2 Nov 2015

RBI Decides To Set Up An IT Subsidiary To Deal With Cyber Crimes And Cyber Security Related Issues

India is treading on the digital highway and very soon most of the public services would be delivered through use of information and communication technologies (ICT). This is clear from the enthusiastic implementation of Digital India project that needs some fine tuning to get the best results. Nevertheless there is no escape from the reality that Digital India would be the face of Indian economy and culture very soon.

With this increased and omnipresent digital culture, cyber crimes and cyber security breaches would be the norm in future. This is the reason why the Delhi Police has decided to launch a mobile application that would help in filing of online FIR for economic frauds and cyber crimes. Now the Reserve Bank of India (RBI) has also showed its commitment to fight against cyber crimes and financial frauds by declaring that an information technology driven subsidiary would be established by it to deal with cyber nuisances. This IT subsidiary of RBI would also deal with cyber security and related issues with a special focus upon banking related technology issues. The IT subsidiary of RBI would also evaluate the technical capabilities of banks that is almost missing as on date.

We at Perry4Law Organisation (P4LO) welcome this move of RBI and extend our full techno legal support and expertise in this regard. As per the cyber security trends of India 2015 by P4LO cyber security related issues must be taken care of by various stakeholders including banks in India. Although RBI has announced many effective cyber security related initiatives for banks in India yet cyber security for banks in India is still not in good shape. Some of the initiatives already undertaken by RBI in this direction include formulation and implementation of Internet banking guidelines, formation of a RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI Recommendation on Information Security and its implementation in India, etc.

RBI has also prescribed establishment of Steering Committees on Information Security by Banks in India and appointment of Chief Information Officers (CIOs) for all banks in India.  However, banks in India have failed to comply with the directions of RBI so far. As on date there is neither a legal framework nor any compulsion to ensure cyber security of banks in India. This gives little incentive to the banks to ensure cyber security of online banking system of India. On top of it, banks in India are not following cyber security due diligence and cyber law due diligence (PDF) despite RBI’s directions.

If we take the example of western countries, sophisticated malware are targeting banks of these countries. These countries are heavily relying upon ICT for their functioning and this makes them vulnerable to cyber crimes and cyber attacks. India has not faced this heat so far because till now India did not adopt technology to that extent. However, after the adoption of Digital India, cyber security and cyber crimes investigation would become major issues for not only the law enforcement agencies but also banks of India. RBI seems to be aware of this reality and has taken a good step by deciding to establish an IT subsidiary that would take care of all these issues. However, we at P4LO believe that this IT subsidiary of RBI should not be a mere paper tiger but must actually work towards establishing a robust and resilient cyber security environment for banks of India.

Sophisticated botnet and malware like Dump Memory Grabber has been targeting Indian banks and POS Terminals. Similarly, the Gameover Zeus or GOZ botnet is also capable of stealing sensitive banking and financial information and details. Recently, the US Justice Department even charged a Russian national for creation of Gameover Zeus (GOZ) Botnet.

In these circumstances we must consider the proposal of India to adopt and use mobile banking, Internet banking and other online banking and financial transactions methods. So far India and RBI has not considered the issues of mobile banking cyber security, internet banking cyber security, legal aspects of Internet banking, cyber security of e-governance services, etc. In these circumstances, Indian online banking transactions are vulnerable to cyber attacks.

The cyber security for banking and financial sectors of India must be ensured as soon as possible. Online payment market of India and e-commerce and online business legal compliances have further increased the requirements of banking cyber security in India. Similarly, cyber due diligence for Paypal and online payment transferors of India must also be ensured by these stakeholders. These are some of the suggestions that P4LO has shared with Indian Government and RBI through this platform. More detailed suggestions would also be shared by P4LO at appropriate stage and platform.