admissions@cyberlawacademy.com | +91-XXXXXXXXXX
Part 3 of 6

RBI Cyber Security Framework

Navigate the Reserve Bank of India's comprehensive cyber security requirements for banks, NBFCs, and payment system operators. Understand policy requirements, SOC mandates, and incident reporting obligations.

Duration: ~90 minutes | Sections: 4 | Quiz: 10 Questions

3.1 Applicable Entities

RBI has issued multiple circulars on cyber security applicable to different categories of regulated entities. Understanding which circulars apply to which entities is the first step in compliance.

Key Circulars and Their Scope

Circular | Date | Applicable To
Cyber Security Framework for Banks | June 2016 | All Scheduled Commercial Banks
Master Direction - IT Framework for NBFCs | June 2017 | All NBFCs with asset size > Rs. 500 Cr (lighter requirements for smaller NBFCs)
Cyber Security Framework for UCBs | December 2018 | Urban Cooperative Banks
IT Governance Framework for Payment System Operators | April 2021 | All authorized PSOs
Master Direction on IT Governance, Risk, Controls and Assurance Practices | November 2023 | Banks and NBFCs in the Middle, Upper and Top Layers (effective April 2024; updated requirements)

Entity Categories and Requirements

Scheduled Commercial Banks (SCBs)

  • Subject to the most comprehensive cyber security framework
  • Board-approved cyber security policy mandatory
  • Security Operations Centre (SOC) required
  • CERT-In reporting for cyber incidents of the types notified by CERT-In (in addition to reporting to RBI)
  • Regular vulnerability assessment and penetration testing

Non-Banking Financial Companies (NBFCs)

NBFC Tiering

NBFCs are categorized based on asset size. NBFCs with assets over Rs. 500 crore must implement comprehensive IT frameworks. Smaller NBFCs have proportionate requirements but must still maintain basic cyber hygiene.

Payment System Operators (PSOs)

  • Card networks (Visa, Mastercard, RuPay operators)
  • Prepaid Payment Instrument (PPI) issuers
  • BBPS operating units
  • ATM networks and White Label ATM operators
  • Cross-border money transfer operators

Data Localization

RBI's April 2018 directive on storage of payment system data requires that the entire data relating to payment systems be stored in systems located only in India. This covers end-to-end transaction data, including customer, payment and processing details. Processing may take place abroad, but in that case the data must be deleted from the overseas systems and brought back to India within 24 hours; only the foreign leg of a cross-border transaction may additionally be stored abroad. Payment system operators must ensure complete data localization by the specified timelines, and RBI requires this to be confirmed through a system audit report.

3.2 Cyber Security Policy Requirements

RBI mandates a Board-approved Cyber Security Policy separate from the general IT/IS Policy. This policy must address specific areas and be reviewed annually.

Mandatory Policy Components

  1. Risk Assessment: Methodology for identifying and assessing cyber risks to critical assets
  2. Security Architecture: Network segmentation, firewall policies, access controls
  3. Security Operations: SOC functions, monitoring, log management
  4. Incident Management: Detection, response, recovery, and notification procedures
  5. Audit and Compliance: Internal audit, external audit, compliance monitoring
  6. Awareness Training: Employee training programs on cyber security

Governance Structure

IT Strategy Committee of the Board
Banks must constitute an IT Strategy Committee at Board level to approve IT strategy and policy and to review the bank's cyber security posture. The committee should meet at least quarterly.
CISO Appointment

Banks must appoint a Chief Information Security Officer (CISO) at senior management level. The CISO should report to the MD/CEO or CRO, NOT to the CIO/CTO, to ensure independence of security function from IT operations.

Policy Review Cycle

Annual Compliance Calendar

Quarterly
IT Strategy Committee meetings, review of cyber security incidents
Half-Yearly
VAPT reports, review of access controls
Annually
Cyber Security Policy review, IT audit, DR drill
As Required
Incident-triggered reviews, RBI inspection findings

Baseline Security Controls

  • Inventory Management: Complete inventory of hardware, software, data assets
  • Network Security: Firewalls, IDS/IPS, network segregation, DMZ
  • Access Control: Role-based access, privileged access management, MFA
  • Encryption: Data at rest and in transit encryption, key management
  • Patch Management: Timely application of security patches
  • Anti-Malware: Endpoint protection, email security, web filtering
  • Backup: Regular backups, offsite storage, periodic restoration testing

3.3 Security Operations Centre (SOC) Requirements

RBI mandates establishment of a Security Operations Centre for continuous monitoring and rapid incident response. The SOC can be in-house or outsourced to a managed security service provider (MSSP).

