Recently, the Reserve Bank of India (RBI) imposed a hefty penalty of around 65 lakhs, roughly USD 80,000, on a co-operative bank from a southern state of India for non-compliance with the RBI guidelines on Information Security.
A dedicated cyber team from the RBI investigated the matter and conducted a thorough audit of a data breach incident that happened one and a half years ago, in which hackers siphoned off 12.48 crore, roughly 1.5 million USD, through phishing emails. These emails were sent to bank employees, and by clicking on the malicious emails the employees unknowingly gave the cyber criminals full access to the sensitive bank network.
The Vulnerable IT network in the banking sector
A special report released by the CNBC TV18 group a quarter ago this year says that there has been a 50% increase in data leaks and data breach incidents in the banking and financial sector. Earlier, in 2022, Deloitte India’s banking survey also revealed a 40% rise in cyber incidents in the banking industry.
The banking sector is a treasure trove of data and confidential information. Not surprisingly, the IT periphery of banks is always vulnerable to highly organized cyber-attacks. In addition, the banking sector is always exposed to compromised insiders and third-party IT users.
Such attacks are possible for three reasons:
1. The workforce is not adequately trained regarding dos and don’ts to preserve the sanctity of data
2. The information security framework is not up to the mark
3. Banks fail to stringently comply with the RBI Guidelines on Information Security
On the compliance side, the RBI has laid down a set of guidelines that succinctly explain what needs to be done, especially in the areas of Identity and Access Management.
The RBI Guidelines on Access Control
For instance, in the RBI circular, “Cyber Security Framework in Banks” (2016), it is mentioned in Annex I, point no. 8.1 that – “(banking organizations) Provide secure access to the bank’s assets/services from within/ outside bank’s network by protecting data/ information…”
Annex I, point no. 8.3 states that – “Disallow administrative rights on end-user workstations/ PCs/ laptops and provide access rights on a need-to-know basis and for specific duration when it is required following an established process.”
Annex I, point no. 8.4 states that – “Implement centralized authentication and authorization system for accessing and administering applications, operating systems, databases, network and security devices/ systems, point of connectivity (local/remote, etc.) including enforcement of strong password policy, two-factor/multi-factor authentication depending on risk assessment and following the principle of least privileges and separation of duties.”
Annex I, point 8.6 says, “Implement controls to minimize invalid logon counts, deactivate dormant accounts.”
And Annex I, point 8.7 says, “Monitor any abnormal change in pattern of logon.”
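One way to turn points 8.6 and 8.7 into checks over authentication logs, as an added example that is not taken from the RBI circular or from any vendor product. The thresholds, account names and addresses are assumptions constructed for illustration; the circular names the controls but prescribes no values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: the circular names the controls but prescribes no values.
MAX_FAILED, FAIL_WINDOW = 5, timedelta(minutes=15)
DORMANT_AFTER = timedelta(days=90)
MIN_HISTORY = 3  # successful logons needed before a baseline is trusted

# Constructed sample data: (ISO timestamp, user, source address, success)
EVENTS = [
    *[(f"2024-02-2{d}T09:10:00", "teller01", "10.1.4.20", True) for d in (6, 7, 8)],
    ("2024-02-29T02:40:00", "teller01", "10.9.9.77", True),
    ("2024-02-20T11:00:00", "dbadmin", "10.1.2.5", True),
    *[(f"2024-02-29T23:0{m}:00", "dbadmin", "10.1.2.5", False) for m in range(6)],
    ("2023-10-01T10:00:00", "vendor_svc", "10.1.7.8", True),
    *[(f"2024-02-2{d}T10:00:00", "branch_mgr", "10.1.4.31", True) for d in (6, 7, 8, 9)],
]
ACCOUNTS = ["teller01", "dbadmin", "vendor_svc", "branch_mgr"]

def audit(events, accounts, now):
    """Return {user: set of findings} for the Annex I 8.6 and 8.7 checks."""
    by_user = defaultdict(list)
    for ts, user, src, ok in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), src, ok))
    findings = {}
    for user in accounts:
        found, logs = set(), by_user[user]
        good = [(t, s) for t, s, ok in logs if ok]
        fails = [t for t, _, ok in logs if not ok]
        # 8.6: dormant account (no successful logon inside DORMANT_AFTER)
        if not good or now - good[-1][0] > DORMANT_AFTER:
            found.add("dormant")
        # 8.6: MAX_FAILED or more invalid logons inside any FAIL_WINDOW
        for i in range(len(fails) - MAX_FAILED + 1):
            if fails[i + MAX_FAILED - 1] - fails[i] <= FAIL_WINDOW:
                found.add("excess_failed_logons")
        # 8.7: latest successful logon compared with the account's own history
        if len(good) > MIN_HISTORY:
            *hist, (t, src) = good
            hours = [h.hour for h, _ in hist]
            if src not in {s for _, s in hist}:
                found.add("new_source")
            if not min(hours) <= t.hour <= max(hours):
                found.add("unusual_hour")
        findings[user] = found
    return findings

if __name__ == "__main__":
    print(audit(EVENTS, ACCOUNTS, datetime(2024, 3, 1, 12)))
```

Accounts that appear in the directory but never in the logs are reported as dormant, which is why the check iterates over the account list rather than over the events.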
Building a robust IAM structure to comply with the RBI Guidelines
What these guidelines suggest is that every banking organization storing and processing all sorts of data across disparate technologies must have a unified approach to control, monitor and manage users’ access to sensitive and classified information.
In this regard, ARCON’s unified Identity and Access Management platform (Converged Identity), which includes privileged access management, is at the core of building a robust IAM structure, meeting the RBI guidelines and enforcing security.
By implementing this solution, a banking organization gets a centralized engine to manage the lifecycle of an identity (joiner/mover/leaver), from onboarding, discovery and governance to provisioning and deprovisioning of all the digital identities across the IT setup. In addition, the security teams can apply adequate safeguards like granular controls and just-in-time privileges to establish the least privilege principle and grant access on a “need to know” and “need to do” basis. Furthermore, the solution offers best-in-class password vaulting technology to vault and randomize the passwords, along with a robust multi-factor authentication mechanism.
The banking industry is prone to threats like data breaches and unauthorized access because any financial data is vulnerable. Implementing a unified IAM approach is necessary to effectively manage identity governance and access control, and to create a unified architecture and strategy that controls people as well as processes and protects banks’ data, applications, and privileged systems, regardless of the hosting model.