RBI's Master Direction on IT Governance (effective April 2024) mandates board-level oversight for every bank, NBFC, and financial institution. Close your compliance gaps before RBI's IT Examination finds them.
The RBI Master Direction (November 2023, effective April 1, 2024) consolidates India's banking IT governance requirements into a single, board-driven framework covering IT strategy committees, IS policy, cybersecurity controls, BCP/DR, third-party risk, and IS audits. Non-compliance surfaces through RBI's IT Examination and can trigger supervisory action and penalties.
Establish Board-level ITSC and management-level IT Steering Committee per Master Direction Clauses 10-12 with defined charters and quarterly reporting.
Develop the complete IS policy framework including IS policy, internet banking security, outsourcing security, and all annexure policies per Master Direction Annexures.
Annual IS risk assessment covering threat landscape, vulnerability posture, and control effectiveness per Master Direction Clause 16.
Assess IT governance and IS controls against all Master Direction domains, scoped to entity type (SCB, NBFC, AIFI, CIC).
Review network security, patch management, change management, and capacity planning per Master Direction Clauses 23-28.
Assess IT vendors against RBI outsourcing requirements per Master Direction Clauses 33-38, evaluating security posture and contractual controls.
Implement the full RBI Cybersecurity Framework for SCBs per Master Direction Clauses 17-22, including SOC, threat intel, and red teaming.
Design and implement 24/7 SOC meeting RBI detection, alerting, and response obligations per Master Direction Clause 19.
Implement 6-hour CERT-In reporting per CERT-In Direction 2022 plus IB-CART notification with templates and escalation runbooks.
Implement segmentation, firewall management, IDS/IPS, and secure remote access per Master Direction Clauses 23-28.
Implement BCP/DR frameworks per Master Direction Clauses 39-41 covering RTOs, alternate sites, and regular testing.
Implement patch and change management per Master Direction Clauses 25-26 with vulnerability timelines and rollback procedures.
Periodic cyber risk assessment per Master Direction Clause 16 covering evolving threats, vulnerabilities, and control effectiveness.
Coordinate annual IS audit per Master Direction Clause 42 with evidence collection, auditor liaison, and gap closure tracking.
Maintain 6-hour CERT-In notification procedures and IB-CART reporting with documented runbooks tested through tabletop exercises.
Track RBI circulars and master directions, assessing impact on compliance posture and implementing changes within regulatory timelines.
Role-based cybersecurity training for banking operations, IT, management, and board members with phishing simulation exercises.
Prepare for RBI IT Examination with evidence organisation, control rationale documentation, and mock examination exercises.
SCBs (including Small Finance Banks and Payments Banks) face the most comprehensive obligations covering all domains including the mandatory Board-level ITSC, 24/7 SOC, cybersecurity framework, BCP/DR, and CERT-In plus IB-CART incident reporting.
NBFCs in the Top, Upper, and Middle Layers under Scale-Based Regulation, and All India Financial Institutions (NABARD, SIDBI, NHB, EXIM Bank) are covered with differentiated obligations based on entity tier and asset size.
Credit Information Companies (CICs such as CIBIL, Equifax India) and payment system operators regulated by RBI are covered under the Direction and must implement the applicable IT governance and IS controls.
A structured six-phase process from initial gap assessment through to ongoing regulatory monitoring and IS audit coordination.
Assess current IT governance and IS controls against all RBI Master Direction domains, scoped to your entity type (SCB, NBFC, AIFI, or CIC) with a gap report and prioritised remediation roadmap.
Establish Board-level IT Strategy Committee and management-level IT Steering Committee with defined charters, meeting cadences, and board reporting structures.
Develop the complete IS policy framework including IS policy, internet banking security, outsourcing security, and all RBI-mandated annexure policies with board approval.
Implement cybersecurity controls across infrastructure, network, application, and third-party domains per the Master Direction, including SOC and BCP/DR for SCBs.
Establish incident response procedures meeting CERT-In's 6-hour reporting requirement plus IB-CART notification, with templates, classification criteria, and escalation runbooks.
Annual cyber risk assessment, IS audit coordination, CERT-In reporting readiness maintenance, and continuous regulatory update tracking across all Master Direction domains.