The landscape of financial regulations is ever-evolving, driven by the need to adapt to emerging threats and technological advancements. On November 7, 2023, the Reserve Bank of India ("RBI") took a significant stride in this direction with the issuance of the Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 ("Directions"), in exercise of its powers under Section 35A of the Banking Regulation Act, 1949 read with Section 45L of the Reserve Bank of India Act, 1934 and Section 11 of the Credit Information Companies (Regulation) Act, 2005.
In February 2022, the RBI issued the Statement on Developmental and Regulatory Policies, and in October 2022 it requested comments from all stakeholders on the Draft Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices. After considering the comments of the stakeholders, the RBI has released these guidelines to update and consolidate the instructions relating to Information Technology (IT) Governance and Controls, Business Continuity Management, and Information Systems Audit.
These Directions apply to a wide spectrum of entities within the financial sector, encompassing commercial banks, non-banking financial companies ("NBFC")[1], credit information companies[2], EXIM Bank[3], National Bank for Agriculture and Rural Development ("NABARD")[4], National Bank for Financing Infrastructure and Development ("NaBFID")[5], National Housing Bank ("NHB") and Small Industries Development Bank of India ("SIDBI")[6] ("Regulated Entities"). Further, these Directions do not apply to local area banks and NBFC-core investment companies.
The Directions mandate the Regulated Entities to implement an information technology (IT) governance framework covering strategic alignment, risk management, resource management, performance management, and Business Continuity/Disaster Recovery Management. The IT governance framework must specify (i) the governance structure, (ii) the roles and responsibilities of the board of directors/senior management of Regulated Entities, and the mechanisms to ensure accountability and mitigation of IT and cyber/information security risks.
The Directions require the Regulated Entities to have strategies and policies for IT, Information Assets, Business Continuity, Information Security, and Cyber Security (including Incident Response and Recovery Management/ Cyber Crisis Management) which must be approved and annually reviewed by the board of directors of the Regulated Entities.
The Regulated Entities must set up a board-level IT strategy committee ("ITSC") consisting of (i) a minimum of three directors (having technical competency) as members; and (ii) an independent director (having substantial IT expertise) as chairman. The Regulated Entities must also establish an IT steering committee with representation at the senior management level from IT and business functions.
The Regulated Entities must implement risk assessment processes and proportionate controls designed to (i) mitigate the risk; (ii) eliminate or address any conflict of interest; (iii) mitigate risks associated with a single point of failure; (iv) comply with applicable legal and regulatory requirements and standards to protect customer data; (v) provide high availability (for uninterrupted customer service); and (vi) manage supply chain risks effectively.
The Regulated Entities are required to assess the risk and ensure the security of their information assets by using recognized security standards and IT control frameworks. The Regulated Entities must annually review their security infrastructure and policies. This review should take into account their specific experiences, along with the evolving landscape of threats and risks, to effectively counteract and mitigate the impact of cyber-attacks, including phishing and spoofing.
For safeguarding critical information systems, especially those with customer interfaces in the De-Militarized Zone ("DMZ"), Regulated Entities must conduct vulnerability assessments ("VA") every six months and penetration testing ("PT") annually. These assessments should cover the entire lifecycle of the information systems, including the pre-implementation and post-implementation phases, and after any significant changes. A risk-based approach determines the necessity and frequency of VA/PT for non-critical systems. These assessments must be carried out by trained, independent security experts to ensure unbiased results. Following the assessment, identified vulnerabilities must be promptly addressed, with actions documented and compliant with standards such as those in the Common Vulnerabilities and Exposures ("CVE") database.
Regulated Entities must have a robust cyber incident response and recovery management policy. This policy should outline procedures for classifying and assessing incidents, communicating effectively during incidents, and achieving rapid recovery. It is essential for Regulated Entities to analyze cyber incidents thoroughly to understand their impact and root causes, and to take both corrective and preventive actions to minimize business disruption. Written procedures for responding to and recovering from incidents are crucial, including clear roles for staff and communication plans for escalating incidents to the board, senior management, and, if necessary, customers. Additionally, incidents should be reported to regulatory bodies as required. Regulated Entities should continuously refine their incident response and recovery capabilities through lessons learned from past incidents and regular testing and drills with all stakeholders.
The Regulated Entities must adopt business continuity and disaster recovery policies to combat the impact of disruptive incidents and maintain business continuity. The policies must be designed around the entity's resilience objectives and enable it to rapidly recover and securely resume its critical operations (including security controls) after cyber-attacks or other incidents. The Regulated Entities must conduct half-yearly disaster recovery drills for critical information systems.
The new RBI Directions usher in a comprehensive framework to strengthen the information security posture of Regulated Entities across the financial sector. Key provisions include mandates for IT governance, strategic alignment, risk management, and third-party arrangements. Furthermore, the emphasis on risk assessment, vulnerability testing, and incident response underscores the RBI's commitment to mitigating cyber threats. By adhering to these Directions, Regulated Entities can fortify their defenses, enhance resilience against evolving cyber risks, and ensure the continuity of critical operations.