Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Mar. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
The Bank is certified under ISO 27001 and PCI DSS standards. The Bank has implemented various measures to mitigate risks that emanate from offering online banking to its customers. These are briefly enumerated below:
 
 
a) Phishing: We identify phishing sites and trojans targeting our customers and, once identified, these sites are taken down.
 
 
b) Our practice is to send awareness mails to our customers, to educate them about phishing and the measures they should take to protect themselves from falling victim to it. We launched the Vigil Aunty (“VA”) initiative, which encourages people across the country to practice safe banking habits. The customers are guided on safe banking do’s and don’ts via the adopted cast of VA. VA has her own WhatsApp number to connect with customers. In addition, customer ecommerce transactions and card transactions are continuously monitored.
 
 
c) Hacking and Data Theft: We have implemented a network firewall, a web application firewall and an intrusion prevention system at the perimeter of our network, in order to block any attempts made to hack or breach our network.
We have also made significant advancements to further consolidate cyber security through initiatives such as the following:
 
 
 
Next-generation Cybersecurity Operations Center (“CSOC”): The CSOC has brought in significant advancements to improve the overall cyber security posture of the Bank by deploying predictive and proactive security monitoring of Bank IT infrastructure and applications. CSOC operates 24/7/365 to detect and remediate attempts made to breach the Bank’s technology landscape. We have developed an Incident Management Procedure (“IM”), Cyber Security Policy (“CSP”) and Cyber Crisis Management Plan (“CCMP”) that aim to ensure that relevant stakeholders are aware of their roles in the event of any incident. The Bank also carries out “table-top exercises” to test our incident response readiness. Key initiatives covered as a part of the Next Generation CSOC of the Bank are listed below:
 
 
i) AI Powered Security Monitoring: Deployment of a next generation security information and event management (“SIEM”) solution augmented by artificial intelligence (“AI”) and machine learning (“ML”) capabilities, along with strong User and Entity Behavior Analytics (“UEBA”) functionality and built-in threat modelling. This helps in proactively identifying and addressing potential threats before they proliferate.
 
 
ii) Security Orchestration, Automation & Response (“SOAR”) to reduce incident response times by enabling automated triaging for better control, visibility, and preparedness against sophisticated attacks like ransomware.
 
 
iii) Threat intelligence feeds and indicators of compromise received from government agencies, service providers and dark web monitoring vendors are logged in the security technologies deployed in our security operations center (“SOC”).
 
 
 
Attack Surface Management (“ASM”): We are equipped with a dedicated program for ASM, which includes continuous attack surface discovery and probes for weaknesses on the discovered assets. There has been a continuous effort to ensure that all significant weaknesses are remediated within a reasonable timeframe. Additionally, vulnerability management of the Bank’s internet properties, antivirus / malware program, patch management, and penetration testing, among others, minimize the surface area for cyber security attacks and assist in fortifying the Bank’s assets (including infrastructure, applications and others).
 
 
 
Red Team: We proactively assess our cyber assets for vulnerabilities through various periodic tests, which also include red team assessments. We aim to remediate any issues identified during the assessments in a timely manner to ensure that the banking services remain resilient and stay protected against evolving threats.
 
 
 
Anti-DDOS services (Distributed Denial of Service): Subscription to anti-DDOS services for protection against distributed denial of service (“DDOS”) attacks.
The Bank has also undertaken other internal data security measures, and these are briefly enumerated below:
 
 
 
Data Loss Prevention (“DLP”): We have implemented enterprise solutions such as DLP to monitor sensitive data stored, transmitted and shared by users, and to prevent and detect data breaches. DLP agents are deployed on all laptops and endpoints. All endpoints have proxy agents configured to ensure that only authorized websites are accessed. All outgoing e-mails are monitored through the DLP solution.
 
 
 
Laptop Encryption: Data encryption aims to ensure that business-critical and sensitive data is not misplaced, thereby preventing any reputational damage and curtailing monetary losses. Hard disk encryption is implemented on all laptops.
 
 
 
Identity and Access Management (“IAM”): Access to sensitive systems is governed through strict IAM policies, built on the principles of least privilege and the zero-trust model. Specialized privileged access management technologies are used to secure user accounts with privileged access rights. These measures limit access to only authorized personnel and devices, minimizing the risk of unauthorized exposure.
 
 
 
Zero-Trust Architecture: The Bank has adopted a zero-trust architecture approach to foster protection against cybersecurity incidents.
 
 
 
 
Extended Detection and Response (“XDR”): We have implemented an XDR agent on all endpoints and servers in the Bank to protect from zero-day malware attacks. It is designed to detect, investigate, and respond to threats in real time across endpoints, servers, cloud and third-party data sources using advanced analytics and machine learning.
 
 
 
File Integrity Monitoring (“FIM”): We have implemented file integrity monitoring on servers that continuously verifies the authenticity and integrity of files, systems, and applications by comparing them to a known, trusted baseline. It detects unauthorized changes, tampering, or corruption, helping to prevent and detect cyberattacks and data breaches.
 
 
 
Data Activity Monitoring (“DAM”): We have implemented DAM on a database server which tracks and analyzes all database activities in real time. It helps the Bank to identify and report unauthorized or suspicious activities, aiming to ensure data integrity and compliance.
 
 
 
Antivirus: We have implemented an antivirus on both endpoints and servers to protect them by scanning and removing or quarantining known threats, as well as detecting and blocking new or unknown threats. Antivirus programs run in the background and provide real-time protection, updating automatically to stay ahead of emerging threats.
 
 
 
Application Control: We have implemented application control on endpoints to control or prevent execution of unauthorized applications. It employs a “trust-based” and “policy-driven” approach, continuously monitoring and recording endpoint activity to prevent, detect, and respond to cyber threats. This reduces the risk of accidental execution and auto-execution of unidentified applications, thereby protecting against ransomware and malware.
 
