The Reserve Bank of India's Master Directions on Information Technology (RBI MD on IT) consolidate IT governance, cybersecurity, and audit requirements for scheduled commercial banks, primary urban cooperative banks, NBFCs, and payment system providers. Here's what the Master Directions require and how regulated entities should approach compliance.
-
Who Must Comply
The RBI MD on IT applies to: scheduled commercial banks (including foreign banks operating in India), primary urban cooperative banks with assets above a threshold, Non-Banking Financial Companies (NBFCs), Payment System Providers, and certain credit information companies. Smaller cooperative banks and NBFCs may face proportionate requirements based on their size and systemic importance.
-
The Cybersecurity Framework Requirement
RBI requires each regulated entity to implement a Board-approved Cybersecurity Policy and establish a robust cybersecurity framework. The framework must include: governance structure with Board oversight, risk-based identification of critical systems, security controls aligned to the entity's risk profile, incident detection and response capabilities, and regular cybersecurity assessments.
-
IS Audit Requirements
Banks and NBFCs must conduct periodic Information Security Audits by CERT-In empanelled auditors. The IS audit must cover all critical IT systems, assess control adequacy, and produce findings that are reported to the Board's IT Strategy Committee or equivalent governance body. Audit findings must be tracked to closure with Board visibility on open items.
-
IT Governance Structure
RBI MD on IT requires a governance structure that includes: an IT Strategy Committee at the Board level; a management-level IT Steering Committee; an IS function with a designated CISO; and a Board-approved IT policy framework. For smaller NBFCs, proportionate governance arrangements are acceptable, but Board ownership of IT risk is non-negotiable.
-
Business Continuity and Resilience
Regulated entities must maintain Business Continuity Plans (BCP) and Disaster Recovery (DR) capabilities tested at least annually. RBI specifies Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for different categories of critical systems. DR testing must be documented and results reported to senior management and the Board.
-
VinfraSec's RBI Approach
VinfraSec implements RBI MD on IT compliance using IaC-based cybersecurity controls for Azure India or AWS Mumbai, IS audit preparation and evidence packaging, Board-level governance documentation, and unified log management that satisfies both RBI and CERT-In retention requirements in a single architecture.