RBI Cyber Security Framework for Banks

With an ever-expanding cyberthreat landscape and rising data breaches, financial and information systems need to be under tighter security controls. Traditional compliance requirements are failing to keep pace with the growing sophistication of today's cyberattacks, and hence businesses and government organizations need to ensure that they are at the forefront of defending against these advanced adversaries. In 2011, the central banking institution released extensive IT security guidelines, but it felt compelled to update its guidance, partly because the original advisory didn’t sufficiently address the need for post-breach capabilities. The RBI’s Cybersecurity Framework in Banks is one such step towards safeguarding crucial business assets and ensuring security compliance and data integrity.

The RBI’s Cybersecurity Framework defines requirements for modern financial organizations to protect themselves from the evolving attack techniques that cyber attackers develop every day. The framework addresses three core areas:

  1. Establish Cyber Security Baseline and Resilience
  2. Operate Cyber Security Operations Centre
  3. Cyber Security Incident Reporting (CSIR).

The Baseline Cyber Security and Resilience Requirements consist of:

  • Need for a Board approved Cyber-security Policy
  • Cyber Security Policy to be distinct from the broader IT policy / IS Security Policy of a bank
  • Arrangement for continuous surveillance
  • IT architecture should be conducive to security
  • Comprehensively address network and database security
  • Ensuring Protection of customer information
  • Cyber Crisis Management Plan
  • Cyber security preparedness indicators
  • Sharing of information on cyber-security incidents with RBI
  • Supervisory Reporting framework
  • An immediate assessment of gaps in preparedness to be reported to RBI
  • Organizational arrangements
  • Cyber-security awareness among stakeholders / Top Management / Board

After having an efficient surveillance system, the framework outlines the need to:

Operate Cyber Security Operations Centre:

The Cyber SOC must provide proactive monitoring and management capabilities, with sophisticated tools for detection and quick response, backed by data and tools for sound analytics. The guidelines specifically call out the use of honeypot services. This is one of the very few places where the framework specifies a particular technology, which speaks to the clear value of honeypot solutions in detecting and responding to advanced threats.

Cyber Security Incident Reporting (CSIR):

Banks are to promptly notify RBI of any or all “unusual” cyber-security incidents, whether successful or not. The notification can take no more than 6 hours, which means that detection and analysis must take place extremely quickly.

The Incident Report plan includes a Cyber Crisis Management Plan (CCMP), addressing Incident Detection, Response, Recovery and Containment.

As a CERT-IN Empaneled Security Auditor, QRC has been working with the RBI & NPCI Guidelines, assessing your organization with a holistic approach and helping banks address the multiple security challenges arising out of RBI’s regulatory requirements. We assess all the security controls that deal with customer data.

Our approach for assessment is as follows:

Information Gathering & Documentation Review

We share a detailed questionnaire with your teams, along with other documentation, and collect evidence on the architecture, implementation and controls to understand the data flow.

Audit Process

After scope definition and initial engagement, we will conduct an initial audit as per the Cyber Security Framework put forth by RBI to better understand the organization's infrastructure. This helps our clients identify all the critical system platforms, network and physical components, and storage locations of the sensitive information under scope, as per the audit requirement.


Based on the assessment and the identification of the data assets, QRC will provide remediation support for the infrastructure that supports the relevant business processes, in compliance with the RBI mandate.

Report & Confirmation Letter

After assessment and remediation, we will review your evidence on the closure of the Action phase items identified during the audit. On successful closure, we will share the confirmation letter that all payment-related data is residing inside India.

Aligning your organization's controls with the RBI Cybersecurity Framework significantly reduces the impact on the business in the wake of a cybersecurity incident. Banks need to assess their cybersecurity preparedness under the active guidance and oversight of the IT Sub Committee of the Board or the Bank’s Board directly. The audit will significantly help in:

  • Establishing strong governance collaboration within industry advanced real-time capabilities
  • Identifying gaps w.r.t. the Cyber Security/Resilience Framework and closing them effectively
  • Updating the measurement criteria for assessing the effectiveness of controls, including the risk assessment and risk management methodology followed by the bank
  • Improving customer trust and building cyber resilience
  • Proactive reporting and collaboration within industry 24x7 operations center with advanced real time capabilities (continuous surveillance)
