RBI Cybersecurity Framework: What Banks & NBFCs Must Comply With

The Reserve Bank of India (RBI) has issued several Master Directions that mandate comprehensive cybersecurity frameworks for banks, NBFCs, payment aggregators, and payment gateways. Non-compliance isn't just a regulatory risk — it can result in business suspension. Here's your practical guide.

📋 Key RBI Cybersecurity Directives

1. Master Direction on IT Governance, Risk, Controls and Assurance Practices (ITGRC)

This is the most comprehensive RBI IT directive, applicable to Scheduled Commercial Banks, Urban Co-operative Banks, and NBFCs. It covers:

• IT governance structure and IT Strategy Committee
• IT risk management framework
• Information Security policy and controls
• Business Continuity Planning (BCP) and Disaster Recovery (DR)
• IT Audit requirements and internal assurance
• Vendor and outsourcing risk management
• Data governance and data quality management

2. Cybersecurity Framework for Banks (2016 & Updates)

Originally released in 2016 and updated several times, this framework requires banks to:

• Establish a Board-approved Cybersecurity Policy
• Set up a Cybersecurity Operations Centre (CSOC) or equivalent
• Implement layered security architecture
• Conduct regular Vulnerability Assessments and Penetration Tests (VAPT)
• Implement Security Information and Event Management (SIEM)
• Report cyber incidents to RBI within prescribed timelines
• Implement Cyber Crisis Management Plan (CCMP)

3. RBI Master Direction for Payment Aggregators (PA) and Payment Gateways (PG)

Payment aggregators and gateways must comply with specific cybersecurity requirements including:

• PCI-DSS compliance for card data environments
• Annual VAPT by CERT-In empanelled auditors
• Fraud risk management systems
• Data localization — all payment data must be stored in India
• Baseline cybersecurity and resilience framework

4. NBFC IT Framework (Scale-Based Regulation)

Under RBI's Scale-Based Regulation for NBFCs, upper layer and middle layer NBFCs face enhanced IT governance requirements aligned with the ITGRC directions, proportionate to their scale and risk profile.

🔒 Minimum Cybersecurity Controls Required

Network Security

• Segmentation of internet-facing, DMZ, and internal networks
• Next-Generation Firewall (NGFW) deployment
• Web Application Firewall (WAF) for internet-facing applications
• Intrusion Detection and Prevention Systems (IDS/IPS)
• DDoS protection for critical services

Identity and Access Management

• Multi-Factor Authentication (MFA) for all privileged and remote access
• Privileged Access Management (PAM) for administrative accounts
• Role-Based Access Control (RBAC) with regular access reviews
• Segregation of duties for critical functions

Endpoint and Application Security

• Endpoint Detection and Response (EDR) on all endpoints
• Application whitelisting on critical systems
• Secure coding practices and application VAPT before go-live
• Mobile Device Management (MDM) for BYOD environments

Monitoring and Incident Response

• 24x7 CSOC with real-time monitoring capabilities
• Log retention for a minimum of 2 years (5 years for some institutions)
• Incident response plan with RBI reporting obligations
• Threat intelligence integration

⏱️ Incident Reporting Obligations

✅ Steps to Achieve RBI Compliance

1. Gap Assessment: Measure current controls against RBI's cybersecurity framework requirements
2. IT Governance Setup: Constitute an IT Strategy Committee and appoint a CISO
3. Policy Development: Draft or update Board-approved Cybersecurity Policy, IS Policy, BCP/DR Policy
4. VAPT by CERT-In Auditor: Conduct annual VAPT of all internet-facing systems and critical applications
5. CSOC Implementation: Establish or upgrade your security operations monitoring capability
6. Incident Response Plan: Document and test your Cyber Crisis Management Plan
7. IS Audit: Conduct annual IS Audit by a certified auditor and submit report to Board