Background:

The Reserve Bank of India ("RBI") issued the Master Directions on Information Technology Governance, Risk, Controls and Assurance Practices ("ITGRCA Directions" or the "Directions") on November 7, 2023, pursuant to the powers granted under Section 35A of the Banking Regulation Act, 1949 read with Section 45L of the Reserve Bank of India Act, 1934 and Section 11 of the Credit Information Companies (Regulation) Act, 2005. The Directions follow the Statement on Developmental and Regulatory Policies of February 2022 and the invitation for comments from all stakeholders on the Draft Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices in October 2022.

Purpose:

The ITGRCA Directions aim to update, integrate and consolidate the existing instructions relating to information technology governance and controls, business continuity management and information systems audit.

Applicability:

The Directions are applicable to regulated entities including a) all banking companies; b) NBFCs; c) Credit Information Companies; d) EXIM Bank; e) NABARD; f) National Housing Bank; and g) SIDBI.

Further, for foreign banks operating in India through branch mode, references to the board of directors in these Directions should be read as references to the controlling office/head office that has oversight over the branch operations in India. Such foreign banks shall be subject to a 'comply or explain' approach.

The Directions will not apply to (a) Local Area Banks; (b) NBFC-Core Investment Companies; and (c) Base Layer NBFCs.

The key highlights of the Directions are stated below:

  1. IT Governance Framework:
    The Regulated Entities have to establish a robust IT Governance Framework focusing on strategic alignment, risk management, resource management, performance management and Business Continuity/Disaster Recovery Management. The IT governance framework shall also set out the roles and responsibilities of the Board and Senior Management and shall provide for an adequate oversight mechanism to ensure accountability and mitigation of IT and cyber security risk.
  2. Board Level IT Strategy Committee:
    Regulated Entities are required to establish a Board-level IT Strategy Committee (ITSC), which shall satisfy the following:
      1. A minimum of three directors as its members
      2. The Chairperson of the ITSC shall be an independent director
      3. Members shall be technically competent
      4. The ITSC shall meet at least on a quarterly basis
  3. Role of the Board of Directors:
    Strategies and policies relating to IT, information assets, the Business Continuity Plan, Incident Response and Recovery Management, Cyber Crisis Management etc. are to be approved and reviewed by the Board of Directors annually.
  4. Third Party Arrangements (like outsourcing agreements) & Service Management:
    For third party arrangements not covered under the RBI (Outsourcing of Information Technology Service) Direction, 2023, the ITGRCA Directions lay down obligations on the Regulated Entities to ensure an appropriate vendor risk assessment procedure and controls proportionate to the assessed risk, including a) mitigating concentration risk; b) eliminating or addressing any conflict of interest; c) mitigating risks associated with single points of failure; d) complying with applicable legal and regulatory requirements and standards to protect customer data; e) providing high availability (for uninterrupted customer service); and f) managing supply chain risks effectively.
  5. Senior Management and IT Steering Committee:
    The Senior Management of the Regulated Entities shall:
      1. execute the Board-approved IT Strategy;
      2. set up IT risk management processes and create a culture of IT risk awareness and cyber hygiene practices;
      3. establish an IT Steering Committee with representation at Senior Management level from IT and business functions;
      4. convene a meeting of the IT Steering Committee at least on a quarterly basis; and
      5. provide periodic updates to the ITSC and the CEO on the committee's activities.
  6. Head of IT Function:
    A sufficiently senior, technically competent and experienced IT official shall be appointed as the head of the IT Function.
  7. IT Services Management:
    The Regulated Entities shall put in place a robust IT Service Management Framework for supporting their information systems and infrastructure, to ensure the operational resilience of their entire IT environment.
  8. Risk Management Committee:
    The Risk Management Committee shall (a) periodically review IT-related risks; (b) review and update the risk management policy, including IT-related risks; and (c) ensure that an adequate IT risk management process is in place.
  9. Role of Chief Information Security Officer ('CISO'):
    The CISO shall:
      1. ensure effective functioning of the security solutions deployed;
      2. be a permanent invitee to the ITSC and the IT Steering Committee;
      3. establish the cyber security strategy and ensure compliance with regulatory instructions;
      4. report directly to the Executive Director or equivalent executive overseeing the risk management function; and
      5. manage the Security Operations Centre (SOC).
  10. Miscellaneous:
    The Directions further elaborate on the following aspects: a) Information Security Policy and Cyber Security Policy; b) Risk Assessment; c) conduct of Vulnerability Assessment (VA); d) controls on teleworking; e) Cyber Incident Response and Recovery Management; f) Business Continuity Plan (BCP); g) Disaster Recovery (DR) Policy; and h) IS Audit.

Author's View:

The Directions are structured so as to keep the financial sector on a par with the information technology sector. They will ensure that the Regulated Entities, including NBFCs, maintain a governance and control framework on a par with banks. This is a challenging move for NBFCs, as earlier there was no robust and stringent assessment and implementation control framework applicable to them. Overall, the Directions will strengthen the Regulated Entities' IT defences and, in that way, contribute to the momentum toward improved consumer safety, transparency and governance in the financial system.

Please find a copy of the RBI's Master Directions here.
