RBI Cyber Security Framework · BFSI · Updated June 2026

Complete guide to RBI cyber security framework

For banks, NBFCs, payment aggregators, NBFC-AAs, and ARCs. The Master Direction on IT Governance plus the Cyber Security Framework — what RBI actually expects, what an inspection looks for, and what to ship before your next audit.

At a glance: incident reporting to RBI within 2-6 hours of detection; VAPT at least annually; board approval required for the cyber strategy; CISO a mandatory, separately staffed role.

01 What the framework is

RBI's cyber security expectations for regulated entities are scattered across multiple instruments. The most important ones for 2026 compliance are:

  • Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (DOR.IT.REC.99/03.10.001/2023-24, dated 7 November 2023) — the consolidated direction governing IT risk and assurance.
  • Cyber Security Framework in Banks (DBS.CO.CSITE.BC.11/33.01.001/2015-16, dated 2 June 2016) — the baseline cyber framework, still active and routinely cited in inspections.
  • Master Direction on Outsourcing of Information Technology Services (April 2023) — third-party and cloud obligations.
  • Master Direction on Digital Payment Security Controls (Feb 2021) — for entities operating digital payment products.
  • Sectoral circulars for NBFCs, Cooperative Banks, Payment Aggregators, ARCs, NBFC-AAs — each adding sector-specific obligations on top of the baseline.
Bottom line: there is no single "RBI Cyber Framework PDF". You are complying with a stack — Master Direction + sectoral circulars + IT outsourcing rules + payment security rules — and the instruments interact. An inspection asks for evidence under all of them at once.

02 Who it applies to

The framework, in some form, applies to every entity RBI regulates. Sectoral coverage in 2026:

  • Scheduled Commercial Banks (public, private, foreign, small finance, payments banks) — full framework, strictest enforcement.
  • NBFCs — graded application by size: Top Layer / Upper Layer / Middle Layer / Base Layer (Scale Based Regulation, Oct 2022). The larger the layer, the closer to bank-grade obligations.
  • Cooperative Banks (UCBs, StCBs, DCCBs) and Regional Rural Banks — applicable, with a phased compliance timeline depending on tier.
  • Payment Aggregators & Payment Gateways — subject to PA-PG Guidelines (Mar 2020 + Dec 2024 amendments) which incorporate cyber obligations.
  • NBFC-AAs (Account Aggregators) — Master Direction on AA + applicable cyber framework sections.
  • Asset Reconstruction Companies — sectoral circular adapts the bank framework.
  • Credit Information Companies — IT framework with cyber addendum.
  • Pre-paid Instrument issuers — Master Direction on PPIs + cyber controls.

If you are a vendor or fintech partner to any of the above, you are not directly regulated but you carry derivative obligations through your contract — the regulated entity is required by RBI to push controls down to you.

03 Governance & CISO

RBI insists on cyber governance being a board-level item, not a CIO sub-function:

  • CISO appointment — mandatory and must be a senior officer reporting to a level immediately below MD/CEO. Cannot be the CIO; explicit segregation of duties.
  • Board-approved cyber strategy — refreshed at least annually, covering risk appetite, governance structure, control framework, and incident response posture.
  • Information Security Committee (ISC) — chaired by CISO, with representation from IT, risk, business heads, and internal audit. Meets at least quarterly.
  • IT Strategy Committee of Board — for larger entities, a board-level committee overseeing IT and cyber.
  • Annual board review — cyber posture, incidents, audit findings, third-party risk all presented to the board with documented minutes.
Inspection trap: "CISO appointed" must be backed by an offer letter, JD, reporting line, board minutes of the appointment, and tenure stability. We have seen NBFCs cite a CISO who is also the CIO — automatic finding.

04 Cyber strategy & policy

RBI expects a documented stack:

  • Cyber Security Policy — board-approved, refreshed annually.
  • Information Security Policy — covering identity, access, classification, retention, encryption, secure development, third-party.
  • Cyber Crisis Management Plan (CCMP) — incident classification (low/medium/high/critical), response RACI, communication tree, RBI notification timelines, customer notification protocol, regulator escalation.
  • Business Continuity Plan + IT Disaster Recovery — RTO and RPO defined per critical system, tested at least annually, documented test results.
  • Standards and procedures — under each policy, the operational evidence: vulnerability management, change management, access review, log retention.

05 Baseline controls

The Cyber Security Framework prescribes baseline controls across categories. Practitioner translation:

  • Network security — segmented zones (DMZ, internal, sensitive); inter-zone traffic via firewalls with documented rule base; quarterly firewall rule review; intrusion prevention; egress filtering.
  • Endpoint security — anti-malware on every endpoint; EDR for critical roles; full disk encryption on laptops; MDM for mobile; USB port control.
  • Access control — MFA on all privileged access and remote access; quarterly access review; joiner-mover-leaver workflow with documented evidence; PIM/PAM for admin accounts.
  • Application security — secure SDLC; pre-production security testing; OWASP Top 10 coverage; production WAF for customer-facing apps.
  • Data security — classification (public, internal, confidential, restricted); encryption in transit (TLS 1.2+) and at rest (AES-256); DLP for confidential and restricted; tokenisation for card data; key management via HSM.
  • Logging & monitoring — centralised log aggregation; minimum 180-day retention online and 5-year archive for financial transactions; SIEM with use-case library; SOC coverage 24x7 for critical systems.
  • Vulnerability management — asset inventory; quarterly internal scans; monthly external scans; patch SLAs by severity; documented exception process.

06 VAPT requirements

Annual VAPT is the most-cited requirement. What "annual VAPT" actually means under RBI scrutiny:

  • Scope — every internet-facing application, every critical internal application, every external IP range, the core banking / lending platform (or equivalent), any mobile application, any customer-facing API.
  • Methodology — manual exploitation, not just scanner output. OWASP ASVS L2 / MASVS for apps, PTES / NIST SP 800-115 for network. Document your methodology in the SOW.
  • Vendor — preferably CERT-In empanelled. Many banks make this mandatory in tender. Verify empanelment status on cert-in.org.in before kick-off.
  • Re-test — re-test of high and critical findings within 30 days of remediation, with a re-test letter as audit evidence.
  • Frequency — annual minimum; many banks now do six-monthly for critical apps. After any major architectural change, a delta VAPT is expected.
  • Reporting — findings catalogued by CVSS, mapped to OWASP and CIS controls, exploit narratives where applicable, executive summary for the board, and a closure tracker.
What inspections look for: the actual report (not just a certificate), the SOW with named consultants and methodology, evidence of remediation tickets per finding, the re-test letter, board minutes acknowledging the high/critical findings.

07 SOC & monitoring

Monitoring obligations scale with size:

  • SCBs and large NBFCs — 24x7 SOC, in-house or co-managed, with documented use-cases, threat-hunting, and Cyber Threat Intelligence integration.
  • Mid-tier NBFCs — at minimum, MSSP-led SOC with documented SLAs and shared on-call protocol.
  • Smaller entities — outsourced SOC permissible but the regulated entity remains accountable; the contract must specify use-cases, SLAs, escalation paths.

SOC maturity is increasingly probed in inspections — RBI examiners ask for the use-case library, the last 90 days of alerts, mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) metrics, and a sample incident closure file end-to-end.

08 Third-party risk

Master Direction on Outsourcing (April 2023) and the Cyber Framework together set third-party expectations. The current bar:

  • Vendor risk assessment at on-boarding — security questionnaire, financial health, regulatory history, certifications (ISO 27001, SOC 2 Type II preferred).
  • Contractual obligations — RBI inspection rights, data localisation clauses, sub-processor consent, breach notification within 24 hours to the regulated entity, indemnity, exit and data-return clauses.
  • Ongoing monitoring — annual review for material vendors, SOC reports on file, periodic site visits or independent assurance.
  • Concentration risk register — what % of critical functions ride on a single vendor; documented mitigation if concentration is high.
  • Cloud-specific clauses — under the IT Outsourcing Master Direction, cloud is treated as material outsourcing requiring board approval and prior risk assessment.

09 Cloud & outsourcing

Cloud adoption in BFSI is permitted but heavily conditioned:

  • Data localisation — payment system data must be stored only in India (RBI directive of 6 April 2018, still binding). Under the June 2019 FAQ, transaction data may be processed abroad, but it must be brought back to India and deleted from systems abroad within 24 hours of processing; the only permanent storage is in India.
  • Segregated tenancy — multi-tenant cloud permitted but with documented logical separation and encryption keys held by the regulated entity.
  • Cloud Service Provider (CSP) due diligence — formal assessment, ISO 27001 / SOC 2 / CSA STAR evidence, supplemental security reviews.
  • RBI inspection rights — the contract must give RBI the right to inspect the CSP's facilities; this is often handled via the CSP's published audit reports.
  • Exit plan — documented and tested portability plan; what happens if the CSP becomes unavailable.

10 Incident reporting

Multi-layered timing requirements. Practitioner cheat-sheet:

Trigger | Authority | Window
Cyber security incident | RBI (Department of Supervision, CSITE cell) | Within 2-6 hours of detection
Cyber security incident (any) | CERT-In | Within 6 hours of noticing (April 2022 directions)
Personal data breach | Data Protection Board (once the DPDP Rules are notified) | Within 72 hours, plus customer notification
Card data breach | Card networks (Visa / Mastercard / RuPay) | Per network rules, typically immediate
Payment system disruption | RBI Payments Department | Immediate; press release if customer-impacting
Customer-impacting fraud | RBI + affected customer | Per the July 2017 circular on limiting customer liability in unauthorised electronic banking transactions

One incident often triggers several of these reporting paths at once, each on its own clock. Have the templates pre-drafted and the contact details verified.

11 Audit obligations

  • Internal audit — IT and cyber audit at least annually, by an independent function, covering all baseline controls.
  • Concurrent audit for critical systems where applicable.
  • Information System Audit — typically biennial, by an external CISA / CISM / DISA-qualified auditor.
  • External assurance — independent IS audit findings reported to the audit committee of the board.
  • RBI inspection — risk-based, frequency depends on entity size and incident history. The cyber sub-team has materially expanded post-2022.

12 What an inspection looks for

Distilled from recent post-inspection conversations with mid-tier NBFCs and small banks:

  • Board minutes of the cyber strategy approval and quarterly reviews.
  • The CISO's last 6 months of work — committee minutes, decisions, risks tabled.
  • Asset inventory completeness — examiners pull samples and look for the asset in the inventory.
  • Last VAPT report end-to-end — SOW, methodology, findings, re-test letter, board acknowledgement of high/critical.
  • Sample DR test — last test result, RTO/RPO actuals, lessons learnt actions tracked to closure.
  • Patch compliance — show the patch dashboard for the last 90 days, with evidence of SLA breaches and the exception process.
  • Vendor risk register — pull a sample vendor and trace from due diligence to ongoing monitoring.
  • Incident log — every incident logged, classified, root-caused, lessons-learnt actions tracked.
  • SOC use-case library and a sample alert closure end-to-end.
  • User access review — last quarter's review file, with sign-offs, and evidence of revocations.

13 Common mistakes

  • CISO is the CIO. Automatic finding. Separate the roles by reporting line.
  • Cyber strategy is last year's, with the date changed. Review minutes and material changes are scrutinised.
  • VAPT certificate without the report. The certificate alone is meaningless evidence; examiners want the full report.
  • "Annual" patch SLA. Critical: 7 days. High: 30 days. Anything slower needs a documented exception with risk owner sign-off.
  • Cloud workloads with payment data outside India. Material breach of localisation; trace this carefully.
  • Vendor due diligence done once, never refreshed. Annual refresh is the floor.
  • SOC alerts without closure documentation. Examiners read closure rationales; "false positive" repeated 50 times is a red flag.
  • DR test that just confirms backups exist. A real DR test fails over to the secondary, runs production traffic, and measures RTO and RPO actuals.
  • Master Direction on IT Outsourcing not mapped to existing vendor contracts. Contracts are often 3-5 years old and predate the 2023 direction.
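The patch-SLA point above (critical 7 days, high 30 days, anything slower needs a signed exception) and the inspection ask for a 90-day patch dashboard with SLA breaches and the exception process are the same piece of evidence. The check below is an added example, not code from this page or from any RBI instrument: it runs those SLAs over a constructed list of patch tickets and counts an exception as valid only when it names a risk owner and has not lapsed, so an expired exception shows up as a breach rather than hiding it. The medium and low SLA values, the ticket and exception fields, the asset names and the sample tickets are all assumptions made for illustration.

```python
"""Patch-SLA breach check (added example; not from the page or from RBI).

Critical 7 days / high 30 days are the page's figures. The medium/low values,
the ticket and exception fields, and the sample tickets are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# SLA in calendar days from detection to patch, keyed by severity.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}
REPORT_DATE = date(2026, 6, 30)  # "today" for the constructed sample


@dataclass(frozen=True)
class SlaException:
    """A documented risk acceptance: who owns the risk, when signed, when it lapses."""
    risk_owner: str
    approved_on: date
    expires_on: date


@dataclass(frozen=True)
class PatchTicket:
    ticket_id: str
    asset: str
    severity: str                        # must be a key of SLA_DAYS
    detected_on: date
    patched_on: Optional[date] = None    # None while the ticket is still open
    exception: Optional[SlaException] = None

    def deadline(self) -> date:
        if self.severity not in SLA_DAYS:
            raise ValueError(f"{self.ticket_id}: unknown severity {self.severity!r}")
        return self.detected_on + timedelta(days=SLA_DAYS[self.severity])


def exception_is_valid(exc: Optional[SlaException], today: date) -> bool:
    """An exception only counts if a named owner signed it and it has not lapsed."""
    return (exc is not None and bool(exc.risk_owner.strip())
            and exc.approved_on <= today <= exc.expires_on)


def classify(t: PatchTicket, today: date) -> Tuple[str, int]:
    """Return (status, days past the SLA deadline) for one ticket as of `today`."""
    deadline = t.deadline()
    if t.patched_on is not None:
        late = max(0, (t.patched_on - deadline).days)
        return ("patched_in_sla" if late == 0 else "patched_late", late)
    overdue = max(0, (today - deadline).days)
    if overdue == 0:
        return ("open_in_sla", 0)
    if exception_is_valid(t.exception, today):
        return ("open_excepted", overdue)
    return ("breach", overdue)           # open, past SLA, no valid exception


STATUSES = ("patched_in_sla", "patched_late", "open_in_sla", "open_excepted", "breach")


def sla_report(tickets: List[PatchTicket], today: date) -> Dict[str, List[Tuple[str, int]]]:
    """Group tickets by status, keeping (ticket_id, days past deadline) per ticket."""
    report: Dict[str, List[Tuple[str, int]]] = {s: [] for s in STATUSES}
    for t in tickets:
        status, days = classify(t, today)
        report[status].append((t.ticket_id, days))
    return report


def compliance_rate(report: Dict[str, List[Tuple[str, int]]]) -> float:
    """Share of tickets whose SLA clock has run out that were patched in time.
    Excepted tickets are risk-accepted, not compliant, so they are left out of
    the denominator and reported on their own line."""
    expired_clock = sum(len(report[s]) for s in ("patched_in_sla", "patched_late", "breach"))
    return len(report["patched_in_sla"]) / expired_clock if expired_clock else 1.0


def sample_tickets() -> List[PatchTicket]:
    """Constructed tickets covering each status; not real findings."""
    signed = SlaException("Head of Infrastructure", date(2026, 5, 25), date(2026, 8, 31))
    lapsed = SlaException("Head of Infrastructure", date(2026, 4, 20), date(2026, 6, 15))
    return [
        PatchTicket("T-1001", "lms-app-01", "critical", date(2026, 6, 1), patched_on=date(2026, 6, 5)),
        PatchTicket("T-1002", "lms-db-01", "critical", date(2026, 6, 1), patched_on=date(2026, 6, 20)),
        PatchTicket("T-1003", "vpn-gw-01", "high", date(2026, 5, 15)),
        PatchTicket("T-1004", "legacy-core-01", "high", date(2026, 5, 1), exception=signed),
        PatchTicket("T-1005", "batch-srv-02", "high", date(2026, 4, 1), exception=lapsed),
        PatchTicket("T-1006", "hr-app-01", "medium", date(2026, 6, 20)),
    ]


if __name__ == "__main__":
    rep = sla_report(sample_tickets(), REPORT_DATE)
    for status in STATUSES:
        for ticket_id, days in rep[status]:
            print(f"{status:15} {ticket_id}  +{days}d past SLA")
    print(f"SLA compliance (expired clocks): {compliance_rate(rep):.0%}")
```

On the sample, T-1005 is the case examiners look for: it carries an exception, but the exception expired on 15 June, so as of 30 June it is a 60-day breach, not a risk-accepted item. Keeping excepted tickets out of the compliance denominator stops the rate being inflated by paperwork; they still appear on their own line with their age, which is what the exception process has to account for.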

14 90-day roadmap to inspection-readiness

If you are a mid-size NBFC or small bank with patchy compliance and an inspection on the horizon:

  • Days 1–15. CISO clarity (separate from CIO), cyber strategy refreshed and board-approved, ISC charter and quarterly meeting cadence locked.
  • Days 15–30. Asset inventory completeness, vendor register refresh, classification baseline, access review for last quarter completed and signed-off.
  • Days 30–45. VAPT scoped and kicked off with a CERT-In empanelled vendor; cyber crisis management plan refreshed and tabletop run.
  • Days 45–60. Vulnerability management metrics published; patch SLA exceptions formalised; SOC use-case library documented and reviewed with the MSSP.
  • Days 60–75. VAPT report received; high and critical findings into ticketing system with owners and target dates; board paper drafted.
  • Days 75–90. DR test executed and minuted; IT Outsourcing direction gap analysis against existing contracts; remediation plan into Audit Committee.
If you remember nothing else: RBI examiners now look for evidence chains, not certificates. Every claim — "we have a CISO", "we test annually", "we monitor 24x7" — must trace from policy to standard to operational artefact (a ticket, a log, a meeting minute) within a single sitting.

From scattered evidence to inspection-ready

A 30-minute consultation. We map your current state to the RBI Cyber Framework requirements and give you a 90-day roadmap prioritised by inspection risk, not vendor revenue.