RBI Cyber Security Framework
cyber resilience expectations for India financial institutions

RBI cyber security in context: cyber resilience expectations for India financial institutions

The Reserve Bank of India sets cyber security expectations across the regulated financial population through three connected supervisory communications. The 2016 Cyber Security Framework in Banks circular (DBS.CO.CSITE.BC.NO.11/33.01.001/2015-16) issued 2 June 2016 anchors the foundational expectation for scheduled commercial banks. The Master Direction on IT Governance, Risk, Controls and Assurance Practices (DoS.CO.CSITEG.SEC.7/31.01.015/2023-24) issued 7 November 2023 and effective 1 April 2024 consolidates IT governance and information security expectations across scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, top-layer NBFCs, and credit information companies. The Master Direction on Information Technology Governance and Information Risk Management for NBFCs sets the equivalent expectation for top-layer and upper-layer non-banking financial companies. For an RBI-regulated institution, these documents are not optional reference material; they are the working framework the Department of Supervision Cyber Security and IT Examination Group (CSITE) examiner uses to read the cyber security programme.

RBI sits inside a wider international picture for financial-sector cyber security supervision. For European entities, the Digital Operational Resilience Act sets the comparable obligations, including threat-led penetration testing through the TIBER-EU framework. For UK entities, the CBEST scheme applies the intelligence-led approach under the Bank of England and the Financial Conduct Authority. For Hong Kong entities, the HKMA Cyber Resilience Assessment Framework runs an inherent risk, maturity, and iCAST sequence. For Singapore entities, the MAS Technology Risk Management Guidelines carry the equivalent obligation. For Australian entities, the APRA CPS 234 prudential standard applies. For US entities, the FFIEC IT Examination Handbook and the Cybersecurity Assessment Tool set the equivalent expectation. The RBI framework is the India equivalent, with the 2016 Cyber Security Framework in Banks circular and the Master Direction on IT Governance, Risk, Controls and Assurance Practices as the central references and CSITE as the examination function.

In-scope entities: who RBI cyber security expectations apply to

RBI cyber security expectations apply across the supervised population of the Reserve Bank of India. The depth of application is calibrated to the institution size, complexity, and risk profile rather than to a single threshold. The summary below is the working categorisation; the Reserve Bank of India and the RBI Department of Supervision remain the authoritative source for any specific scope question.

The 2016 Cyber Security Framework in Banks circular

The 2016 circular requires the bank board to approve a cyber security policy distinct from the broader IT policy, classify the institution into a tier based on inherent risk, evidence the baseline cyber security and resilience requirements per tier, operate a Cyber Crisis Management Plan, and report cyber incidents to the RBI cyber security and IT examination cell on the indicative timeline. The circular treats cyber security as a board-level obligation rather than as a delegated technology operations matter, with named accountable executives, explicit gap assessment, and a working programme that operationalises the policy in day-to-day controls.

Vulnerability scanning evidence, penetration test findings, and configuration assessment records sit at the centre of the baseline cyber security and resilience requirements. The penetration testing workflow keeps engagement, findings, and remediation tied to a single record. The scanner result triage workflow covers turning raw scanner output into assessor-ready findings without losing the audit trail. For the analytical view of how a finding ages into a remediation backlog, the aging pentest findings research covers why an open finding that lingers across cycles reads to a CSITE examiner as a programme weakness rather than as a delivery delay.

Tier classification and the baseline-by-tier model

The 2016 Cyber Security Framework in Banks circular requires the institution board to classify the bank into a tier on the basis of inherent risk drivers: the technology footprint, the number of internet-facing systems, the transaction volume, the digital and mobile channel exposure, the third-party connectivity, the customer base, and the systemic relevance of the institution to the wider financial system. The tier sets the baseline control expectations and the depth of supervisory dialogue. Higher-tier institutions evidence stronger detection, response, and recovery capabilities than lower-tier institutions and run a deeper testing programme, with the supervisory expectation calibrated to the inherent risk driver picture rather than to a single threshold.

The tier classification is the upstream decision: the tier sets the target operating capability for the cyber security programme, and the gap assessment against the tier baseline drives the prioritisation of remediation activity. Treating tier classification as a one-time exercise rather than as a recurring decision the inherent risk picture refreshes is a common structural mistake; the supervisory dialogue expects the tier classification to be reviewed on cadence and on material change.

