The integration of data and technology in the banking sector has sparked debates on IT governance of the financial sector. Technology offers convenience, but it also attracts cybercrime. As a result, cybersecurity has become critical: the market value of cybersecurity in banking reached $38.52 billion in 2021 and is projected to grow at a compound rate of 22.4 per cent through 2029.
Under the extant regime, there were twelve separate guidelines and notifications governing the space, which were deemed obsolete in the changing landscape. The inadequacy of the existing framework is illustrated by the fact that Indian banks reported 248 data breaches in 2022, a staggering 20 per cent of the world total. This jolted the RBI into rethinking the IT governance and cybersecurity framework for the financial sector. It released a draft of the new IT guidelines in October 2022, and on November 7, 2023, the RBI notified the master direction on ‘Information Technology Governance, Risk, Controls and Assurance Practices’, which will take effect from April 1, 2024.
The master direction will apply to all RBI-regulated entities except local area banks and NBFC core investment companies. It prescribes procedures and a framework for strategic alignment, risk management, resource management, performance management and business continuity/disaster recovery management. It also provides for periodic reviews of risks, of the IT and information security risk management framework, and of the information security policy and cyber security policy.
The framework provides for the constitution of three major committees by the regulated entities: an IT strategy committee of the board, an IT steering committee and an information security committee. The regulated entities are also required to designate a senior-level executive with no direct reporting relationship to the head of the IT function as ‘chief information security officer’. Further, as a business continuity measure, the regulated entities have been recommended to conduct disaster recovery drills at least on a half-yearly basis for critical information and to back up data in a secured manner.
Earlier, the boards of regulated entities focused more on business, financial and credit risks. Now the RBI has conferred additional obligations on the board of directors and the audit committee of regulated entities, requiring them to ensure that all necessary measures related to IT, information assets, business continuity, information security and cyber security are periodically reviewed. The audit committee will be responsible for the information system audit of regulated entities.
Cyber incidents reporting
In case of any cyber incident, the regulated entity is required to communicate the details to the RBI, in addition to the board, senior management, customers and CERT-In. Though the guidelines do not expressly provide penal provisions, any contravention of or non-compliance with the master direction by the regulated entities will attract penalties as prescribed in Section 46 of the Banking Regulation Act, 1949.
The master direction has captured the essence of the Digital Personal Data Protection Act, 2023 and is in line with the overall objective of the authorities to eliminate the threat of any data breaches and cybersecurity incidents altogether. Thus, whether in-house or outsourced, regulated entities need to ramp up cybersecurity investments and IT resources significantly.
The investments and efforts required of financial institutions to follow the directive might seem large right now, but in the long term the dividends are manifold, as it will pave the way for instilling customer confidence, financial stability, data privacy, deep-rooted cyber resilience, stronger brand reputation and the institutionalisation of good practices.
(Dhir is Senior Partner & Head of Corporate, DMD Advocates; Shreyashi is an Advocate)