 
 
Patch Management: We have implemented a centralized patch management tool that automates the discovery, management, and remediation of endpoints and servers across various operating systems and environments for the available patches. It facilitates patching, software deployment, and compliance with security standards, thus reducing the risk of vulnerability introduction due to lack of timely patching.
 
 
 
Email Security Measures: A Domain-based Message Authentication, Reporting and Conformance (“DMARC”) system is implemented to guard against ‘email spoofing’ and unauthorized domain use.
 
 
 
Cloud Posture and Access Security Tools (“CSPM” and “CASB”): With the growing use of cloud infrastructure, tools such as CSPM and CASB are used to detect misconfigurations, enforce compliance requirements, and proactively reduce cloud-related risks.
 
 
 
Web Application Firewall (“WAF”): We have deployed a cloud-based WAF to protect digital banking applications from online threats. This solution aims to ensure consistent protection while also maintaining optimal performance by dynamically adjusting during high-demand periods. The WAF is also being aligned with our API security initiatives to adequately guard interfaces required to be exposed.
 
 
 
Micro-segmentation: The Bank has deployed a micro-segmentation solution that helps to protect critical assets by providing granular control over network traffic and access to applications and data. By allowing only the necessary ports and processes we seek to ensure that only the required traffic is allowed, and the rest is blocked.
 
 
 
Data privacy: Financial institutions regularly encounter a variety of data-related challenges involving issues such as data quality and accessibility. In today’s highly automated banking environment, such challenges can have serious effects on virtually all aspects of bank operations. Our data privacy program is a highly regulated initiative headed by the Data Privacy Officer (“DPO”) under the direct supervision of the Board and the Chief Data Officer.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Bank has a mechanism to identify cybersecurity incidents and calculate associated materiality utilizing key risk indicators (“KRIs”) that have been integrated into the Bank’s overall risk management system.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
Despite the processes outlined here, we have in the past experienced and may in the future experience cybersecurity incidents from time to time. For a broader description of how risks from cybersecurity threats could materially affect us, including our business strategy, results of operations or financial condition, see “Risk Factors—Technology Risks—We face cybersecurity threats, such as hacking, phishing and trojans, attempting to exploit our network to disrupt services to customers and/or theft or leaking of sensitive internal Bank data or customer information. This may cause damage to our reputation and adversely impact our business and financial results.” and “Risk Factors—Technology Risks—A failure, inadequacy or security breach in our information technology and telecommunication systems may adversely affect our business, results of operations or financial condition.”
Cybersecurity Risk Board of Directors Oversight [Text Block] The Bank has developed a Cybersecurity Policy (“CSP”) and Cybersecurity framework which aim to ensure that appropriate cybersecurity practices are followed across the Bank’s information systems. The CSP is approved by the Bank’s Board.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] To manage risks associated with these areas, we have constituted specialized committees, namely the IT Strategy Committee and the Information Security Committee, which are in addition to the Information Security Group, each with specific roles and responsibilities.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The cybersecurity strategies are periodically presented to the Information Security Committee and IT Strategy Committee of the Board. The cybersecurity risks and their mitigation plans are also presented to the Risk Policy and Monitoring Committee of the Board on a half-yearly basis.
Cybersecurity Risk Role of Management [Text Block]
   
Cyber security and data privacy are of paramount importance to the Bank. To manage risks associated with these areas, we have constituted specialized committees, namely the IT Strategy Committee and the Information Security Committee, which are in addition to the Information Security Group, each with specific roles and responsibilities. We also have in place a cybersecurity framework and an information security program to oversee these risks and mitigate them adequately in order to protect customer information. Our Information Security and Cybersecurity policies lay down the guidelines for implementation of the security measures within the Bank.

   
Information Security Committee (“ISC”): Chaired by the Chief Risk Officer, the ISC is tasked with reviewing information security policy dispensations, making strategic and financial decisions on information security plans, reviewing performance and monitoring the progress of the information security program. It also discusses any significant information security risks, determines actions for risk remediation and approves changes to the constitution and functioning of the ISC. The ISC convenes at least once every two months with representatives from Audit, Information Technology, Information Security Group, and other enabling functions and relevant business units. The CISO proposes and finalizes the ISC agenda, represents the current state of Information Security to the ISC, drives the implementation of the ISC approved ISMS agenda and also reports major security incidents faced by the Bank. The qualifications of our senior management are described under “Management—Senior Management”.
 
   
The Bank has multiple KRIs to regularly monitor all critical aspects of technology risks. KRIs with high risks are monitored closely with a remedial action plan. These KRIs are reviewed through an Internal Capital Adequacy Assessment Process (“ICAAP”) by the ICAAP review committee.
 
   
We also maintain oversight on the information security posture of the Bank, with its information security team publishing an “Executive Metrics” report to senior management on a monthly basis comprising key information security metrics.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chaired by the Chief Risk Officer, the ISC is tasked with reviewing information security policy dispensations, making strategic and financial decisions on information security plans, reviewing performance and monitoring the progress of the information security program. It also discusses any significant information security risks, determines actions for risk remediation and approves changes to the constitution and functioning of the ISC. The ISC convenes at least once every two months with representatives from Audit, Information Technology, Information Security Group, and other enabling functions and relevant business units. The CISO proposes and finalizes the ISC agenda, represents the current state of Information Security to the ISC, drives the implementation of the ISC approved ISMS agenda and also reports major security incidents faced by the Bank.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The qualifications of our senior management are described under “Management—Senior Management”.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] We also maintain oversight on the information security posture of the Bank, with its information security team publishing an “Executive Metrics” report to senior management on a monthly basis comprising key information security metrics.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true