Key Takeaways
- RBI Cyber Security Framework for Banks (2016) applies to scheduled commercial banks. Subsequent guidance extends to cooperative banks, NBFCs and payment infrastructure.
- Board-level governance: board-approved cyber policy, CISO independent of CIO, Information Security Committee, board-reviewed cyber risk dashboard.
- VAPT obligations: annual minimum baseline plus on material changes. Critical systems often quarterly or continuous.
- SOC requirements: 24x7 monitoring for larger entities, in-house or managed. Detection of anomalous activity and timely response.
- Incident reporting: material incidents to RBI within 2 to 6 hours of detection. Parallel CERT-In notification within 6 hours under the April 2022 directions. Data Protection Board of India notification under the DPDP Act where personal data is involved.
RBI Cyber Security Framework Overview
The RBI Cyber Security Framework was first issued in June 2016 for scheduled commercial banks. It has since been supplemented rather than replaced: the Master Direction on IT Governance, Risk, Controls and Assurance Practices (2023), the NBFC IT directions, the UCB cyber security framework, and the cyber conditions attached to payment aggregator authorisation all layer on top of it. In practice an entity's obligations are the union of the 2016 framework and whichever later directions apply to its category.
Categories of regulated entity:
- scheduled commercial banks (Category I, II, III based on size and exposure)
- urban cooperative banks (UCBs), with the UCB cyber framework applicable
- NBFCs, categorised into base, middle, upper and top layers with proportionate IT governance expectations
- payment aggregators and payment gateways, with PA authorisation cyber conditions
- prepaid instrument issuers
- several other regulated entity types
Board-Level Cyber Governance
The Framework expects board-level oversight of cyber security. Specific expectations include: board-approved Cyber Security Policy reviewed at least annually, CISO appointed with reporting line independent of CIO, Information Security Committee at appropriate level, Board IT Strategy Committee or equivalent receiving regular cyber updates, periodic cyber risk dashboard reviewed at board level.
Indian banks have largely operationalised this; NBFCs are catching up under the 2023 IT Governance Master Direction. The CISO independence requirement is meaningful: many NBFCs historically had information security reporting into the CTO or head of IT, and the 2023 direction explicitly bars the CISO from a direct reporting relationship with the head of the IT function, because the person who builds and runs the systems should not also be the person who signs off on their security.
VAPT and Audit Obligations
VAPT is mandatory at minimum annually for regulated entities. The scope covers internet-facing systems, internal critical systems, applications, infrastructure and, where the entity uses cloud, the cloud configuration itself (identity, network exposure, storage permissions), not only the workloads running on it. Material changes (new product, architectural change, cloud migration) trigger additional VAPT before go-live, and findings must be tracked to closure with retest evidence, since inspectors ask for the remediation trail rather than the report alone.
Information Systems audit (IS audit) by qualified external auditors is required. The audit covers the cyber framework implementation, control effectiveness, and management of risks. Reports are reviewed by the Information Security Committee and discussed at board level. RBI inspections may sample IS audit findings during regulatory inspection.
SOC and Monitoring Requirements
Larger regulated entities are expected to operate 24x7 SOC capability. The Framework does not prescribe in-house versus managed; either is acceptable provided the capability is real and demonstrable. Smaller NBFCs and UCBs are increasingly expected to have at least baseline monitoring (SIEM, log retention, alerting) even if not full 24x7.
Critical controls expected: log retention (minimum periods are specified by the various directions, typically 6 to 12 months for security logs and longer for financial transaction logs; note that the CERT-In April 2022 directions separately require 180 days of ICT system logs retained within India), alerting on anomalous activity, integration with incident response, threat intelligence consumption, and regular tuning of detection content. Time synchronisation to a reliable source is also expected, as unsynchronised logs undermine both detection and post-incident reconstruction. See our SOC blog for the operating model.
