RBI, or the Reserve Bank of India, is the central banking institution of India that regulates the country’s monetary policies and manages the country’s banking system. In recent years, the RBI has also taken a more proactive approach to address the issue of cyber security and compliance in the financial services sector.
The RBI’s focus on cyber security is a response to the wider industry trend towards online banking, with 68 percent of Indian consumers now using online or mobile banking to conduct financial transactions. From a compliance standpoint, increasing numbers of data privacy breaches in this threat landscape call for unifying approaches across the financial sector.
Financial institutions are among the most heavily targeted organizations in today’s cyber threat landscape by profit-hungry threat actors. To ensure a better grasp of cyber risk management across the banking industry and update compliance requirements, the RBI released a set of controls and guidelines in 2016 known as Cyber Security Framework in Banks. More recently, the RBI published a more extensive set of initiatives related to compliance, risk management, and corporate governance. This article provides a run-through of the RBI’s Cyber Security Framework and the more recent RBI compliance rules.
Three-Tier Structure of the RBI Cyber Security Framework
The Cyber Security Framework was issued as an RBI circular, so it serves as a notice of both guidance and regulatory requirements for all scheduled commercial banks in India, including cooperative banks. The most notable element from a regulatory compliance standpoint is that banks are mandated to create a cyber security policy approved by the board of directors. This policy must then be communicated to the Cyber Security and Information Technology Examination (CSITE) cell in Mumbai.
Annex 1 – Baseline Cyber Security and Resilience Requirements
The framework outlines several important controls and processes for achieving a baseline level of cyber security and resilience, including:
- Data Leak Prevention Strategy (learn more here about how Endpoint Protector helps with this element of the RBI Cyber Security framework)
- User Access Control
- Patch Management
- User Training and Awareness
- IT Asset Inventory
- Vendor Risk Management
Annex 2 – Cyber Security Operation Centre (C-SOC)
The second annex details the requirement to establish a cyber security operation centre (C-SOC). The C-SOC provides the continuous monitoring of the environment that the RBI deems necessary. A combination of appropriate tools, clearly defined policies and procedures, and technically competent security staff is flagged as pivotal across the industry.
Annex 3 – Security Incident Reporting (CSIR)
The framework also requires banks to report security incidents to the RBI within two to six hours of discovery, with follow-up reports where the initial report was incomplete. The reporting template has six sections, covering items such as the chronological order of events, root cause analysis, and the targeted incident resolution date.
RBI Compliance Functions in Banks
A document published in September 2020 outlines the requirements for banks to have a compliance culture, strong compliance risk management, and an independent corporate compliance function.
A Board-approved compliance policy must clearly spell out the bank’s compliance philosophy and the role of the compliance function. The compliance function also has to monitor and periodically test compliance by performing sufficient and representative compliance testing. Another responsibility of the compliance function is to report on compliance failures and breaches (non-compliance).
The compliance policy also sets out the expectations for ensuring compliance with all applicable statutory provisions, rules and regulations, and codes of conduct. Each bank’s compliance function must be spearheaded by a chief compliance officer (CCO).
The CCO’s minimum tenure is three years. Some eligibility criteria for appointing an appropriate person to the role include:
- a senior executive, such as a chief general manager, not more than two levels below the chief executive officer (CEO)
- no older than 55
- at least 15 years of experience in banking or financial services
The CCO must have a direct reporting line to the Managing Director (MD) & CEO and/or to the Board or its Audit Committee (ACB). If the CCO reports directly to the MD & CEO, there must also be, at minimum, a quarterly meeting between the CCO and the bank’s audit committee, held without the presence of senior management (i.e. the MD & CEO).
Banks cannot assign their designated CCO any duties that would create a conflict of interest with the core compliance role. The CCO must design and maintain the bank’s compliance framework. These RBI compliance requirements apply to all scheduled commercial banks, excluding Regional Rural Banks (RRBs).
Risk-Based Internal Audits
Published in February 2021, an RBI document outlines the need for a risk-based internal audit methodology at all Primary (Urban) Co-operative Banks (UCBs) with an asset size of ₹500 crore or more, all deposit-taking Non-Banking Financial Companies (NBFCs), and all non-deposit-taking NBFCs with an asset size of ₹5,000 crore or more. Some key requirements are:
- Undertake an independent risk assessment that accounts for inherent business risks emanating from each business activity and the effectiveness of the control systems for monitoring those risks.
- The risk assessment can use both quantitative and qualitative approaches to determine risk levels and trends for different business activities and functions.
- In addition to transaction testing, evaluate risk management systems and control procedures in various areas of operations (e.g. cyber security).
- Establish a plan, scope, objective, timeline, and resource allocations prior to any internal audit assignment.
Navigating Your RBI Compliance Challenges
In addition to combating sophisticated threat actors, organizations must also work to remain compliant with increasingly strict regulations. Navigating the compliance landscape in banking can be a minefield, with documents often shrouding the necessary actions in complex legal language. Hopefully, this article clarifies much of what the RBI expects in terms of cyber security, the internal compliance function, and internal audit.
Thankfully, compliance also becomes easier with the aid of tools and solutions. With an entire chapter dedicated to data loss, the RBI Cyber Security Framework calls for protecting data against loss, leak, and theft across its lifecycle.
Endpoint Protector helps Indian banks protect confidential data throughout their entire network, regardless of whether the computers are Windows, macOS, or Linux-based. Beyond just data loss prevention, Endpoint Protector also comes with features that help address some of the other baseline requirements for cyber resilience around removable media, user access control, and real-time threat defense.