EC No. 32 / DoS-07 / 2020 06 February 2020
Ref. No. NB.DoS.Pol.HO/ 3182 /J-1/2019-20
The Managing Directors/Chief Executive Officers of
All the State Cooperative Banks/
All District Central Cooperative Banks
Comprehensive Cyber Security Framework for Rural Cooperative Banks (RCBs) - A Graded Approach for time bound implementation
Please refer to our Circular NB.DoS.HO.Pol.No./4811/J-1/2017-18 dated 16 March 2018, issuing guidelines for implementing Cyber Security Framework (CSF) in Banks. On further examination a graded approach to implementation of the CSF has been formulated.
2. The RCBs have been categorised into four levels based on their digital depth and interconnectedness to the payment systems landscape. The levels are defined as below:
- Level Criteria Regulatory Prescription Remarks
- Level I All RCBs
- Level I controls prescribed in Annexure-I
In addition to the controls, the banks may test their preparedness on cyber security by administering the Vulnerability Index on Cyber Security (VICS) tool Annexure-IA
Level II All RCBs, which are sub-members of Central Payment System (CPS) and satisfying at least one of the criteria given below:
1. offers internet banking facility to its customers (either view or transaction based)
2. provides Mobile Banking facility through application (Smart phone usage)
3. is a direct Member of CTS/IMPS/UPI. Level II controls given in Annexure-II, in addition to Level I controls. Additional controls include Data Loss Prevention Strategy, Anti-Phishing, VA/PT of critical applications.
Level III RCBs having at least one of the criteria given below:
1. Direct members of CPS
2. having their own ATM Switch
3. having SWIFT interface Level III controls given in Annexure-III, in addition to Level I and II controls.
Additional controls include Advanced Real-time Threat Defence and Management, Risk based transaction monitoring.
Level IV RCBs which are members/sub-members of CPS and satisfy at least one of the criteria given below:
1. having their own ATM Switch and having SWIFT interface
2. hosting data centre or providing software support to other banks on their own or through their wholly owned subsidiaries Level IV controls given in Annexure-IV, in addition to Level I, II and III controls Additional controls include setting up of a Cyber Security Operation Center (C-SOC) (either on their own or through service providers), Information Technology (IT) and Information Security (IS) Governance Framework with higher responsibilities to be put in place within six months of issue of circular.
3. The Board of Directors is ultimately responsible for the information security of the bank and shall play a proactive role in ensuring an effective IT (Information Technology) and IS (Information Security) governance. The major role of top management involves implementing the Board approved cyber security policy, establishing necessary organisational processes for cyber security and providing necessary resources for ensuring adequate cyber security.
4. RCBs shall undertake a self-assessment of the level in which they fit into based on the criteria given in the table above and report the same to the NABARD Regional Offices concerned within 45 days from the date of issuance of this circular.
5. All RCBs shall comply with the control requirements prescribed in Annexure-I within three months from the date of issuance of this circular. Similarly, Level II, III and IV RCBs are required to implement additional controls prescribed in Annexures-II, III and IV respectively.
6. RCBs may adopt higher level of security measures based on their own assessment of risk and capabilities. Further, if an RCB, irrespective of its asset size already has a cyber security framework higher than the self-assessed level in which it fits, then, as a matter of best practice, it is desirable that it continues with the existing governance structure.
7. The Vulnerability Index for Cyber Security Framework (VICS) may be used as a guidance tool for establishing cyber security controls.
8. The primary responsibility of implementing cyber security framework rests with the bank itself. The District Central Cooperative Banks (DCCBs) sharing IT platform with the State Cooperative Banks (StCBs) may review all the prescribed cyber security controls issued in our circulars in consultation with the StCBs. Documentation of the roles and responsibilities of the StCBs and the DCCBs vis-a-vis cyber security framework may be maintained at both DCCB and StCB level.
9. As indicated in our circular dated 16 March 2018, RCBs should report immediately on occurrence, all cyber security incidents (whether they were successful or mere attempts) to CSITE cell, NABARD by email (firstname.lastname@example.org) with a copy endorsed to concerned Regional Office of NABARD. A quarterly NIL report shall be submitted in case no cyber security incidents/threats were observed during the quarter.
10. A copy of this circular may be placed before the Board of Directors in its ensuing meeting.
11. Please acknowledge receipt.
(K S Raghupathi)
Chief General Manager