On November 7, the Reserve Bank of India (RBI) issued the Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices. The directive sets out IT and cybersecurity requirements for banks and other regulated entities. It updates and consolidates the RBI's earlier circulars on the subject, which it repeals, and its provisions take effect on April 1, 2024.
The directive applies to various entities, namely Scheduled Commercial Banks (excluding Regional Rural Banks), Small Finance Banks, Payments Banks, Non-Banking Financial Companies (excluding NBFC-Core Investment Companies), Credit Information Companies, and Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB, and SIDBI). Collectively, these entities are referred to as regulated entities (REs) going forward.
Several key definitions are provided in the directive. Cybersecurity is defined as the preservation of confidentiality, integrity, and availability of information and/or information systems through the cyber medium, including properties such as authenticity, accountability, non-repudiation, and reliability. A cyber incident is any event that adversely affects the cybersecurity of an information asset, whether or not it results from malicious activity. A cyber attack is a malicious attempt to exploit vulnerabilities through the cyber medium in order to damage, disrupt, or gain unauthorized access to assets.
Regulated entities are required to adopt specific governance measures outlined in the directive. This includes the implementation of an IT Governance Framework, encompassing strategic alignment, risk management, resource management, performance management, and Business Continuity/Disaster Recovery Management. The framework should define the roles and responsibilities of the Board of Directors and incorporate oversight mechanisms for IT security risks.