On October 23, 2017, the Reserve Bank of India (“RBI”), India’s central banking institution, imposed a $1 million fine on Yes Bank Ltd. for failure to report a data breach within two to six hours as mandated by the “Cyber Security Framework in Banks” issued by RBI in June 2016. Under the framework, regulated banks must report all unusual cybersecurity incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank within a two-to-six hour timeframe and provide timely updates if new information comes to light.
In this case, information associated with up to 3.2 million debit cards was compromised between May 21 and July 11 of 2016 due to an exploited vulnerability in third-party software being used by Yes Bank ATMs, though notably, Yes Bank did not find out about the data breach until September 2016.
The action by RBI shows an increasing aggressiveness by regulators outside the U.S. in setting and enforcing strict cybersecurity requirements. The data breach also highlights the sophistication of malware affecting financial technology. With an increasing number of cyber-attacks against financial institutions, proper cyber diligence is growing in importance. The Yes Bank incident also demonstrates that RBI is willing to impose penalties on regulated entities for noncompliance even if noncompliance is tied to the actions of third-party service providers.
The RBI press release can be accessed here.
The RBI Cybersecurity Framework in Banks can be accessed here.