Due Diligence: Chairman of Banks in India
Today two interesting news reports have appeared in
the newspapers. These reports have come to my notice as a common man and
if I were merely one of those "Mr Citizen" types, I would have perhaps
ignored the news or at best glanced through them and proceeded to more
interesting news of what Sachin says or which new scam is on the table,
etc.
As an ex-Banker and presently a Techno Legal Information Security
Consultant as well as a Netizen activist, however, my thoughts run in a
different direction and I would like to point this out for the specific
notice of the Chairmen of various Banks in India. Many of these Chairmen
are persons of my generation and not Information Technology experts.
They know more about NPA guidelines than about Information Security
guidelines. They might therefore have missed an important action point
that arises when they read such stories in the newspapers. The
objective of this article is to highlight this responsibility of the
Chairman of a Bank.
The first story I am referring to is the news from Hindustan Times titled
"Writing on the wall spelt bad news for Dadar
bank", which reports that in one of the branches of Union Bank of
India at Dadar, Mumbai, there was a burglary in which the burglars
entered the cashier's room, took the key to the strong room and opened
the strong room, all at night. Don't ask me why the key to the strong
room was left in the cashier's drawer. There is one more interesting
aspect to this incident. It appears that the Bank had set up a burglar
alarm system which was programmed to go off if the strong room was opened,
even with the genuine key, outside the designated hours. Police were
wondering why the alarm did not ring. It was later observed that on the
wall of the strong room a number had been written, and this was actually
the PIN to deactivate the alarm system. It is reported that this had been
on the wall for the past 6 months and nobody seems to have realized the
risk. Sometimes we blame customers of banks who write the ATM PIN on
the card itself, so that when they lose the card the thief finds it
convenient to use the card to draw money from ATMs. We blame the
ignorance of the customers and express pride that "Banks' systems are
secure and it is only the ignorant customers who bring a bad name to
them". Now the customers of the Banks can also have their share of
making fun of Bankers' sense of security.
The second report is the article in Deccan Herald titled "Hackers may
catch Indian banks napping". This article
carries the reaction of a CISO of a Bank to a security query, which needs
some introspection. When informed of a security hole in the Bank's
system he is reported to have stated: "Has a fraud happened? If not, why
worry?". Well, it is not the worry of the security consultant that the
Bank is not concerned about a security flaw. It is the worry of the customers of the
bank, since the security hole is likely to show up in phishing attacks in
which they will lose money.
Under the circumstances when news reports such as these come to the
knowledge of a Bank's Chairman, or an Independent Director, it is
necessary for us to remind them of their fiduciary responsibilities.
A Bank's Chairman is the CEO and he is ultimately responsible for the
security, and when it goes wrong, he has to face the civil and criminal
liabilities that attach to him in law as "Vicarious liability". The
independent Directors as well as other Directors are also equally
responsible for the management of the Bank and hence they also need to
be conscious of their liabilities for security lapses.
It should be noted that the management of the Banks involved in the above
two incidents, as well as every other Bank which has come to know that
such a security lapse exists in its system, now has the responsibility to
initiate a corrective action which qualifies as "Due Diligence" under
law. For example, if I am the Chairman of Union Bank I need to
immediately take action to pull up the responsible executives and also
send circulars to all Branches to avoid such security lapses. I need to
call a meeting of the top executives, discuss, chart out a correction
plan and document the meeting. I also need to follow up with
disciplinary action against the erring personnel, since blanket
condonation of a security lapse is not acceptable in security best
practice.
As regards the Deccan Herald report, where the name of the bank is not
known, the first due diligence action which I as the Chairman of any Bank
should take is to call a meeting with my CISO and CIO (if different
persons handle the security of the information system and
general security) and enquire whether it was he who is referred to in the
Deccan Herald report, and if
so, what the security hole is and how it can be breached. I need to
document this meeting and follow up with a letter addressed to the CISO
for necessary action and reporting back before the next Board meeting,
when it should be placed before the Board for information. I should also
send out a circular to all the executives pointing to this report as
well as the Dadar Union Bank burglary report and initiate corrective
action and reporting back to the Board within a reasonable time. These
are the obligations cast on the Chairmen of Banks both under ITA 2008
and the Gopalakrishna Working Group report.
If I am an Independent Director of a Bank then I will raise this issue in
a letter which I will write today to the Chairman and also request him
to discuss this in the next Board meeting. This will be my part of "Due
Diligence". I will also raise in this letter the question of what action the Bank
has taken to implement the G Gopalakrishna Working Group report on E-Banking,
for which the first deadline prescribed by RBI is October 31st.
I hope that some of the thoughts expressed by me here as an ex-Banker,
groomed in the earlier physical Banking era and migrated to the area of
Information Security in the digital era, are also the thoughts of the top
management in Banks, who also belong to my generation, with the same
commitment to the safety of the customers though not with the same
exposure to security issues.
Naavi
July 13, 2011
Related report in DH
Related report in HT
Comments are Welcome at
naavi@vsnl.com