RBI IT Outsourcing Incident Response: When Vendor Cyber Incidents Become Yours

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

RBI’s Master Direction on IT Outsourcing (April 2023) treats cloud and SaaS as material outsourcing requiring board approval and a prior risk assessment. When a cyber incident happens at a vendor, the regulated entity (you) remains accountable. This article covers vendor-incident response under the Master Direction.

The rule

RBI Master Direction on Outsourcing of IT Services para 9.3-9.4: “The regulated entity shall be responsible for the activities outsourced and shall ensure that the service provider has adequate capability for handling such incidents… The reporting timeline to RBI applies regardless of which party detected or caused the incident.”

Translation: from the regulator’s perspective, the vendor’s incident is your incident.

The contractual prerequisites

Every material vendor contract should include:

# Clause: Cyber Incident Notification

Service Provider ("Vendor") shall notify Customer of any cyber security incident
affecting Customer's data or services within FOUR (4) hours of detection by Vendor's
Security Operations Center or any equivalent function.

Notification shall include:
- Time of detection
- Nature and scope of incident
- Affected Customer data / services
- Initial mitigation steps taken
- Anticipated next-step actions

Vendor shall provide subsequent updates every TWO (2) hours until containment.

Vendor shall preserve all forensic evidence and provide unrestricted access to
Customer's nominated forensic responders.

Customer reserves the right to participate in or independently conduct investigation,
to take over response activities, and to require Vendor to coordinate with regulator
notifications including RBI within statutory timelines.

The playbook for vendor-side incidents

Vendor reports incident at time V
├── Within 1 hour of V:
│   ├── Engage internal CISO + Vendor Risk team
│   ├── Confirm scope: which Customer data / services affected
│   └── Activate vendor relationship management protocol
├── Within 2 hours of V:
│   ├── Decide: do we report to RBI now or after more details?
│   │   ├── If customer data clearly affected: report now
│   │   └── If under investigation: report with "under investigation" status
│   └── Notify Audit Committee chair, GC
├── Within 4-6 hours of V:
│   └── RBI notification using standard template (vendor-incident variant)
├── Within 24 hours:
│   ├── Independent verification of vendor's mitigation
│   ├── Customer-facing communication if customer-impacting
│   └── Plan for vendor-of-vendor (4th party) impact assessment
└── Post-incident:
    ├── Vendor risk re-assessment
    ├── Possible contract enforcement (penalties, exit)
    └── Lessons learnt to vendor risk register

Common gaps

  • Vendors without a 4-hour notification clause — many legacy contracts allow 24-72 hour notification, which is incompatible with RBI’s 2-6 hour window for the regulated entity
  • Vendors that won’t share forensic data — confidentiality clauses sometimes block customer access to investigation evidence
  • Sub-processor opacity — the vendor’s vendor is compromised; the vendor doesn’t know; you don’t know
  • Cloud provider incidents — AWS / Azure / GCP publish shared-responsibility models; their detection of a broader-scope incident may never reach you
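As an added illustration (not code from the article, RingSafe or RBI), the following Python turns the playbook above and the notification-clause gap into two runnable checks: a scan of a contract inventory for clauses that fall short of the 4-hour notification and forensic-access bar, and a deadline tracker that computes the playbook's milestones from the vendor report time V and the hours left in the RBI window counted from detection. The 4-hour and 6-hour figures are the article's; the vendor names, SLA values and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Figures taken from the article: the contract clause requires vendor
# notification within 4 hours, and the regulated entity's own RBI reporting
# window is 2-6 hours. Everything else here is an assumption of this example.
REQUIRED_VENDOR_NOTIFY_HOURS = 4
RBI_REPORT_WINDOW_HOURS = 6


@dataclass(frozen=True)
class VendorContract:
    vendor: str                    # hypothetical vendor label
    material: bool                 # material outsourcing under the Master Direction
    notify_hours: Optional[float]  # contractual notification SLA; None = no clause
    forensic_access: bool          # clause granting access to forensic evidence


# Constructed sample contract inventory; the vendors are invented for this example.
SAMPLE_CONTRACTS = [
    VendorContract("core-banking-saas", True, 4, True),
    VendorContract("legacy-payments-gateway", True, 72, False),
    VendorContract("hr-portal", False, 24, True),
    VendorContract("cloud-iaas", True, None, False),
]


def contract_gaps(contract: VendorContract) -> List[str]:
    """List the ways one contract falls short of the article's bar."""
    gaps = []
    if contract.notify_hours is None:
        gaps.append("no cyber incident notification clause")
    elif contract.notify_hours > REQUIRED_VENDOR_NOTIFY_HOURS:
        gaps.append(f"notification SLA {contract.notify_hours:g}h exceeds "
                    f"{REQUIRED_VENDOR_NOTIFY_HOURS}h")
    # The RBI clock runs regardless of who detected the incident, so a vendor that
    # may lawfully wait longer than the window leaves the regulated entity out of
    # time before it even hears of the event.
    if contract.notify_hours is None or contract.notify_hours >= RBI_REPORT_WINDOW_HOURS:
        gaps.append(f"vendor may notify after the {RBI_REPORT_WINDOW_HOURS}h RBI window")
    if not contract.forensic_access:
        gaps.append("no forensic evidence access clause")
    return gaps


def scan_material_contracts(contracts: List[VendorContract]) -> Dict[str, List[str]]:
    """Gaps per material vendor; non-material vendors are out of scope here."""
    return {c.vendor: contract_gaps(c) for c in contracts if c.material}


def playbook_deadlines(v: datetime) -> Dict[str, datetime]:
    """The playbook's deadlines, measured from the vendor's report time V."""
    return {
        "engage_ciso_and_vendor_risk": v + timedelta(hours=1),
        "rbi_report_decision": v + timedelta(hours=2),
        "rbi_notification_earliest": v + timedelta(hours=4),
        "rbi_notification_latest": v + timedelta(hours=6),
        "verify_vendor_mitigation": v + timedelta(hours=24),
    }


def rbi_hours_remaining(detected_at: datetime, now: datetime) -> float:
    """Hours left in the RBI window, counted from detection (negative = blown)."""
    deadline = detected_at + timedelta(hours=RBI_REPORT_WINDOW_HOURS)
    return (deadline - now).total_seconds() / 3600


def overdue_actions(v: datetime, now: datetime, completed: set) -> List[str]:
    """Playbook actions whose deadline has passed and which are not yet done."""
    return sorted(action for action, due in playbook_deadlines(v).items()
                  if now >= due and action not in completed)


if __name__ == "__main__":
    for vendor, gaps in scan_material_contracts(SAMPLE_CONTRACTS).items():
        print(vendor, "->", gaps or ["OK"])
    # Constructed timeline: vendor SOC detects at 09:00 UTC, reports at 13:00 UTC.
    detected = datetime(2026, 4, 25, 9, 0, tzinfo=timezone.utc)
    reported = datetime(2026, 4, 25, 13, 0, tzinfo=timezone.utc)
    print("RBI hours remaining at report time:", rbi_hours_remaining(detected, reported))
    print("Overdue at V+3h:", overdue_actions(reported, reported + timedelta(hours=3), set()))
```

The design choice worth noting is that `rbi_hours_remaining` counts from the vendor's detection, not from V, because the quoted rule says the reporting timeline applies regardless of which party detected the incident; a vendor that uses its full 4-hour notification allowance leaves only 2 hours of a 6-hour window, which is why the scan also flags any SLA at or beyond the window itself.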

The vendor risk re-assessment trigger

After any vendor incident affecting your data:

  • Re-run vendor security questionnaire
  • Demand updated SOC 2 / ISO 27001 evidence
  • Site visit if material vendor
  • Penetration test of vendor’s customer-facing infrastructure (where contractually permitted)
  • Incident-response capability re-assessment
  • Decision: continue, remediate-then-continue, exit

The takeaway

RBI’s Master Direction on IT Outsourcing makes vendor incidents your incidents. Contractual prerequisites (4-hour notification, forensic access, regulator coordination) are non-negotiable. Quarterly review of vendor contracts against this bar is the discipline that turns RBI inspection conversations from awkward to confident.
