The Reserve Bank of India (RBI) has set up a new subsidiary for IT and Cybersecurity
The following is quoted from the official information release:
“Reserve Bank of India (RBI), a statutory organization established under the RBI Act, 1934 is in the process of setting up of an Information Technology (IT) Subsidiary to take care of the IT requirements including cyber security needs of the Reserve Bank and its regulated entities.
The IT Subsidiary would focus on IT and cyber security (including related research) with specific focus on the financial sector and assist in IT Systems audit and assessment of the RBI regulated entities; advise, implement and maintain internal or system-wide IT projects (both existing & new) of the Reserve Bank and manage the critical IT systems of the Reserve Bank as mutually decided between the Reserve Bank and the subsidiary.
The IT Subsidiary would act as a think-tank for innovation, big systems and new ideas. The focus would be on IT strategy for regulation and to create a think-tank for material of high intellectual caliber, apart from having the capability to guide the regulated entities on what needs to be done in the IT area of their operations, as also for the RBI’s IT related functions and initiatives.
Given the need for inter-operability and cross-institutional cooperation, the entity would be expected to be effectively participating in setting up of standards to strengthen Reserve Bank’s role as regulator. The entity shall have Advisory Committees to provide guidance on cyber security, current and futuristic requirements of entities regulated by the Reserve Bank, particularly from the regulatory and supervisory perspectives and to advise Reserve Bank on its IT Systems and its projects/procedures. The subsidiary would report periodically to apex level committees of the Reserve Bank including Board for Financial Supervision, Board for Payment and Settlement Systems and the IT Sub-committee of the Board as required, and to the RBI’s Central Board of Directors, whenever required.”
They have recruited Nandkumar Sarvade as the CEO; his role and responsibility can be viewed in the advertisement which was put out in November.
Any move for security of Indian cyberspace is welcome and we hope that this organization will also work hard and contribute positively to the security of the financial sector in the country.
As we look at this today, the as-yet-unnamed organization has a mandate which translates into the following four verticals:
1. Cyber Security
2. Research and Innovation including collaboration with other institutions including IDRBT, Hyderabad
3. IT Systems Audit and Assessment of RBI regulated entities
4. IT Project Management including Support and Advisory Services
For each of the above they will recruit an industry professional to be designated as “Vertical Head” or “Senior VP” – nice to have corporate designations and there are many accomplished professionals in the country who can capably fill these positions. We hope that the remuneration offered is really industry standard. Currently, the process of recruiting the vertical heads is on. More information is available and one can view the job advertisement.
However, the question which arises today is whether this body will have supervisory or regulatory authority over the RBI constituents; otherwise, how will it fulfill mandates #1, 2, and 4? Research is okay, and one expects a lot in this area from these institutions.
Then, as indicated above, there is the requirement for this organization to report (whenever required) to apex level committees of the Reserve Bank, including:
1. Board for Financial Supervision,
2. Board for Payment and Settlement Systems
3. IT Sub-committee of the Board as required
4. RBI’s Central Board of Directors
This may worry all concerned: there are multiple reporting authorities, and the persons who head them may be career bureaucrats or bankers who may not have a vision and knowledge of the cyber domain matching that held by the CEO/SVP/VP et al. Whether or not there is a risk of conflict in the design is speculative (to say the least), but then unknowns have this attribute that is generally termed FUD (fear, uncertainty and doubt).
In any case we join the country in welcoming this organization and the CEO and wish him the best for his success. He leaves his previous position with DSCI pretty early but then NASSCOM is holding the data security torch “more” firmly than ever before. Earlier it was DSCI-NASSCOM and now (as he moves on) it is NASSCOM-DSCI but that’s another story. Time will unfold developments and for the present we look ahead with hope as Mr Sarvade starts on this new journey in government which is familiar territory for him – will the values and goals of transparency, innovation, cooperation, inter-operability, cross institutional cooperation, think tank for new ideas be upheld and bring forth the planned results; will the ‘system’ allow and follow change; will he overcome…
There is a lot to be done to secure the financial infrastructure, and the country cannot wait for ‘SWIFT type’ wake-up calls, ATM thefts or data heists, as these have a debilitating effect on the economy and public confidence. Attacks will not diminish, and (as I had said years back) the worst may be yet to come and we are bound to see the rise and rise of organized gangs increasingly for theft, money laundering and more.
To re-iterate, our best wishes to all concerned and may the force be with you!