The Ministry of Electronics and Information Technology (MeitY) has designated specific computer resources associated with the Core Banking Solution and UPI Switch of Paytm Payments Bank Ltd as “protected systems” under the Information Technology Act, 2000. This designation signifies the critical nature of these systems in the functioning of the bank and imposes restrictions on access to them.
Access to these protected systems is strictly limited to authorized personnel, including designated employees of Paytm Payments Bank Ltd who have received written authorization from the bank to access these resources. Additionally, team members from contractual managed service providers or third-party vendors can access the protected systems based on specific needs and written authorization from the bank. Consultants, regulators, government officials, auditors, and stakeholders may also access the protected systems but only after receiving individual written authorization from Paytm Payments Bank Ltd on a case-by-case basis.
The scope of the “protected systems” includes not only the core infrastructure but also the computer resources of its associated dependencies. This move aims to enhance the security and integrity of these critical financial systems, mitigating the potential risk of cyber threats and attacks. Given that these systems store sensitive customer data, limiting access to only authorized personnel is crucial to avoid any breaches that could have severe consequences.
As per the notification, Paytm Payments Bank Ltd and its associated stakeholders are required to comply with the government’s directives to ensure the protection of their computer resources. Similar notifications have been issued for other financial institutions, such as Indian Bank, YES Bank, IDBI Bank, and Central Bank of India, designating their critical computer resources as “protected systems” under the IT Act.
With this development, financial institutions may need to implement additional security measures to safeguard their protected systems. Maintaining a record of authorized personnel with access to these systems and their specific permissions may be required. Any instances of unauthorized access to the protected systems should be promptly reported to the relevant authorities to ensure comprehensive cybersecurity and data protection measures are in place.