Non-Banking Financial Companies (NBFCs) in India are key players in the country's economy and have grown in size and complexity over the years. As the industry has matured, so has its need for an Information Technology / Information Security (IT/IS) framework, Business Continuity Planning (BCP), Disaster Recovery (DR) management and IT audit that are benchmarked to best practices.
In view of this, RBI issued the Master Direction - Information Technology Framework for the NBFC Sector. It addresses weaknesses in the cyber security governance of NBFCs and is driven by the need to mitigate the cyber threats that come with the evolving technology these companies adopt.
Under the directive, NBFCs are expected to strengthen their security measures to protect both their customers and themselves. An NBFC may already have implemented some of the requirements stated in the directive; however, a periodic formal gap analysis is still necessary to confirm and maintain compliance. The analysis is to be conducted by a CERT-In empaneled organization.
The IT framework focuses mainly on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. Its requirements are split into two sections according to the NBFC's asset size:
Section A: NBFCs with asset size above ₹500 crore
Section B: NBFCs with asset size below ₹500 crore; similar but simpler requirements than Section A
As a CERT-In Empaneled Security Auditor, QRC is authorized to help you understand, manage and comply with the RBI guidelines and circulars that are released from time to time.
Our approach for assessment is as follows:
Information Gathering & Documentation Review
We share a detailed questionnaire with your teams and collect supporting documentation and evidence on the architecture, implementation and controls so that we understand the data flow in your organization. The organization's policies, procedures and other documents are reviewed against the requirements of the directive.
Gap Assessment & Remediation Support
After the scope has been defined as per the Master Direction - Information Technology Framework for the NBFC Sector and the initial engagement is complete, we conduct an initial audit to understand the organization's infrastructure and help your teams identify evidence for every audit point. Wherever evidence is missing or a control falls short of the requirement, the gap is recorded and areas of improvement are suggested.
Based on the assessment findings, QRC provides remediation support to help you comply with the RBI mandate.
Report & Confirmation Letter
After assessment and remediation, we review your evidence for the closure of the action items identified during the audit. On successful closure, we issue a confirmation letter stating that the identified gaps have been closed and the NBFC complies with the Master Direction.
A successful security audit against the stated RBI guidelines gives the NBFC an appropriate assessment of its technology risks and of the control environment around its critical business processes.