On June 2, the Reserve Bank of India (RBI) announced draft regulations for payment system operators (PSOs), in a move intended to safeguard digital payments amid emerging cyber risks, Economic Times reports.
The RBI proposed that the norms would take effect from April 1, 2024, for large non-bank PSOs. For medium-sized non-bank PSOs, the deadline for implementing the regulation will be April 1, 2026, and for smaller PSOs, April 1, 2028.
The draft directions issued by the regulator will reportedly cover robust governance mechanisms for identifying, assessing, monitoring and managing cyber security risks.
“The directions will also cover baseline security measures for ensuring system resiliency as well as safe and secure digital payment transactions,” the RBI said.
“However, they shall endeavour to migrate to the latest security standards. The existing instructions on security and risk mitigation measures for payments done using cards, Prepaid Payment Instruments (PPIs) and mobile banking continue to be applicable as hitherto.”
The PSO will define appropriate key risk indicators (KRIs) to identify potential risk events and key performance indicators (KPIs) to assess the effectiveness of security controls, according to the draft norms.
The board of each PSO has been made responsible for ensuring adequate oversight of information security risk. However, the primary oversight can be delegated to a sub-committee of the board, which should meet at least once a quarter, the draft norms said.
In addition, the RBI reportedly said that the PSO should undertake a cyber-risk assessment exercise relating to the launch of new products, services, and technologies or the undertaking of major changes to the infrastructure or processes of existing products and services.
“Action points emanating from such assessment will be implemented under the oversight of the CISO or equivalent executive,” it said.
The central bank has sought feedback on the draft norms by June 30.
The draft norms said that existing instructions concerning security and risk mitigation for card payments, prepaid payment instruments (PPIs) and mobile banking will remain in effect.
The PSO has reportedly been asked to formulate a board-approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised. The policy should be reviewed annually.
The draft norms mandated that the PSO develop a business continuity plan (BCP) based on different cyber threat scenarios, including extreme but plausible events to which it may be exposed. The BCP should reportedly be reviewed at least once a year and include a comprehensive cyber incident response, resumption and recovery plan, to manage cyber security events or incidents.
“The BCP shall be designed to enable rapid recovery from any adverse event and facilitate safe resumption of critical operations aligned with Recovery Time Objective (RTO) and Recovery Point Objective (RPO) while ensuring the security of processes and data. The PSO shall strive to achieve near-zero RPO,” the draft norms said, adding that a Disaster Recovery (DR) facility should be in a different geographical area than the Primary Data Centre (PDC).
In terms of cyber security preparedness, the PSOs have been asked to prepare a specific board-approved cyber crisis management plan (CCMP) to detect, contain, respond and recover from cyber threats and cyberattacks.
The norms stated that responsibility and accountability for implementing the information security policy and the cyber resilience framework, as well as for continuously assessing the overall IS posture of the PSO, should be assigned to a senior-level executive such as a chief information security officer (CISO).
The PSO should include measures to protect its network and systems from external threats, the draft norms said.
The PSO must also reportedly put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information (both in transit and at rest) in respect of data available with it or at vendor-managed facilities, commensurate with the criticality and sensitivity of the information held/transmitted.
“Application and database security controls shall focus on secure handling, storage and protection of data, in particular, Personally Identifiable Information. Data in transit and rest shall be secured through either data or channel encryption or both,” the RBI said.
Source: Economic Times
(Quotes via original reporting)