Indian Bank Fined for Not Meeting RBI Security Guidelines
Some Security Experts Call for RBI to Sanction Executives
The Reserve Bank of India, the country's central bank, has imposed a fine of 10 million rupees ($139,000) on Indian Bank for failing to adhere to RBI's cybersecurity guidelines.
But some security experts are calling on RBI to do more than just issue financial penalties to banks with lax security, such as by punishing bank executives.
RBI did not describe the details of how Indian Bank failed to meet the cybersecurity guidelines, but spoke in general terms.
"This penalty has been imposed in exercise of powers vested in RBI under the provisions ... the Banking Regulation Act, 1949, taking into account the failure of the bank to adhere to the aforesaid guidelines and directions issued by RBI," says Ajit Prasad, RBI assistant adviser, in a statement. "This action is based on deficiencies in regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank with its customers."
Not A First
This is not the first time RBI has issued a major fine. Last year, the central bank fined Yes Bank INR 60 million ($831,000) for tardy breach reporting.
According to RBI notification rules, banks must report breaches within two to six hours of discovery, even if a third party is responsible for the incident. The Yes Bank incident had affected 3.2 million debit cards. In that case, the bank was fined for non-compliance with the directions issued by RBI on Income Recognition Asset Classification norms and for delayed reporting of an information security incident involving the bank's ATMs.
Go Beyond Monetary Fines
Some security experts are commending RBI for fining Indian Bank, saying it reflects the importance of following RBI's security guidelines.
"Normally, organizations in India take regulatory compliance lightly due to laxity of regulators. Any regulator is supposed to take care of the interests of various stakeholders," says Rakesh Goyal, managing director at Sysman Computers, a CERT-In empaneled auditing firm. "It's a good sign that RBI, as a regulator, is showing a stick to law breakers. This will work in the interest of bank customers, government and society."
But other security experts argue that monetary penalties are not effective unless they are combined with other stronger punishments.
"The huge amount of monetary penalty is a welcome move, no doubt. But I strongly feel this is not sufficient," says Bangalore-based Na. Vijayashankar, cyber lawyer and advocate. "The monetary fine will be paid out of the resources of the bank which is the money of the public. Even if it is Rs 100 million, it will be paid without anybody becoming wiser. What needs to be done is to blacklist the chairman and ensure that he or she learns a lesson."
C.N. Shashidhar, founder at SecurIT Solutions, makes a similar observation: "We need to go beyond monetary penalties in order to make the banks more responsible for their actions," he says.
"RBI should announce that CEOs of banks which fail to meet security standards will be put behind bars if they suffer a breach. Only then will the management wake up to take security seriously. By just imposing monetary penalties or by naming and shaming a bank, little is achieved. In such cases, usually the CIO is made the scapegoat and is asked to resign and business continues as usual."
RBI Notifications Ignored?
The RBI regularly notifies banks of the cybersecurity measures they need to carry out.
A few months back, it issued a notice to all cooperative banks advising them to exercise caution when deploying third-party core banking applications and to check that these meet appropriate security standards. It warned the banks to ensure, using appropriate risk assessment methods, that the versions of third-party applications they are running meet adequate security requirements.
But too often, banks of all sizes ignore RBI notifications, some security experts say.
"I have named chairpersons of several big banks who time and again conduct unsafe banking," Vijayashankar says. "There is little they are doing, and for many, investing in security is still [seen as] an additional cost. The only solution is to personally fine and shame the chairman."