ICICI Bank believes in providing services to its customers in the safest and secure manner keeping in mind that data protection for its customers is as important as providing quality banking services across the spectrum. The CIA triad of Confidentiality, Integrity, and Availability is at the heart of building a comprehensive information security framework. The Bank also lays emphasis on customer elements like protection from phishing, adaptive authentication, awareness initiatives, and provide easy to use protection and risk configuration ability in the hands of customers. The Bank also undertakes campaigns to create awareness among customers on security aspects while banking through digital channels.
The key elements of the security strategy at ICICI Bank are:
Cyber risks form an integral part of the Bank’s enterprise risk management framework. The Bank is committed to work towards aligning itself with the changing threat landscape and has a dedicated team for cyber/information risk management. There is robust oversight by the Board, with regular updates from the Information Security Group (ISG) of the Bank. A monthly riskbased detailed dashboard capturing the various key performance indicators and key risk indicators associated with Security Operations Centre operations and offenses summary for the month is prepared which is reviewed by the CISO and the Chief Risk Officer of the Bank.
ICICI Bank has an information/cybersecurity governance framework consisting of leadership, organisational structures and processes that help us in mitigation of growing cybersecurity threats. Our cybersecurity governance encompasses management oversight at various levels with the ultimate responsibility assumed by the Board of Directors.
The Executive Committees have diverse crossfunctional members and well-defined terms of reference. Proceedings of these Committees are reported to the IT Strategy Committee. Additionally, the Bank has multiple dashboards to review system stability, continuity and availability and network uptime. The Bank also has a well-defined Information Security Policy, Cyber Security Policy and Information Security Standards and Procedures. These policies have been designed by drawing from various standards and regulations including the Reserve Bank of India's Cyber Security Framework, NCIIPC Guidelines for protection, FFIEC Cybersecurity assessment tool, the SEBI Cyber Security and Cyber Resilience Framework for Stock Brokers/ Depository Participants and the IRDAI Guidelines on Information and Cyber Security for Insurers. The Bank has also incorporated industry best practices such as the National Institute of Standards and Technology (NIST) and the regulatory requirements of various jurisdictions in which the Bank operates. Further, periodic internal and external audits are undertaken and inputs from these assessments are incorporated from time to time. The Bank’s data centre is ISO:27001 certified.
ISO:27001 is an international standard for information security management.
Considering the criticality and vitality of data protection and security, the Bank has deployed Data Leakage/Loss Prevention (DLP) system with data protection rules for sensitive data exposure from the Bank’s endpoints, emails and web gateways. The Bank has also deployed Digital Rights Management system to define access rights (Read/Write) with pre-defined validity and ensuring the recipients use the data only for its intended purpose.
The Bank has made arrangements for all key activities to be performed in a work-from-home environment, through secure Virtual Private Network (VPN) and Virtual Desktop Interface (VDI) and access provided through Two-Factor Authentication. The Bank also performs endpoint security posture testing while connecting to the Bank’s network. A proxy agent is present on all endpoints to ensure that all computers are connected to the internet securely as per rules laid down by the Bank. Further, Data Leakage/Loss Prevention (DLP) has been implemented and all endpoints hardened as per the Bank’s policy.
ICICI Bank conducts and participates in several cybersecurity attack simulation drills such as spear phishing drills on employees, Distributed Denial of Service (DDoS) attack drills for Internet Service Providers (ISPs), social engineering-based attacks on data centre staff to gain physical access etc. The Bank participates in cyber drills organised by the Institute for Development and Research in Banking Technology (IDRBT) annually.
The Bank conducts an external ‘Breach Assessment Exercise’ or a ‘Red Teaming Simulation’ on its infrastructure with a clear and precise focus on the crown jewels of the Bank. There is an ongoing reinforcement of vigilance and awareness through ethical hacking exercises conducted on employees. Business continuity and recovery drills are conducted to assess the Bank’s ability and readiness to combat disasters, to ensure continuity of critical business processes at an acceptable level and limit the impact of the disaster on people, processes and infrastructure.
The Bank conducts comprehensive security awareness programmes to enhance the level of cybersecurity awareness among its customers and employees. The Bank is using multiple channels to reach customers, such as social media, internet banking website, ATM, SMS, emails and posters in branches, among others. The Bank also regularly issues email advisories and conducts quiz on themes like Phishing Attacks, Malwares, System & Asset Security, Display Name Spoofing, Access, Protect Digital Identity, etc. for employees. The increased awareness among employees has also increased the overall cyber resilience of the Bank.
In view of rapid digitation and growing cyber threats, it has become imperative to respond quickly and effectively when security incidents occur. As part of incident response, the Bank has a dedicated Cyber Security Incident Response Team (CSIRT). The incident response process consists of distinct phases such as preparation, prevention, detection and escalation, containment, investigation, eradication, recovery, and post-incident analysis. Further, the Bank periodically conducts mock drills to assess the efficacy of the Incident Response Plan and continuously make improvements.