The Bank also has well-defined policies, namely, Information Security Policy, Cyber Security Policy and Information Security Standards and Procedures which provide the framework for effective governance and management of IT risks. These policies have been designed by drawing from several standards and regulations including the RBI Cyber Security Framework, NCIIPC Guidelines for protection, FFIEC Cyber security assessment tool, the SEBI Cyber Security and Resilience Framework for Stock Brokers/Depository participants, IRDA Guidelines on Information and Cyber Security for insurers, Unusual Cyber Security Incidents framework. The Bank has also incorporated industry best practices such as the National Institute of Standards and Technology (NIST) and the regulatory requirements of some other jurisdictions in which the Bank operates. Further, periodic internal and external audits are undertaken and inputs from these assessments are incorporated.

Deploying of Data Loss Prevention System

Considering the criticality and vitality of data protection and security, the Bank has deployed Data Leakage/Loss Prevention (DLP) system with data protection rules for sensitive data exposure from the Bank’s endpoints, emails and web gateways. The Bank has also deployed Digital Rights Management system to define access rights (Read/Write) with pre-defined validity and ensuring the recipients use the data only for its intended purpose.

The Bank also performs endpoint security posture testing while connecting to the Bank’s network. A proxy agent is present on all endpoints to ensure that all computers are connected to the internet securely as per rules laid down by the Bank. Further, DLP has been implemented and all endpoints have been hardened as per the Bank’s policy.

Participation in External Cyber-attack Simulations

The Bank conducts and participates in several cybersecurity attack simulation drills such as spear phishing drills on employees, Distributed Denial of Service (DDoS) attack drills for Internet Service Providers (ISPs), social engineering-based attacks on data centre staff to gain physical access etc. The Bank participates in cyber drills organised by the Institute for Development and Research in Banking Technology (IDRBT) annually in India. The Bank conducts Breach Attack Simulation exercises on its infrastructure with a focus on the crown jewels of the Bank.

The Bank periodically conducts cyber maturity assessments through a third party, which is a comprehensive risk assessment of the cybersecurity posture of the Bank. The last such assessment and benchmarking with global banks was undertaken in fiscal 2022, and the Bank’s cyber posture was at par with global banks.

In view of rapid digitisation and growing cyber threats, it has become imperative to respond quickly and effectively when security incidents occur. As part of incident response, the Bank has a dedicated Cyber Security Incident Response Team (CSIRT).

ISO 27001 is an international standard for information security management

Customer Awareness on Cybersecurity

ICICI Bank regularly conducts customer awareness campaigns through social media, notifications on mobile apps, e-mails and SMS regarding safe banking, cybersecurity as well as modus operandi of frauds prevalent in the society. In addition to proactively carrying out campaigns, the Bank creates awareness using other means like:

• Safe Banking Tips - detailed ‘Do’s and Don’ts’ are updated on the website www.icicibank.com
• Messages along with statement of accounts, physical and online
• Messages printed on the Bank’s stationery and inserts in deliverables
• SMS alerts
• Message on phone banking when the customer calls
• Posters at branches and ATMs

Supported by ICICI Foundation