The 2023 Master Direction on IT Governance, Risk, Controls and Assurance Practices

The Master Direction issued 7 November 2023 and effective 1 April 2024 consolidates IT governance and information security expectations across scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, top-layer NBFCs, and credit information companies. The Master Direction is structured across the IT governance framework, the IT risk management framework, the information security policy and operating model, IT services management and IT operations, information systems audit and assurance, and business continuity and disaster recovery. The Master Direction does not displace the 2016 Cyber Security Framework circular; the documents read together as the working supervisory expectation.

Baseline cyber security and resilience controls

The baseline control set sits across the 2016 Cyber Security Framework in Banks circular and the Master Direction on IT Governance, Risk, Controls and Assurance Practices. The controls below are the working catalogue the supervisory dialogue reads against; each control is examined for design, for operation, and for the evidence the control produces on a continuous basis rather than at examination time only.

Vulnerability Assessment and Penetration Testing under RBI

The supervisory expectation is for recurring vulnerability assessments and penetration testing on internet-facing systems, online banking and mobile banking platforms, payment gateways, ATM and card management systems, and any system that processes customer-sensitive data. The cadence is calibrated to the institution tier and the criticality of the system tested, with at least an annual VAPT cycle on critical systems and on material change as the working baseline. Larger institutions and institutions with significant digital transaction volume frequently run adversarial exercises (red team or scenario-led testing) on top of the recurring VAPT programme to evidence the detection and response capability against realistic threat actor behaviour.

The institution retains the test scope, the test report, the findings register with severity and remediation plan, and the retest evidence in the form CSITE can examine without reconstruction. The supervisory dialogue tests whether testing produces actionable findings and whether fixes are applied before a finding becomes an incident. Application security testing on customer-facing channels, mobile banking application testing, payment system testing, and configuration assessment of critical infrastructure all sit inside the institution evidence pack alongside the test reports.

For the workflow that runs adversarial exercises from scope to attestation on a single engagement record, the threat-led penetration testing workflow covers the cycle end to end. The red teaming workflow keeps timestamps, attack paths, and operator notes structured so the closure record is the working record rather than a rebuilt one. For the recurring VAPT cycle that tracks the supervisory cadence, the penetration testing workflow keeps the engagement record and the remediation backlog tied to a single defensible artefact, and the retesting workflow evidences the closure of findings the examiner expects to see verified rather than self-attested.

Cyber Crisis Management Plan and incident response

The Cyber Crisis Management Plan is a documented programme covering detection, containment, eradication, and recovery; cyber incident scenarios including ransomware, destructive attack, and prolonged outage; the integration with broader business continuity and disaster recovery; the named crisis management team; the communications plan; and the testing cadence that exercises the plan rather than only describing it. The supervisory dialogue tests whether the plan can be operated under pressure, whether the runbooks are current, whether the communication tree is up to date, and whether the lessons-learned cycle from the most recent exercise has been applied to the controls the exercise touched.

The CCMP exercise calendar runs against the realistic threat picture the institution operates in, with scenarios calibrated to the institution tier and the systems most critical to operations. Tabletop exercises walk the crisis management team through a scenario without operational disruption; live or simulated technical exercises stress the detection and response capability against scripted adversarial activity. Both exercise types feed into the CCMP record alongside the post-exercise lessons-learned closure.

Incident reporting to RBI and CERT-In

Cyber incident reporting operates on two parallel tracks. RBI cyber incident reporting goes to the cyber security and IT examination cell on the indicative timeline (typically 2 to 6 hours from detection of a material incident, depending on the institution category and the applicable supervisory communication). Parallel reporting to the Indian Computer Emergency Response Team (CERT-In) operates under the CERT-In Information Security Practices, Procedure, Prevention, Response and Reporting of Cyber Incidents directions. The CERT-In directions issued in April 2022 require reporting of specified cyber incidents within 6 hours of noticing such incidents or being brought to notice about such incidents.

The institution evidence pack records the detection time, the materiality determination time, the regulator notification trail (both the RBI submission and the CERT-In submission where applicable), the post-incident review, and the lessons-learned closure applied to the controls the incident touched. Customer notification of unauthorised access to customer information sits alongside the regulator notifications under the same incident reference, with the timing and content of the customer communication tracked in the same record. The supervisory expectation is that the response is grounded in the evidence pack rather than reconstructed from email and shared drives at the deadline moment.

CSITE supervision and the Cyber Security Operations Centre

The Department of Supervision Cyber Security and IT Examination Group (CSITE) operates the supervisory examination programme that reads the institution cyber security programme. The CSITE examination cycle reviews the cyber security policy, the tier classification, the baseline control set, the VAPT programme, the CCMP exercise record, the incident register, the third-party register, and the information systems audit reports. The dialogue is evidence-based: each examination question reads against the artefact the institution has retained, the policy reference, the control owner, and the supervisory communication thread.

