Rajneesh De, Consulting Editor, APAC News Network
The urban co-operative banks (UCBs) in India have started traversing the digital walk in an attempt to keep pace with the rapidly changing banking landscape of the country. While this indeed is a sign of progress, unfortunately the UCBs have not been able to adequately secure their digital infrastructure. The rural co-operative banks are currently in an even worse state.
In a scenario, where even the highly digitized nationalized PSU banks as well as top notch private banks and the MNC banks are often vulnerable to cyber attacks, the cybersecurity readiness of the digitally novice UCBs is easily comprehensible. Unfortunately, this leaves a significant population of unsuspecting bank users for the co-operative banks totally vulnerable too.
Co-operative Banks: On the Dark Side of the Moon
After all, according to the RBI there are 1,544 urban co-operative banks and 96,248 rural co-operative banks in India. The rural co-operative banks account for 64.7% of the total assets of the co-operative sector. The asset value of urban co-operative banks, on the other hand, exceeds Rs. 563.2 crore.
RBI data shows that during the period 2008-22, banks in India faced 130,000 reported cases of cyber fraud involving an estimated Rs. 700 crore. In comparison to the asset value held by the banks this is really small, however, a severe cyberattack can result in bank failure even when no money is lost directly. In particularly, the cases involving the co-operative banks have been worse for the banking fraternity and customers.
In late 2018, Pune-based Cosmos Bank, India’s second largest co-operative bank, bore the brunt of weak cybersecurity measures, when hackers siphoned off over Rs. 94 crore through a malware attack on one of its servers. In December 2019, data leak from insiders led to the loss of Rs. 29 crores from Mumbai’s Shamrao Vithal Co-operative Bank.
The AP Mahesh Co-operative Urban Bank of Hyderabad witnessed a cyber scam in 2022 that saw cybercrooks siphon off nearly Rs 12 crore from its coffers. Even a bank as small and less known as the Chembur Nagarik Sahakari bank, which has only 10 branches and serves customers located in the Chembur suburb of Mumbai, has reported hackers trying to attack its servers.
There is no scope for complacency though as even these cases do not present an exhaustive picture of cybersecurity breaches in co-operative banks. A lot of incidents of similar proportions often go unreported either because the banks do not realize a data breach in the first place or more often just for the fear reputation loss. And this is just the tip of the iceberg.
What makes co-operative banks more vulnerable
Even most UCBs are extremely ill-equipped to confront cybercrooks. In many cases the bank servers are just connected to the Internet and most of the ports are left open, making them more vulnerable. With rural co-operative banks, the situation is even more pathetic. In Hindi parlance, the situation looks like an open offer of ‘aa bel mujhe maar’ from these banks to the cybercrooks.
Most of these co-operative banks, including even the large UCBs, do not have designated CISOs designing their cybersecurity strategy and roadmap. Instead, it is often the IT managers who double up as CISOs and there is absolute lack of skilled manpower resources. As a result, there is a lack of general awareness about the currently evolving threat landscape. Instead there is an over dependence on vendors or third party solution providers.
For most of these IT managers in UCBs, their cybersecurity world starts and ends with anti-virus only. Things might be even more primitive in the rural co-operative banks. Today’s cyberattacks are much more sophisticated than virus attacks. Unfortunately for those acting as cybersecurity custodians for these co-operative banks, of advent of ransomware attacks, malware attacks, RAT (Remote Access Trojan) attacks, advanced persistent threat (APT) attacks and zero-day attacks, among others would sound like Greek and Hebrew.
With budget being another constraint, these banks often try to secure themselves with low-cost solutions like anti-virus. Though this might have worked in an Utopian world, in today’s real cut-throat scenarios all co-operative banks would need banks needs advanced protection tools like Endpoint Detection and Response (EDR) or extended Detection and Response (XDR) tools.
Another key area of concern for co-operative banks remains the threats from insiders and disgruntled employees. There have been instances during the pandemic when bank employees have asked hackers to extract money from fozen accounts. The only solution is for co-operative banks to deploy proper Data Loss Prevention (DLP) tools that can allow banks to control data that users can access and transfer.
The RBI had made cybersecurity mandatory for banks and set up a protocol for security implementation and attack reporting as early as December 2019. However primarily fear of reputation loss often prevents these co-operative banks from reporting cyber attacks to the concerned authorities. In fact, there are plenty of such cases where co-operative banks fall prey to cyberattacks and lose money as well as data but such instances are never made public due to absence of a proper policy framework that mandate such disclosures.
RBI measures and mission vision
The RBI has categorised the UCBs into four Grades /Levels, Level I, Level II, Level III and Level IV based on the bank’s digital depth and interconnectedness to the payment system landscape. Now based on this gradation system, the RBI has formulated the Cybersecurity Framework based on the grade approach. The UCBs are not allowed to choose and pick from the framework but are mandated to implement the complete framework.
There is however no penalty clause mentioned in the circular for non-compliance by the UCBs, which might have acted as a strong deterrent. But it is mandatory for the UCBs to undertake a self-assessment of the level in which they fit into based on the criteria. The UCBs have to inform their level to their respective RBI Regional Office, Department of Supervision within 45 days from the date of issuance of the circular.
This approach ensures that the UCBs with high IT penetration/ and offering all payment services are brought at par with other banks private and nationalized banks having mature cyber security infrastructure and practices. The grades are often flexible based on risk exposure in terms of the digital services offered by the UCBs.
One good thing is that the RBI has mandated that the Board of the UCBs shall be assigned the primary responsibility for implementing the cyber security controls. In precise words of the RBI circular, “Considering that implementation of cyber security framework would be a cost intensive process, the responsibility for implementation, monitoring, compliance and response would have to be assigned from the Board level and percolate down till the end user. The IT/IS Governance Framework would include appointing a CISO, setting up of various committees such as IT Strategy Committee, IT Steering Committee, etc for UCBs with higher digital depth.”
The RBI Mission for cybersecurity in co-operative banks rests on the following pillars.
Governance Oversight
- Focus on Board Oversight over Cybersecurity
- IT Vision document
Utile Technology Investment
- Creation of reserve/ fund for implementation of IT/ cyber security projects
- Management of Business IT Assets
- Banking Services Availability
Appropriate Regulation and Supervision
- Supervisory reporting framework
- Appropriate guidance in implementing secure practices
Robust Collaboration
- Forum to share best Practices and discuss practical issues and challenges
- CISO Forum for UCBs
- Adoption of Cloud Services – Phase I
Developing necessary IT, cyber security skills set
- Imparting technical Skills to manage IT and Cyber Security
12. Providing awareness/ training for all UCBs on cyber security
Discussion about this post