Banks face multiple guidelines from various authorities on cybersecurity incident reporting. Consistent, documented procedures (SOPs) are essential for effective response, regardless of timing or personnel involved.
Action Plan:
- Understand the Line of Business
- Identify Relevant Regulators and Authorities
- Identify Incident Reporting Guidelines
- Identify Organizational Policies and Top Management Expectations
Documentation and Review:
Compile findings into a document with reporting templates and contact details. Review with stakeholders and the Information Security Committee.
Practice:
Conduct tabletop exercises with dummy contacts and role plays to ensure preparedness.
Scope and Applicability
The plan covers the entire organization, including all locations (data centers, on-premises, co-located, or cloud), internal and external applications, IT service providers, and business service providers.
Reporting Obligations
Mandatory Reporting:
Incidents must be reported to authorities such as RBI, CERT-In, IDRBT, IB-CART, Cybercrime/Police, SEBI, IRDA, Data Protection Board of India, NPCI, Visa/MasterCard, SWIFT, and NCIIPC.
Discretionary Reporting:
Incidents may also be reported to cyber insurers, first responders, forensic investigators, crisis management teams, the board, customers, key partners/stakeholders, media, and international bodies.
Importance of Third-Party Reporting
Third-parties and service providers must report incidents within six hours to allow bank officials to analyze and report to regulators within the stipulated time. This requires revisiting agreements to include regulatory requirements and penalties for non-compliance.
Examples:
- Data compromise at an analytics firm.
- Ransomware attack at a software and support vendor.
Comments