2.13 IT and cybersecurity Master Direction

Rule summary

The RBI Master Direction – Information Technology Governance, Risk, Controls and Assurance Practices, issued on 7 November 2023, consolidates and tightens IT governance obligations for all REs. It sets explicit requirements for board oversight, IT strategy, IT operations, IT outsourcing, cybersecurity, audit, BCP, and DR.

For lenders building modern cloud-native platforms, this is the most operationally consequential single regulation after IRACP — every architectural decision (cloud, regions, encryption, access, audit) needs to be tested against it.

Source citation

RBI Master Direction – Information Technology Governance, Risk, Controls and Assurance Practices, DOS.CO.CSITEG/SEC.7/31.01.015/2023-24, dated 7 November 2023.
Predecessor: RBI Information Technology Framework for the NBFC Sector, DNBS.PPD.No.04/66.15.001/2016-17, 8 June 2017 (largely superseded by the 2023 MD).

Applicability

All scheduled commercial banks, payments banks, small finance banks, local area banks.
All NBFCs other than NBFC-BL (although NBFC-BLs are expected to follow as a matter of good practice; many provisions apply contextually).
Effective from 1 April 2024 (with phased compliance dates for various sections).

Key chapters

IT Governance

Board-approved IT strategy aligned with business strategy.
IT Strategy Committee of the board (in NBFC-ML and above).
Chief Information Officer (CIO) appointed; reports to board / specified senior management.
IT Steering Committee (executive level).

IT Infrastructure and Services Management

Documented inventory of IT assets, software, services.
Capacity management.
Change management with approvals and rollback.
Configuration management.
Patch management.

IT Service Outsourcing

Pointer to the Master Direction on Outsourcing of IT Services (10 April 2023) — see Outsourcing.
Defined IT outsourcing policy.
Vendor risk assessment.
Right to audit.
Exit plans.

Information Security

Information Security policy, board-approved.
Risk management framework.
Asset classification.
Access management — least privilege, segregation of duties, periodic review.
Cryptography — encryption at rest and in transit per defined standards.
Network security — segmentation, firewalls, IDS/IPS.
Endpoint security.
Vulnerability management and penetration testing.
Security operations centre (SOC) — internal or outsourced.

Cybersecurity

Cybersecurity policy.
Threat intelligence integration.
Incident response plan.
Cyber crisis management plan.
Periodic drills.

Business Continuity and Disaster Recovery

Board-approved BCP and DR policies.
Defined RPO (Recovery Point Objective) and RTO (Recovery Time Objective) for critical services.
Periodic DR drills (at minimum annual; quarterly for critical systems is good practice).
Geographic separation between primary and DR.

IT Audit

Independent IT audit (annual at minimum).
Findings tracked and remediated.

Reporting to RBI

Material cyber incidents to be reported to RBI within 6 hours of detection (per the CERT-In direction and RBI cybersecurity guidelines).
Reports under the Cyber Security & IT Examination (CSITE) framework periodically.

Cloud-specific considerations

The MD recognises cloud usage but treats it as IT outsourcing — with attendant due diligence, contract clauses (audit rights, data location, breach notification, exit), and risk management. NBFCs running on public cloud (AWS, Azure, GCP, OCI) must:

Have a board-approved cloud strategy.
Demonstrate that cloud-stored data complies with data localisation (RBI Payment System Data Storage direction, AA framework, DPDP Act).
Have a documented exit / portability plan.
Maintain RBI’s right to inspect cloud resources used for regulated activities.

Product implications

All borrower data stored within India by default (Payment System Data Storage applies if any payment data; AA framework explicit on data localisation; DPDP allows transfer to non-restricted countries but RBI’s IT MD effectively keeps regulated-entity data in India).
Encryption at rest with documented key management.
TLS 1.2+ for data in transit.
MFA for all admin / privileged access.
No production data in non-production environments without strict masking.

System implications

Identity and access management (IAM) — SSO, MFA, role-based, periodic access review, joiner / mover / leaver process.
Audit logging at every layer — application, database, infrastructure. Log integrity protected.
Secrets management — vaulted, rotated, never in code.
Encryption — TLS in transit, AES-256 at rest, KMS-managed keys.
Backup with documented RPO and tested restoration.
DR with documented RTO and periodic drill.
Vulnerability management — scheduled scans, patch SLA.
Penetration testing — annual external pen test minimum.
SIEM / SOC — log aggregation, threat detection, on-call.
Incident response runbook — documented, drilled.
Vendor risk register — DPA, audit rights, exit plans.

Documents that must be generated

IT strategy (board-approved).
Information security policy.
BCP / DR plan.
Incident response plan.
IT audit reports.
Cyber incident reports.
Cloud strategy.
Vendor risk register.

Workflow that must exist

New asset onboarding to inventory.
Change management with approvals.
Quarterly access review.
Annual IT audit.
Annual pen test.
Quarterly DR drill (critical systems).
Incident response with <= 6 hour RBI reporting on material incidents.

Reports that must be produced

IT audit annual.
Pen test annual.
BCP / DR drill quarterly.
Cyber incident log.
CSITE returns (per RBI schedule).

Audit evidence required

All policies signed off by board.
IT audit working papers.
Pen test reports and remediation.
Access review evidence.
Incident response logs.

Sources

RBI Master Direction – Information Technology Governance, Risk, Controls and Assurance Practices, DOS.CO.CSITEG/SEC.7/31.01.015/2023-24, 7 November 2023.
CERT-In direction on cyber incident reporting (April 2022).
RBI Cyber Security Framework in Banks (2016) and successor circulars.
RBI Storage of Payment System Data (April 2018).