We believe that in the modern digital age, cyber security is vital to protect the Bank’s as well as its customers’ assets and to ensure the continued trust of our stakeholders. In line with this, we have adopted a multi-dimensional approach to cyber security. The triad of confidentiality, integrity, and availability lies at the heart of the information security framework implemented at the Bank.
The Bank’s information/cyber-security governance framework consists of leadership, organisational structures and processes that help us to mitigate cyber-security threats. Our cyber-security governance encompasses management oversight at various levels, with ultimate responsibility assumed by the Board of Directors.
Governance Structure for Information Technology
The governance structure for management of information/cyber security risk is helmed by the IT Strategy Committee, the Risk Committee and the Audit Committee, all of which are Board-level Committees chaired by Independent Directors. At the executive management level, there are specialised Committees for reviewing key areas of IT and cyber risk. These include the Information and Cyber Security Committee, the IT Steering Committee and the Business Continuity Management (BCM) Steering Committee, which have diverse cross-functional membership and well-defined terms of reference. Proceedings of these Committees are reported to the IT Strategy Committee.
As part of our Secure by Design philosophy, we ensure that every new piece of infrastructure or application inducted is put through rigorous security testing. In addition, we perform continuous scanning of our IT infrastructure and application landscape to identify any potential issues. The Bank has a 24x7 Security Operation Centre (SOC) for monitoring and surveillance of IT systems.
Given the criticality of data protection, we have deployed a Data Leakage/Loss Prevention (DLP) system with data protection rules to detect and prevent sensitive data exposure from the Bank’s endpoints, emails and web gateways.
During the outbreak of Covid-19, the Bank’s first priority has been to minimise disruption to customer services. To address this, and to ensure that employees’ safety is also not compromised, we made arrangements for all key activities to be performed on a work from home (WFH) model through secure VPN (Virtual Private Network) and Virtual Desktop Infrastructure (VDI). The Bank rolled out one of the largest WFH infrastructures in the country within a few weeks of the onset of the pandemic.
During this period, the Information Security Group has also issued detailed advisories on Do’s and Don’ts for staff to follow when they work from home. This is being followed up with regular snippets on information security best practices. We are continuously auditing the work from home setup for our security controls, including aspects such as identity and access management, data protection, and other parameters. Our 24x7 Security Operation Centre has also configured specific rules to continually monitor logs from VPN services and generate alerts in case of any unusual events. Further, DLP rules have been enhanced to prevent sensitive data exposure by employees. There were no material incidents of security breaches or data loss during fiscal 2021.
The Bank also lays emphasis on customer protection aspects such as anti-phishing measures, adaptive authentication and awareness initiatives. We have been a pioneer in enabling customers to easily configure control parameters related to their cards, such as limits and international access, on a self-service and real-time basis from the internet and mobile channels of the Bank. This enables customers to protect their cards from misuse.
ICICI Bank is committed to protecting the privacy of individuals whose personal data it holds, and to processing such personal data in a way that is consistent with applicable laws. It is important for employees and businesses to protect customer data and follow the applicable privacy laws in India and overseas locations to ensure the safety and security of data. We believe that the data privacy framework should be in line with evolving regulatory changes and digital transformation.
The Bank has a global presence in several overseas jurisdictions including Hong Kong, Singapore, United States, United Kingdom, Canada, China, Dubai International Financial Centre and Bahrain. We are committed to ensuring compliance with applicable laws across these jurisdictions. We have an integrated and centralised strategy for achieving data privacy compliance across all jurisdictions. A set of principles has been defined with respect to handling customer data. There is a mechanism in place for reporting any form of personal data incident, which is accessible to all employees in the Bank. The Personal Data Incident Handling Forum (PDIHF) comprises the Data Protection Officer and senior members from the Information Security Group, Operational Risk Management Group, Fraud Management Group, Human Resources, Compliance and the Legal Team.
Personal data related incidents reported through the service request undergo a detailed investigation, and a report on them is presented to the PDIHF on a monthly basis.
We have a dedicated Data Privacy Team headed by a Data Protection Officer (DPO), which oversees all privacy-related developments for the Bank as a data processor for the international banking business and as a data controller for the NRI and remittance businesses. Various data privacy awareness initiatives and periodic trainings are conducted by the Data Privacy Team. A Privacy Steering Committee meets every quarter and oversees various privacy-related initiatives. Further, the Bank’s Code of Business Conduct and Ethics provides the guidelines on customer privacy and confidentiality of data.