Incident Reporting to RBI
Material cyber incidents must be reported to RBI within prescribed timelines, 2 to 6 hours from detection under the 2016 framework for incidents affecting customer-facing services, critical financial transactions or involving material data exposure. The initial report covers nature, scope, immediate containment actions, communication with affected customers and the remediation plan; fuller root-cause detail follows as the investigation matures.
Parallel notifications fire to CERT-In (within 6 hours of noticing the incident, per the April 2022 directions, for the specified incident types), to the Data Protection Board of India under the DPDP Act where personal data is involved, and to the entity's own board. Each clock runs independently from detection, so the IR plan must handle them in parallel rather than sequentially; a well-designed incident response template (see our IRP blog) with pre-assigned owners for each notification makes this manageable under stress.
Third-Party Risk Management
RBI Master Direction on Outsourcing of IT Services explicitly addresses third-party cyber risk. The regulated entity remains accountable for the cyber posture of every outsourced service, vendor, fintech partner, cloud provider, and downstream subcontractor.
Practical implementation: a complete vendor register classified by risk and by the access each vendor holds, cyber clauses in service agreements, vendor cyber attestation (ISO 27001 certificate, SOC 2 report, PCI DSS AoC, as applicable; a HIPAA BAA is a contract rather than an attestation and is relevant only where US health data is processed), audit rights including right-to-audit clauses, exit provisions covering data destruction and continuity, and integration of vendors into the IR plan so that a breach at a vendor reaches the entity's incident clock. Inspections specifically sample vendor management.
RBI Cloud Computing Guidance
RBI has issued specific guidance on use of cloud services by regulated entities. Key themes: data residency considerations, shared responsibility documentation between cloud provider and customer, exit strategy and portability, audit rights and inspection access, encryption with customer-controlled keys where applicable.
Major Indian banks and NBFCs run on AWS, Azure and GCP with RBI-aligned reference architectures published by each provider. Codesecure helps regulated entities translate the cloud reference architecture into compliant deployment with documented evidence the RBI inspector can verify.
Frequently Asked Questions
Does the RBI Cyber Security Framework apply to small NBFCs?
RBI's scale-based regulation framework categorises NBFCs into base, middle, upper and top layers, and the 2023 IT Governance Master Direction applies the cyber expectations proportionately by layer: base-layer NBFCs have lighter obligations, top-layer NBFCs have the full framework. Even the smallest NBFCs should plan for material cyber expectations, as RBI has moved obligations downward over successive directions.
How often does RBI inspect cyber controls?
Cyber is part of every RBI inspection cycle for regulated entities (typically annual or biennial depending on entity category). Special-purpose inspections may be triggered by incidents, complaints or risk-based selection. Inspections increasingly include cyber specialists alongside general inspectors.
Can a managed SOC satisfy RBI requirements?
Yes, when the managed SOC arrangement is documented, the regulated entity retains accountability and oversight, and the entity can demonstrate operational visibility into SOC operations. Codesecure delivers RBI-aligned managed SOC for Indian fintechs and NBFCs.
What VAPT frequency does RBI require?
Annual minimum baseline plus on material changes plus risk-based additional testing for high-risk systems. Most regulated entities benefit from semi-annual or continuous VAPT on customer-facing and payment-critical systems.
How does RBI relate to CERT-In and DPDP?
All three operate in parallel for regulated entities. RBI handles entity-specific regulatory reporting. CERT-In handles cross-sector cyber incident reporting. DPDP handles personal data protection. A single material incident often triggers all three notifications. The IRP must manage parallel timelines.
Can Codesecure deliver RBI-aligned programmes?
Yes. Codesecure delivers RBI-aligned cyber programmes, VAPT, SOC design, IS audit support, vCISO services and incident response readiness for Indian banks, NBFCs, payment aggregators and other RBI-regulated entities.
Be RBI-Inspection Ready Every Day, Not Just At Audit
Codesecure delivers RBI-aligned cyber programmes, VAPT, managed SOC, IS audit support and incident response for Indian banks, NBFCs and payment infrastructure. ISO/IEC 27001:2022 certified delivery, named consultants, fixed-price proposals.