The Reserve Bank of India (RBI) on November 7, 2023 notified the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, which prescribes IT and cybersecurity requirements for banks and other regulated entities. The Direction introduces new measures and also updates and consolidates measures prescribed in earlier circulars, which now stand repealed. It comes into effect from April 1, 2024.

Who do these directions apply to?

All Scheduled Commercial Banks (except Regional Rural Banks)
Small Finance Banks
Payments Banks
Non-Banking Financial Companies (except NBFC-Core Investment Companies)
Credit Information Companies
Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI)

These entities are collectively referred to as regulated entities (REs) from here on.

Important Definitions

Cyber security: "Preservation of confidentiality, integrity and availability of information and/or information systems through the cyber medium. In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved."

Cyber incident: "A cyber event that adversely affects the cyber security of an information asset whether resulting from malicious activity or not."

Cyber attack: "Malicious attempt(s) to exploit vulnerabilities through the cyber medium to damage, disrupt or gain unauthorized access to assets."

Note that a cyber incident need not be malicious: an outage or data loss caused by misconfiguration or hardware failure is still an incident under this definition, while a cyber attack is the malicious subset.

What are the governance measures regulated entities must adopt?

Implement an IT Governance Framework: REs must put in place an IT Governance Framework that covers strategic alignment, risk management, resource management, performance management and Business Continuity/Disaster Recovery Management. It should also specify the roles and responsibilities of the Board of Directors and include oversight mechanisms for IT security risks. …
