RBI Cyber Security Guidelines for NBFC

Non-Banking Financial Companies (NBFCs) are key players in the Indian economy and have grown in size and complexity over the years. As the sector has matured, so has its need for an Information Technology / Information Security (IT/IS) framework, Business Continuity Planning (BCP), Disaster Recovery (DR) management and IT audit, all benchmarked to best practices.

In view of this, the RBI issued Master Directions and guidelines for Non-Banking Financial Companies to address weaknesses in their cyber security governance frameworks, driven mainly by the need to mitigate the cyber threats that accompany the evolving technology these companies adopt.

As per the directive, NBFCs are expected to strengthen their security measures to protect both their customers and the NBFC itself. Many NBFCs will already have implemented some of the requirements stated in the directive; even so, a periodic formal gap analysis is necessary to confirm continued compliance. The analysis is to be conducted by a CERT-In empaneled organization.

The IT framework focuses mainly on IT Governance, IT Policy, Information and Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The guidelines are split into two parts depending on the NBFC's asset size:

Section-A: NBFCs with an asset size above 500 crore -

  1. IT Governance
  2. IT Policy
  3. Information and Cyber Security
  4. IT Operations
  5. IS Audit
  6. Business Continuity Planning
  7. IT Services Outsourcing


Section-B: NBFCs with an asset size below 500 crore -

Similar requirements to those of Section-A, but simpler and lighter in scope.

As a CERT-In empaneled security auditor, QRC is authorized to help you understand, manage and comply with the RBI guidelines and circulars that are released from time to time.

Our approach for assessment is as follows:

Information Gathering & Documentation Review

We share a detailed questionnaire with your teams and collect the supporting documentation and evidence on your architecture, implementation and controls, so that we understand how data flows through your organization. Your policies, procedures and other relevant documents are reviewed at this stage.

Audit Process

After the initial engagement, the scope is defined as per the Master Direction - Information Technology Framework for the NBFC Sector. We then conduct an initial audit to understand the organization's infrastructure and help you identify evidence for each audit point. Where gaps are found against an audit point, areas of improvement are suggested wherever possible.

Based on the assessment findings, QRC provides remediation support to help you comply with the RBI mandate.

Report & Confirmation Letter

After assessment and remediation, we review your evidence for the closure of the action items identified during the audit. On successful closure, we issue a confirmation letter stating that the identified gaps have been closed in line with the RBI Master Direction.

A successful security audit against the stated RBI guidelines ensures that the technology risks and the control environment of the NBFC are properly assessed in relation to its critical business processes.

  • The assessment confirms that the systems are suitable and operate securely as designed.
  • It builds confidence, since an independent third-party opinion is obtained that helps steer the organization's operations towards better services.
  • NBFC audits give assurance to organizations and partners who outsource IT systems that perform critical operations that their service organizations have the procedures and controls in place to deliver consistent and reliable services.
  • Audits conducted by a CERT-In empaneled auditor allow our clients to proactively identify vulnerabilities in their IT infrastructure and validate the effectiveness of their current security safeguards.
  • The organization's security can be improved through the suggestions and feedback of the experienced QRC team.
