On November 7, 2023, the Reserve Bank of India (RBI) made a landmark announcement presenting the Master Direction on Risk, Information Technology Governance, Controls, and Assurance Practices. These rules are intended to strengthen overall risk management and cybersecurity resilience, and they apply to a variety of financial firms, such as banks and NBFCs.
This is a response to the rise in cyber incidents, with more than 1.39 million reported in 2022 alone. The financial industry is becoming vulnerable to damaging cyberattacks such as ransomware, zero-day exploits, and denial-of-service attacks. Acknowledging the gravity of the situation, RBI has taken action to strengthen cybersecurity in financial institutions.
Key Implications of RBI’s Master Direction:
- Enhanced Responsibility and Monitoring: The Board of Directors is now more heavily involved in the approval process for plans related to crisis management, security, and IT strategy. Senior management is also responsible for ensuring that cybersecurity rules are implemented effectively.
- Robust IT Governance Framework: Board committees, senior management, and IT leadership must all clearly own cybersecurity and IT strategy, according to the standards. The recommendations also call for establishing an IT steering committee with representatives from business and technology departments to supervise senior management in the areas of IT risk management, project implementation, architecture standards and so on.
- Amplified Focus on Risk Assessment: In today’s risk management, cyber risks are part of the wider picture. It will be imperative to monitor these risks and update the board and IT strategy committee on a regular basis. Furthermore, it is necessary to make declarations regarding the acceptable level of risk (risk appetite) in order to direct the distribution of resources. The IT and risk teams must collaborate on this, from risk identification through to quarterly reporting.
- Boosting Cybersecurity Protocols: The revised master direction represents a significant shift toward giving cybersecurity priority over IT risks. Regulated entities now need to strengthen their cybersecurity defenses in a number of ways, including training qualified staff for cyber forensics, incident response, threat hunting, and ongoing security monitoring. They have to set up strong Security Operations Centers (SOCs) and put in place 24x7 network and endpoint threat monitoring. Performing routine cyber risk assessments, putting multi-factor authentication in place, and developing capacities for efficient cyber crisis management are also required. Significant resources must be allocated to cybersecurity, whether handled internally or externally. Working together via IB-CART (Indian Banks - Center for Analysis of Risks and Threats) and other platforms is essential for exchanging intelligence about new cyberthreats.
- Business Continuity and Disaster Recovery Management: Financial institutions are required to perform half-yearly disaster recovery drills, define recovery time objectives, and evaluate the impact on business operations. In order to address gaps such as untested failover plans, banks must align their Disaster Recovery (DR) and Business Continuity (BC) plans with RBI recommendations. RBI stresses that banking services should continue even in the event of disruptions.
- Monitoring Third-Party Risks: RBI emphasizes the risks involved with financial institutions relying on cloud services and tech vendors. Regulated entities must conduct collaborative testing for service levels, monitor compliance with RBI guidelines, and routinely assess supplier risks. It is required to maintain source code escrows for critical IT services. To reduce the risks associated with IT vendors, enhanced governance and security reviews are necessary.
- Elevating IT Audit Standards: In its master direction, RBI emphasizes increased accountability for IT audits of significant IT investments. It recommends that regulated entities conduct continuous, automated IT audits under a risk-based information systems audit approach, especially for critical systems. The findings must be monitored by the board’s audit committee, which focuses on vendor risks, DR readiness, access controls, and cybersecurity.
This master direction issued by the RBI is a positive step in protecting India’s financial sector in this era of everything digital! It offers explicit recommendations for strengthening cybersecurity, resilience, risk management and IT governance. Even though there will be implementation difficulties, the journey is indeed worthwhile because enhanced cyber resilience and customer trust are the results. Regulators around the world can use the master direction as a guide to monitoring cyber risks in the financial industry.
- Akshara Joshi on LinkedIn