Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs)

Oct 22, 2018 | by Avantis RegTech Legal Research Team

On October 19, 2018, the Reserve Bank of India (RBI) published the Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs).

The RBI has observed that the level of technology adoption differs across banks in this sector: some banks offer state-of-the-art digital products to their customers, while others maintain their books of account on a standalone computer and use e-mail to communicate with their customers/supervisors/other banks. Hence, the RBI has decided to issue basic cyber security guidelines applicable to all UCBs. However, any UCB, depending on its Self-Risk Assessment, the complexity of its Information Technology (IT)/Information Security (IS) systems, the nature of digital products offered, etc., is free to adopt advanced cyber security norms as decided by its Board.

· Need for a Board-approved Cyber Security Policy:

All UCBs should immediately put in place a Cyber Security policy, duly approved by their Board/Administrator, giving a framework and the strategy containing a suitable approach to check cyber threats depending on the level of complexity of business and acceptable levels of risk. On completion of the process of policy formulation by the Board, a confirmation shall be sent to the Department of Co-operative Bank Supervision, Central Office, C-9, 1st Floor, BKC, Mumbai – 400051 by email within three months from the date of the circular. It shall be ensured that the cyber security policy deals with the following broad aspects, keeping in view the level of technology adoption and digital products offered to the customers:

1) Cyber Security Policy to be distinct from the IT policy/IS Policy of the UCB:

The Cyber Security Policy should be distinct from the IT/IS policy of the UCB so that it highlights the risks from cyber threats and the measures to address/reduce these risks. While identifying and assessing the inherent risks, UCBs should keep in view the technologies adopted, delivery channels, digital products being offered, internal and external threats, etc., and rate each of these risks as Low, Medium, High and Very High.

2) IT Architecture/Framework should be security compliant:

The IT architecture/framework, which includes network, server, database and application, end user systems, etc., should take care of security measures at all times and this should be reviewed by the Board or IT Sub-committee of the Board periodically. For this purpose, UCBs may carry out the following steps:

   i. Identify weak/vulnerable areas in IT systems and processes,
   ii. Allow restricted access to networks, databases and applications wherever permitted, through well-defined processes and approvals including rationale for permitting such access,
   iii. Assess the cost of impact in case of breaches/failures in these areas,
   iv. Put in place a suitable Cyber Security System to address them, and
   v. Specify and document clearly the responsibility for each of the above steps.

A proper record should be kept of the entire process to enable supervisory assessment.

3) Cyber Crisis Management Plan:

   i. A Government of India organisation, CERT-In (Computer Emergency Response Team – India, a Government entity), has been taking important initiatives in strengthening Cyber Security by providing proactive/reactive services and guidelines, threat intelligence and assessment of preparedness of various agencies in different sectors, including the financial sector. CERT-In has also come out with the National Cyber Crisis Management Plan and Cyber Security Assessment Framework. UCBs may refer to CERT-In/NCIIPC/RBI/IDRBT guidelines as reference material for their guidance.

   ii. UCBs should promptly detect any cyber intrusions (unauthorised entries) so as to respond/recover/contain impact of cyber-attacks. Among other things, UCBs, especially those offering services such as internet banking, mobile banking, mobile wallet, RTGS/NEFT/IMPS, SWIFT, debit cards, credit cards, etc., should take necessary detective and corrective measures/steps to address various types of cyber threats.


· Organisational Arrangements:

UCBs should review the organisational arrangements so that the security concerns are brought to the notice of suitable/concerned officials to enable quick action.

· Cyber Security awareness among Top Management/Board/other concerned parties:

UCBs should actively promote among their customers, vendors, service providers and other concerned parties an understanding of their cyber security objectives. Security awareness among customers, employees, vendors, service providers, etc. about the potential impact of cyber-attacks helps in the cyber security preparedness of UCBs.

· Ensuring protection of customer information:

UCBs, as owners of customer sensitive data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with the third party vendors; the confidentiality of such custodial information should not be compromised in any situation. To achieve this, suitable systems and processes across the data/information lifecycle need to be put in place by UCBs.

· Supervisory reporting framework:

UCBs should immediately report all unusual cyber security incidents (whether they were successful or mere attempts) to the Department of Co-operative Bank Supervision, giving full details of the incident. A ‘NIL’ report shall be submitted on a quarterly basis in case of no cyber security incidents.

A copy of the circular shall be placed before the Board of Directors/Administrator in its ensuing meeting and a policy on Cyber Security should be framed by the Board/Administrator immediately. After framing the policy, UCBs are advised to implement basic Cyber Security Controls as indicated in Annex I (page 6) of the notification and report the same to the respective Regional Offices of the Department of Co-operative Bank Supervision on or before March 31, 2019.