Higher-tier institutions evidence a Cyber Security Operations Centre (C-SOC) capability, threat intelligence consumption, security monitoring across critical systems, log retention with tamper-evident properties, and alerting and triage workflows. The C-SOC operating record is examined for coverage (which assets are monitored), for fidelity (the alert-to-incident ratio), and for timeliness (the time from event to triage to escalation). The CSITE examination tests the operating effectiveness of the controls the cyber security policy claims to operate, and the institution evidences the operation rather than only the design.

RBI and adjacent frameworks: PCI DSS, ISO 27001, NIST CSF, SWIFT CSP

Most RBI-supervised institutions run more than one framework at the same time. The institution may operate the PCI DSS standard on the payment card environments, the ISO 27001 information security management system at the entity level, the SWIFT Customer Security Programme on the wholesale messaging infrastructure, the NIST Cybersecurity Framework as a control catalogue reference, and the OWASP Top 10 on the application security testing programme. The supervisory dialogue does not require running every adjacent framework; the institution evidences how the controls these frameworks operationalise feed back to the RBI baseline so the same evidence pack often satisfies more than one regime when the mapping is built into the workspace from the start rather than rebuilt at examination time.

For the wider operational context that an RBI-regulated institution may run alongside the framework, the banking and fintech security consultancies workspace covers how a service provider delivering RBI-aligned, PCI DSS, SWIFT CSP, and ISO 27001 work across multiple regulated clients keeps the evidence record consistent without writing the same finding three times.

Evidence the CSITE examiner (and your board) expect

CSITE examinations that go badly usually go badly because the artefacts are scattered across drives, secure email threads, and screenshots. Build the evidence pack as the work happens, retain raw evidence alongside the structured record, and tie every artefact back to the policy section, the baseline control area, and the owner who produced it. The CSITE examiner reads the way the underlying record reads.

Where SecPortal fits in an RBI-aligned programme

SecPortal is the operating layer for the RBI programme, not a replacement for the Reserve Bank of India, the VAPT provider, or the threat intelligence partner. The platform handles scope, role records, findings, replay notes, attestation artefacts, and the closure pack so the work runs as a structured workflow rather than a long encrypted email thread. Compliance tracking maps the RBI evidence pack to ISO 27001, PCI DSS, NIST CSF, and SWIFT CSP for institutions that have to satisfy more than one regime from the same body of work.

RBI cyber security operates as a continuous programme rather than a single attestation. The asset register, the third-party register, the VAPT cadence, the CCMP exercise record, and the audit trail carry value across cycles when each iteration inherits the prior evidence pack rather than rebuilding from scratch. For consultants delivering RBI-aligned work to multiple India-regulated clients, the banking and fintech security consultancies workspace bundles the platform with branded client portals and AI report generation so the deliverable looks as polished as the work behind it.

For programmes that want continuous detection and trend evidence between CSITE examination cycles, the continuous monitoring capability and attack surface management capability produce the cadence and coverage record that examiners read most easily during the scoping conversation.

Scope and limitations

The 2016 Cyber Security Framework in Banks circular, the Master Direction on IT Governance, Risk, Controls and Assurance Practices, and the Master Direction on Information Technology Governance and Information Risk Management for NBFCs are operated by the Reserve Bank of India through the Department of Supervision and the CSITE group. The supervised institution evidences how its programme meets the supervisory expectations during examination. SecPortal is the workspace that holds the engagement, the testing programme, the findings, the remediation record, and the audit trail. Examination responses, regulator filings, and incident notifications remain actions the institution takes through the channels the Reserve Bank of India and CERT-In prescribe; SecPortal holds the supporting record so the response is grounded in the evidence pack rather than reconstructed from email and shared drives at the deadline moment.

This page describes the structure of RBI cyber security supervisory expectations and how a workspace-driven programme plays against them; the authoritative reference for the obligations remains the 2016 Cyber Security Framework in Banks circular, the Master Direction on IT Governance, Risk, Controls and Assurance Practices, the Master Direction on Information Technology Governance and Information Risk Management for NBFCs, the applicable cyber security guidance for Urban Co-operative Banks, the CERT-In Information Security Practices, Procedure, Prevention, Response and Reporting of Cyber Incidents directions, and the related supervisory communications the Reserve Bank of India issues through its Department of Supervision and Department of Regulation.