NBFC

IT Policy for NBFC as per Reserve Bank of India

IT Policy NBFC

NBFCs shall have an IT organizational structure commensurate with the size, scale and nature of the business activities they carry out. A Non-Banking Financial Company (NBFC) may designate a senior executive as the Chief Information Officer (CIO) or In-Charge of IT operations, whose responsibility is to ensure implementation of the IT Policy down to the operational level, covering IT strategy, value delivery, risk management and IT resource management. To ensure technical competence at the senior/middle level of management, the NBFC should carry out a periodic assessment of its IT training requirements so that sufficient, competent and capable human resources are available. NBFCs must have a Board-approved IT Policy built on the following basic tenets:

  • Confidentiality – Ensuring that sensitive data is accessible to authorized users only
  • Integrity – Ensuring the accuracy and reliability of information by ensuring that it is not modified without authorization
  • Availability – Ensuring that data is available to users without interruption whenever it is needed
  • Authenticity – For information systems (IS), ensuring that data, transactions, communications and documents (electronic or physical) are genuine

Action Plan for NBFC

Formulate a Board-approved IT Policy – The policy shall be in line with the organizational objectives.

Develop an IT organizational structure – The structure shall be commensurate with the size, scale, and nature of business activities carried out by the NBFC.

Designate a senior executive as the Chief Information Officer (CIO) or In-Charge of IT operations – The responsibility of such an officer shall be to ensure implementation of the IT Policy down to the operational level, covering IT strategy, value delivery, risk management and IT resource management.

Formulate a periodic assessment of IT training requirements – To ensure technical competence at senior/middle-level management and to ensure that sufficient, competent and capable human resources are available.

The IS Policy must provide for an IS framework with the following basic elements

  • Identification and Classification of Information Assets – NBFCs shall maintain a detailed inventory of information assets, with distinct and clear identification of each asset.
  • Segregation of functions: There should be segregation of the duties of the Security Officer/Group (both physical security as well as cybersecurity) dealing exclusively with information systems security and the Information Technology division which actually implements the computer systems. The information security function should be adequately resourced in terms of the number of staff, level of skill and tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there should be clear segregation of responsibilities relating to system administration, database administration and transaction processing.
  • Role-based Access Control – Access to information should be based on well-defined user roles (system administrator, user manager, application owner, etc.). NBFCs shall avoid dependence on one or a few persons for a particular job. There should be a clear, documented delegation of authority for the right to upgrade/change user profiles and permissions, and also for changing key business parameters (e.g. interest rates).
  • Personnel Security – A few authorized application owners/users may have intimate knowledge of the financial institution's processes, and they pose a potential threat to systems and data. NBFCs should have a process of appropriate checks and balances in this regard. Personnel with privileged access, such as system administrators and cybersecurity personnel, should be subject to rigorous background checks and screening.
  • Physical Security – The confidentiality, integrity and availability of information can be impaired through physical access to, or damage to or destruction of, physical components. NBFCs need to create a protected environment for the physical security of IS assets, such as a secure location for critical data and restricted access to sensitive areas like the data center.
  • Maker-checker – This is one of the important principles of authorization in the information systems of financial entities. For each transaction, at least two individuals must be necessary for its completion, as this reduces the risk of error and ensures the reliability of the information.
  • Incident Management – The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analyzing and responding to information security incidents.
  • Audit Trails – NBFCs shall ensure that audit trails exist for IT assets, satisfying their business requirements (including regulatory and legal requirements), facilitating audits, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
  • Public Key Infrastructure (PKI) – NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication, and non-repudiation.
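The role-based access, maker-checker and audit-trail requirements above can be modelled as a single authorization layer. The following is an added illustration, not code from the page or any RBI publication; the role names, permission table and sample users are constructed for the example.

```python
from dataclasses import dataclass

# Constructed role/permission table (hypothetical; not prescribed by the RBI direction).
PERMISSIONS = {
    "maker": {"create_txn"},
    "checker": {"approve_txn"},
    "supervisor": {"create_txn", "approve_txn"},   # holds both rights, still not both on one txn
}

@dataclass
class Txn:
    txn_id: int
    amount: float
    maker: str
    status: str = "pending"     # pending -> completed
    checker: str = ""

class Ledger:
    def __init__(self, roles):
        self.roles = dict(roles)   # user -> role name
        self.txns = {}
        self.audit = []            # (user, action, detail, outcome): every attempt is logged

    def _allowed(self, user, perm, detail):
        # Role-based check; denied attempts are recorded, not silently dropped.
        ok = perm in PERMISSIONS.get(self.roles.get(user, ""), set())
        self.audit.append((user, perm, detail, "ALLOWED" if ok else "DENIED"))
        return ok

    def create_txn(self, user, txn_id, amount):
        if not self._allowed(user, "create_txn", f"txn {txn_id}"):
            return False
        self.txns[txn_id] = Txn(txn_id, amount, maker=user)
        return True

    def approve_txn(self, user, txn_id):
        t = self.txns.get(txn_id)
        if t is None or t.status != "pending":
            return False
        if not self._allowed(user, "approve_txn", f"txn {txn_id}"):
            return False
        if user == t.maker:
            # Maker-checker: a second individual must complete the transaction.
            self.audit.append((user, "approve_txn", f"txn {txn_id}", "DENIED: self-approval"))
            return False
        t.status, t.checker = "completed", user
        return True
```

The audit list is what an information security auditor would review: it shows both the completed approvals and the rejected self-approval attempt by the supervisor.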

Cyber Security

  • Need for a Board-Approved Cyber-Security Policy

NBFCs are required to put in place a cyber-security policy, duly approved by their Board, that sets out a strategy containing an appropriate approach to combat cyber threats given the level of complexity of the business and the acceptable levels of risk. NBFCs must review their organizational arrangements so that security concerns are appreciated, receive adequate attention and are escalated to the appropriate levels in the hierarchy to enable quick action.

  • Vulnerability Management

A vulnerability can be defined as an inherent configuration flaw in an organization's information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information about the organization. Vulnerability management is the ongoing process of deciding how to eliminate or mitigate vulnerabilities based on the risk and cost associated with them. NBFCs may devise a strategy for managing and eliminating vulnerabilities, and such a strategy should be clearly communicated in the Cyber Security policy.

  • Cybersecurity Preparedness Indicators

The capability of, and adherence to, the cyber resilience framework must be assessed and measured through the development of indicators that gauge the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness of stakeholders, including employees, may also form part of this assessment.

  • Cyber Crisis Management Plan

A Cyber Crisis Management Plan (CCMP) should be evolved immediately and should form part of the overall Board-approved strategy. The CCMP should address the following four aspects: (i) Detection, (ii) Response, (iii) Recovery and (iv) Containment. NBFCs need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond to, recover from and contain the fallout. NBFCs are expected to be well prepared to face emerging cyber-threats such as 'zero-day' attacks, remote access threats and targeted attacks. Among other things, NBFCs should take the necessary preventive and corrective measures to address various types of cyber threats including, but not limited to, denial of service, distributed denial of service, crypto ware, destructive malware, business email frauds containing spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password-related frauds, etc.

  • Cyber-Security Awareness Among Stakeholders / Top Management / Board

It should be recognized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This requires a high level of awareness among staff at all levels. Top Management and the Board should also have a fair degree of awareness of the finer nuances of the threats, and appropriate familiarisation sessions may be organized. NBFCs should proactively promote, among their customers, vendors, service providers and other relevant stakeholders, an understanding of their cyber resilience objectives, and require and ensure the appropriate action to support their synchronized implementation and testing.

  • Digital Signature

A Digital Signature Certificate authenticates an entity's identity electronically. It also provides a high level of security for online transactions by protecting the privacy of the information exchanged using the certificate. NBFCs may consider the use of digital signatures to protect the authenticity and integrity of important electronic documents and also for high-value fund transfers.

  • IT Risk Assessment

NBFCs should undertake a comprehensive risk assessment of their IT systems at least once a year. The assessment should analyse the threats and vulnerabilities to the NBFC's information technology assets and its existing security controls and processes. The outcome of the exercise should be to identify the risks present and to determine the level of controls necessary for their appropriate mitigation. The risk assessment should be brought to the notice of the Chief Risk Officer (CRO), the CIO and the Board of the NBFC, and should serve as an input for the Information Security Auditors.

  • Mobile Financial Services

NBFCs that are already using or intending to use Mobile Financial Services should develop a mechanism for safeguarding information assets that are used by mobile applications to provide services to customers. The technology used for mobile services should ensure confidentiality, integrity, authenticity and must provide for end-to-end encryption.

  • Social Media Risks

NBFCs using social media to market their products must be well equipped to deal with social media risks and threats. As social media accounts are vulnerable to account takeover and malware distribution, proper controls, such as encryption and secure connections, should be in place to mitigate such risks.

  • Training

The human link is the weakest link in the information security chain. Hence, there is a vital need for an initial and ongoing training and information security awareness program. The program should be periodically updated in view of changes in the information technology systems, threats/vulnerabilities and/or the information security framework. There needs to be a mechanism to track the effectiveness of training programs through an assessment/testing process. At any point in time, NBFCs need to maintain an up-to-date status of user training and awareness relating to information security.
