyber security by administering the Vulnerability Index on Cyber Security (VICS) tool (Annexure-IA).

Level II
Criteria: All RRBs which are sub-members of Central Payment System (CPS) and satisfy at least one of the criteria given below:
1. offers internet banking facility to its customers (either view or transaction based)
2. provides Mobile Banking facility through application (smartphone usage)
3. is a direct Member of CTS/IMPS/UPI
Regulatory Prescription: Level II controls given in Annexure-II, in addition to Level I controls.
Remarks: Additional controls include Data Loss Prevention Strategy, Anti-Phishing, VA/PT of critical applications.

Level III
Criteria: RRBs having at least one of the criteria given below:
1. Direct members of CPS
2. having their own ATM Switch
3. having SWIFT interface
Regulatory Prescription: Level III controls given in Annexure-III, in addition to Level I and II controls.
Remarks: Additional controls include Advanced Real-time Threat Defence and Management, Risk based transaction monitoring.

Level IV
Criteria: RRBs which are members/sub-members of CPS and satisfy at least one of the criteria given below:
1. having their own ATM Switch and having SWIFT interface
2. hosting data centre or providing software support to other banks on their own or through their wholly owned subsidiaries
Regulatory Prescription: Level IV controls given in Annexure-IV, in addition to Level I, II and III controls.
Remarks: Additional controls include setting up of a Cyber Security Operation Center (C-SOC) (either on their own or through service providers or Sponsor Banks), and an Information Technology (IT) and Information Security (IS) Governance Framework with higher responsibilities, to be put in place within six months of issue of this circular.
3. The Board of Directors is ultimately responsible for the information security of the bank and shall play a proactive role in ensuring an effective IT (Information Technology) and IS (Information Security) governance. The major role of top management involves implementing the Board approved cyber security policy, establishing necessary organisational processes for cyber security and providing necessary resources for ensuring adequate cyber security.
4. RRBs shall undertake a self-assessment of the level into which they fit, based on the criteria given in the table above, and report the same to their Sponsor Bank and the NABARD Regional Office concerned within 45 days from the date of issuance of this circular.
5. All RRBs shall comply with the control requirements prescribed in Annexure - I within three months from the date of issuance of this circular.
Similarly, Level II, III and IV RRBs are required to implement additional controls prescribed in Annexures - II, III and IV, respectively.
6. RRBs may adopt a higher level of security measures based on their own assessment of risk and capabilities. Further, if an RRB, irrespective of its asset size, already has a cyber security framework higher than the self-assessed level in which it fits, then, as a matter of best practice, it is desirable that it continues with the existing governance structure.
7. The Vulnerability Index for Cyber Security Framework (VICS) may be used as a guidance tool for establishing cyber security controls.
8. The primary responsibility of implementing cyber security framework rests with the bank itself. The RRBs sharing IT platform with Sponsor Banks may review all the prescribed cyber security controls issued in our circulars in consultation with their Sponsor Bank. Documentation of the roles and responsibilities of the Sponsor Bank and the RRB vis-a-vis cyber security framework may be maintained at RRB level.
9. As indicated in our circular dated 16 March 2018, RRBs should report all cyber security incidents (whether they were successful or mere attempts) immediately on occurrence to the CSITE cell, NABARD by email (firstname.lastname@example.org), with a copy endorsed to the Regional Office of NABARD concerned. A quarterly NIL report shall be submitted in case no cyber security incidents / threats were observed during the quarter.
10. A copy of this circular may be placed before the Board of Directors in its ensuing meeting.
11. Please acknowledge receipt.
(K S Raghupathi)
Chief General Manager
Encl: As above.