Cybersecurity Governance

ICICI Bank believes in providing services to its customers in the safest and most secure manner, keeping in mind that protecting customer data is as important as providing quality banking services across the spectrum. The triad of ‘Confidentiality’, ‘Integrity’ and ‘Availability’ is at the heart of building a comprehensive information security framework.

The Bank also lays emphasis on elements like protection from phishing and adaptive authentication, and provides easy-to-use protection and risk configuration capabilities in the hands of customers. In addition, the Bank undertakes campaigns to create awareness among customers on security aspects of banking through digital channels.

Cyber risks form an integral part of the Bank’s enterprise risk management framework. The Bank is committed to working towards aligning itself with the changing threat landscape and has a dedicated team, the Information Security Group (ISG), for cyber/information risk management.

Governance Structure for Information Technology

The Bank has an information/cybersecurity governance framework with representation from the leadership, consisting of organisational structures and processes that help in mitigating growing cybersecurity threats. There is robust oversight by the Board through regular updates from ISG. A monthly risk-based detailed dashboard capturing the various Key Performance Indicators (KPIs), Key Risk Indicators (KRIs) and an offences summary is prepared and reviewed by the Chief Information Security Officer (CISO) and the Chief Risk Officer (CRO) of the Bank.

The Bank also has well-defined policies, namely the Information Security Policy, the Cyber Security Policy and the Information Security Standards and Procedures, which provide the framework for effective governance and management of IT risks. These policies have been designed by drawing from several standards and regulations, including the RBI Cyber Security Framework, the NCIIPC Guidelines for protection, the FFIEC Cybersecurity Assessment Tool, the SEBI Cyber Security and Resilience Framework for Stock Brokers/Depository Participants, the IRDA Guidelines on Information and Cyber Security for insurers and the Unusual Cyber Security Incidents framework. The Bank has also incorporated industry best practices such as those of the National Institute of Standards and Technology (NIST) and the regulatory requirements of other jurisdictions in which the Bank operates. Further, periodic internal and external audits are undertaken and inputs from these assessments are incorporated.

Deployment of Data Loss Prevention System

Considering the criticality of data protection and security, the Bank has deployed a Data Leakage/Loss Prevention (DLP) system with data protection rules against the exposure of sensitive data from the Bank’s endpoints, e-mails and web gateways. The Bank has also deployed a Digital Rights Management system to define access rights (Read/Write) with a pre-defined validity and to ensure that recipients use the data only for its intended purpose.

The Bank also performs endpoint security posture testing when endpoints connect to the Bank’s network. A proxy agent is present on all endpoints to ensure that all computers connect to the internet securely, as per the rules laid down by the Bank. Further, DLP has been implemented and all endpoints have been hardened as per the Bank’s policy.

Controls for IT Infrastructure

Preventive Control

  • Application Security Life Cycle (ASLC)
  • Vulnerability Assessment and Penetration Testing (VAPT)
  • Antivirus
  • Vendor Risk Assessment
  • Firewall
  • Intrusion Detection System (IDS)
  • Access Management
  • Distributed Denial of Service (DDoS) Mitigation

Detective Control

  • Security Operation Centre (SOC) Monitoring
  • Web Application Firewall
  • Network Operation Centre (NOC) Monitoring
  • Red Teaming Exercises

Responsive Control

  • Incident Response Plan
  • Cyber Crisis Management Plan (CCMP)
  • Forensic Agreements with Partners

Participation in External Cyber-attack Simulations

The Bank conducts and participates in several cybersecurity attack simulation drills, such as spear phishing drills on employees, Distributed Denial of Service (DDoS) attack drills with Internet Service Providers (ISPs) and social engineering-based attempts on data centre staff to gain physical access. The Bank participates annually in cyber drills organised by the Institute for Development and Research in Banking Technology (IDRBT) in India. The Bank also conducts Breach Attack Simulation exercises on its infrastructure with a focus on the crown jewels of the Bank.

The Bank periodically conducts cyber maturity assessments through a third party, which is a comprehensive risk assessment of the cybersecurity posture of the Bank. The last such assessment and benchmarking with global banks was undertaken in fiscal 2022, and the Bank’s cyber posture was at par with global banks.

In view of rapid digitisation and growing cyber threats, it has become imperative to respond quickly and effectively when security incidents occur. As part of incident response, the Bank has a dedicated Cyber Security Incident Response Team (CSIRT).

The Bank’s Data Centre is ISO 27001 certified (ISO 27001 is an international standard for information security management).

There were no material incidents of security breaches or data loss during fiscal 2023.

Customer Awareness on Cybersecurity

ICICI Bank regularly conducts customer awareness campaigns through social media, notifications on mobile apps, e-mails and SMS regarding safe banking, cybersecurity and the modus operandi of frauds prevalent in society. In addition to proactively carrying out campaigns, the Bank creates awareness using other means such as:

  • Safe Banking Tips: detailed ‘Do’s and Don’ts’ are updated on the website www.icicibank.com
  • Messages along with statement of accounts, physical and online
  • Messages printed on the Bank’s stationery and inserts in deliverables
  • SMS alerts
  • Message on phone banking when the customer calls
  • Posters at branches and ATMs

The Bank also displays relevant messages at its offices/business centres (branches) for the attention of customers.

During fiscal 2023, the Bank, through ICICI Foundation, conducted an extensive public awareness campaign on fraud prevention on television and social media during International Fraud Awareness Week, which was well received. The campaign created an impact with its new approach to storytelling: a three-part series featuring noted National Award-winning Indian actor Tabu used an engaging approach to educate users about how frauds work.

The campaign was run across the Bank’s digital and social media channels, garnering over 318 million views, 1.02 million likes and 34,000 shares.

Supported by ICICI Foundation
