The Reserve Bank of India (RBI) has, by an order dated December 12, 2022, imposed a monetary penalty of ₹2.66 crore (Rupees Two crore sixty-six lakh only) on Bank of Bahrain & Kuwait BSC, India Operations (the bank) for non-compliance with directions issued by RBI on “Cyber Security Framework in Banks”. This penalty has been imposed in exercise of powers vested in RBI under the provisions of section 47 A (1) (c) read with sections 46 (4) (i) of the Banking Regulation Act, 1949 (the Act).

This action is based on the deficiencies in regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank with its customers.

Background

The Information Technology examination of the bank conducted by RBI in October 2021, cyber security incident reported by the bank to RBI and all related correspondences pertaining to the same revealed non-compliance with aforesaid directions to the extent, that the bank failed to (i) implement systems to detect unusual and unauthorized, internal or external activities in its database; (ii) implement Security Operations Centre for obtaining real-time / near-real time information and insight into the security posture of the bank; (iii) enable audit logs for database and operating system of servers; (iv) disallow administrative rights on end-points; (v) implement multi factor authentication for accessing the critical servers; (vi) implement appropriate systems and controls to allow, manage and monitor access to critical servers; (vii) have a Cyber Crisis Management Plan ; (viii) implement a system to generate alerts on real time basis, integrate logs with centralized monitoring solution & review alerts/logs; and (ix) put in place a mechanism to ensure the integrity of critical files of applications, databases and operating systems, all of which resulted in an unauthorized intrusion going undetected and the cyber security incident later. In furtherance to the same, a notice was issued to the bank advising it to show cause as to why penalty should not be imposed on it for failure to comply with the directions issued by RBI, as stated therein.

After considering the bank’s reply to the notice, oral submissions made during personal hearing and additional submissions made by it, RBI came to the conclusion that the charge of non-compliance with the aforesaid RBI direction was substantiated and warranted imposition of monetary penalty, to the extent of non-compliance with such directions.

(Yogesh Dayal)     
Chief General Manager

Press Release: 2022-2023/1408