The working group was set up in April 2010 as part of the RBI governor’s Annual Monetary Policy Statement 2010–11, which recommended enhancing guidelines for information technology governance and information security.
The report warned that technology risks are growing for financial institutions in India.
“Technology risks not only have a direct impact on a bank as operational risks but can also exacerbate other risks like credit risks and market risks. Given the increasing reliance of customers on electronic delivery channels to conduct transactions, any security related issues have the potential to undermine public confidence in the use of e-banking channels and lead to reputation risks to the banks. Inadequate technology implementation can also induce strategic risk in terms of strategic decision making based on inaccurate data/information. Compliance risk is also an outcome in the event of non-adherence to any regulatory or legal requirements arising out of the use of IT”, the report said.
The working group issued over 60 recommendations for banks to improve their information security. Among those recommendations, the report says that banks should create a separate information security function and appoint a chief information security officer to oversee that function.
Banks should put in place an information security policy and review it annually. Also, banks should maintain an inventory of IT assets and conduct periodic risk assessments to identify IT vulnerabilities.
In addition, banks should conduct thorough background checks before hiring employees and should keep personnel up to date on information security through training and education.
The working group stressed that the recommendations should not be viewed as a “one-size-fits-all” approach. Implementation of these recommendations needs to be based on the nature and scope of the bank's activities and its technology environment, the report said.