SOC Functions

  1. Continuous Monitoring: 24x7 monitoring of security events across all critical systems
  2. Log Analysis: Centralized log management with correlation and analysis
  3. Threat Intelligence: Integration of threat feeds, IOC monitoring
  4. Incident Response: First-line response, escalation, containment
  5. Vulnerability Management: Continuous vulnerability scanning, prioritization

Technical Requirements

Component | Requirement
SIEM | Security Information and Event Management for log correlation
Log Retention | Minimum 1 year for security logs, 5 years for transaction logs
Monitoring Coverage | All critical systems including core banking, internet banking, mobile banking
Alert Response | Defined SLAs for alert triage and escalation
Reporting | Regular reports to CISO, Board, and RBI as required

Outsourced SOC

If SOC is outsourced to an MSSP, the bank remains responsible for compliance. Ensure the MSSP agreement includes: SLAs, data confidentiality, RBI audit access, incident escalation procedures, and right to inspect.

Cyber Crisis Management Plan (CCMP)

CCMP Requirements
Banks must have a documented CCMP covering: threat scenarios, escalation matrix, crisis communication, coordination with regulators/law enforcement, recovery procedures, and post-incident analysis.
  • Crisis Team: Defined roles for CISO, CTO, Legal, Communications, Business
  • Escalation Matrix: Clear triggers for escalation to Board and RBI
  • Communication Plan: Templates for customer, media, regulator communication
  • Recovery Procedures: Step-by-step recovery for various attack scenarios
  • Drill Frequency: Annual table-top exercises and simulations

3.4 Incident Reporting

RBI has mandated specific incident reporting requirements. Failure to report incidents within specified timelines can result in regulatory action.

Reporting to RBI

Reporting Timelines

Cyber incidents of severe/high impact must be reported to RBI within 2-6 hours of detection. All incidents must be followed up with detailed Root Cause Analysis (RCA) within 2-4 weeks.

Incident Severity | Initial Report | Detailed RCA | Report To
Critical (data breach, system compromise) | Within 2 hours | Within 2 weeks | RBI CSITE, CERT-In
High (attempted breach, malware) | Within 6 hours | Within 4 weeks | RBI CSITE
Medium (policy violations, failed attacks) | Next business day | Monthly summary | Internal CISO
Low (minor incidents) | Weekly summary | Quarterly review | Internal SOC

Reporting to CERT-In

Under the CERT-In directions of April 28, 2022 (issued under Section 70B of the IT Act), the following types of incidents must be reported to CERT-In within 6 hours of noticing them or being informed of them:

  • Targeted scanning/probing of critical networks
  • Compromise of critical systems/information
  • Unauthorized access to IT systems
  • Defacement of websites or intrusion
  • Malicious code attacks (ransomware, cryptomining)
  • Attacks on servers, critical infrastructure
  • Data breach or data leak
  • Fake mobile apps

Log Retention for CERT-In

The CERT-In directions also require all covered entities (service providers, intermediaries, data centres, body corporates and government organisations, which includes RBI-regulated entities) to maintain logs of all their ICT systems for a rolling period of 180 days. Logs must be maintained within Indian jurisdiction and must be provided to CERT-In on request or along with an incident report. This requirement has applied since the directions came into effect on June 28, 2022, and is separate from RBI's own longer retention expectations for security and transaction logs.

Incident Classification Framework

What Constitutes a Reportable Incident
Any event that compromises or attempts to compromise: confidentiality, integrity, or availability of banking systems; customer data; payment transactions; or regulatory data. Includes both successful attacks and significant attempted attacks.

Customer Notification

  • Data Breach: Customers must be notified if their personal/financial data is compromised
  • Service Disruption: Proactive communication for extended outages
  • Fraud Alerts: Immediate notification of suspicious transactions
  • Channel: SMS, email, in-app notification as appropriate

Key Takeaways

  • RBI cyber security framework applies to banks, NBFCs, UCBs, and payment system operators with entity-specific requirements
  • Board-approved Cyber Security Policy separate from IT Policy is mandatory
  • CISO must be appointed at senior level with independence from IT operations
  • SOC (in-house or outsourced) required for continuous monitoring
  • Critical incidents must be reported to RBI within 2-6 hours
  • CERT-In log retention requirement: 180 days within Indian jurisdiction
  • Payment data localization is mandatory for PSOs

Part 3 Assessment Quiz

Test Your Knowledge

10 questions on RBI Cyber Security Framework
