
RBI Cybersecurity Framework Checklist

Indian Banking Cybersecurity & IT Governance

Overview

The Reserve Bank of India (RBI) has issued multiple cybersecurity circulars and frameworks that apply to banks, NBFCs, payment system operators, and other regulated entities. The primary framework is the RBI Cybersecurity Framework for Banks (2016), supplemented by subsequent circulars on IT governance, third-party risk, digital lending, and payment security. Compliance is mandatory, and RBI conducts regular inspections through its IT examination process. This checklist consolidates the key requirements across major RBI cybersecurity directives.

Key RBI Cybersecurity Requirements

Requirement                                  | Circular/Framework             | Applicability
---------------------------------------------|--------------------------------|------------------------------------
Cybersecurity Policy                         | Cybersecurity Framework 2016   | All scheduled commercial banks
Cyber Security Operations Centre (C-SOC)     | Cybersecurity Framework 2016   | All banks with digital operations
Incident Reporting to CERT-In and RBI        | Multiple circulars             | All regulated entities
Board-approved IT Strategy                   | IT Governance Framework        | All banks and NBFCs
CISO Appointment                             | Cybersecurity Framework 2016   | All banks
Red Team Exercises                           | 2024 IT Examination Framework  | Large and mid-size banks
Third-party IT Risk Assessment               | Outsourcing Guidelines         | All banks and NBFCs
Data Localization                            | Payment Data Storage 2018      | All payment system operators

Implementation Checklist

  • Establish a Board-approved cybersecurity policy reviewed at least annually
  • Appoint a Chief Information Security Officer (CISO) who reports directly to the Head of Risk Management or MD/CEO
  • Set up a Cyber Security Operations Centre with 24/7 monitoring capability
  • Implement a cyber crisis management plan with defined roles, escalation paths, and communication protocols
  • Deploy Security Information and Event Management (SIEM) for centralized log analysis
  • Conduct vulnerability assessment and penetration testing (VAPT) at least once a year by CERT-In empaneled auditors
  • Submit cyber incident reports to RBI and CERT-In within 6 hours of detection
  • Have a comprehensive IT audit performed annually by RBI-approved IS auditors
  • Meet data localization requirements by storing and processing payment data only in India
  • Maintain a detailed asset inventory including hardware, software, network devices, and data repositories

IT Governance and Risk Management

RBI expects regulated entities to treat IT risk as a critical component of operational risk. The Board must approve the IT strategy and review cybersecurity posture at quarterly intervals. The IT Sub-Committee of the Board should include members with technology expertise. Banks must maintain a separate IT risk register, conduct business impact analysis, and ensure that technology investments align with the overall risk appetite. The RBI IT examination process evaluates governance maturity, access controls, business continuity, vendor risk management, and the effectiveness of security monitoring.

Outsourcing and Third-Party Risk

RBI outsourcing guidelines require banks and NBFCs to maintain comprehensive oversight of all IT service providers. All outsourcing arrangements must be Board-approved and documented with clear service level agreements. Regulated entities must conduct due diligence before engaging third parties and periodically assess their security posture. Cloud service providers must store data within India unless explicitly permitted otherwise. The regulated entity retains full responsibility for all outsourced activities, and RBI retains the right to inspect or audit any service provider.

Common Examination Findings

  • Delayed cyber incident reporting beyond the 6-hour window
  • Inadequate network segmentation between production and development environments
  • Weak privileged access management with shared administrative credentials
  • Insufficient Board-level reporting on cybersecurity metrics
  • Lack of red teaming or advanced penetration testing
  • Incomplete data localization compliance for payment data
  • Outdated or missing business continuity and disaster recovery testing

Frequently Asked Questions

Which RBI circular is the primary cybersecurity framework?
The primary framework is the "Cyber Security Framework in Banks" circular dated June 2, 2016 (RBI/2015-16/418). It has been supplemented by subsequent circulars on specific topics including payment data storage, digital lending, and IT examination guidelines.
What is the incident reporting timeline?
Cyber security incidents must be reported to RBI and CERT-In within 6 hours of detection. This includes incidents involving data breaches, service disruptions, ransomware, website defacement, and unauthorized access to critical systems.
Does this apply to NBFCs and payment companies?
Yes. While the original 2016 framework targeted scheduled commercial banks, subsequent RBI circulars have extended cybersecurity requirements to NBFCs, payment system operators, cooperative banks, and other regulated entities with varying levels of prescriptiveness.
What are the data localization requirements?
Payment system operators must store all payment data (including full end-to-end transaction details and any information collected or processed as part of a payment message) in systems located only in India. Foreign payment processors may process data abroad, but they must delete it from systems outside India within 24 hours and store the data exclusively in India.
Who can conduct the required IT audits?
IT audits must be conducted by auditors empaneled by CERT-In for vulnerability assessment and penetration testing. For IS audits, banks must use auditors from the panel approved by IDRBT (Institute for Development and Research in Banking Technology) or as prescribed by RBI.
