RBI issues new guidance on IT governance & cyber security for banks & NBFCs
The Reserve Bank of India (RBI) has recently released a new and comprehensive set of guidelines called "Master Direction" for banks and NBFCs. These guidelines focus on Information Technology Governance, Risk, Controls, and Assurance Practices. The RBI has highlighted the importance of Directors of regulated entities to fulfill their duties to ensure the protection of customer's interests. These guidelines have consolidated and updated all the previous instructions, circulars, and guidelines related to IT Governance issued earlier. The new guidelines will be implemented from April 1, 2024.
The guidelines have directed all regulated entities to keep a close watch on 'Cyber events' defined as any observable occurrence in an information system. Cyber events sometimes provide an indication that a cyber incident is occurring. Cyber security Preservation of confidentiality, integrity and availability of information through the cyber medium. In addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.
A 'cyber incident' refers to any event that adversely affects the cybersecurity of an information asset, whether resulting from malicious activity or not. On the other hand, a 'cyber-attack' refers to malicious attempts to exploit vulnerabilities in the cyber medium to damage, disrupt, or gain unauthorized access to assets. Lastly, a 'de-militarized zone' or 'DMZ' is a perimeter network segment that is a logical barrier between internal and external networks.
An 'Information Asset' is any component of the environment that supports activities related to information. This includes information systems, data, hardware, and software. The Reserve Bank of India has instructed foreign banks operating in the country to adhere to these guidelines and to discuss with the RBI if they need an exemption from any specific requirement.
