The Reserve Bank of India (RBI) has issued a new comprehensive master direction on Information Technology (IT) governance, risk, controls, and assurance practices for banks and Non-Banking Financial Companies (NBFCs).
It establishes the role of directors of such Regulated Entities (REs) to discharge their duties with an intent to safeguard the interests of consumers.
The core focus areas of IT governance shall comprise strategic alignment, risk management, resource management, performance management, and business continuity or disaster recovery management.
Referred to as the Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023, it shall be effective from April 1, 2024.
The guidelines call upon all REs to remain vigilant about cyber events, which are defined as any observable occurrence in an information system. A cyber event may sometimes indicate that a cyber incident is occurring.
It also takes into account cyber security, which is related to the preservation of confidentiality, integrity, and availability of any information via the cyber medium.
Additionally, other properties, such as authenticity, accountability, non-repudiation, and reliability, can be involved as well.
It also refers to a cyber incident, which is a cyber event that adversely affects the cyber security of an information asset, whether or not it results from malicious activity.
It puts the spotlight on cyber-attacks, which relate to malicious attempts to exploit vulnerabilities via the cyber medium with the intent to damage, disrupt, or gain unauthorised access to assets.
It also talks about the De-Militarised Zone (DMZ), which is a perimeter network segment that is logically between internal and external networks.
The term information asset relates to any piece of data, device, or other component of the environment that is known to support information-related activities. These may include information systems, data, hardware, and software.
Furthermore, foreign banks that operate in the country have also been directed to follow the norms. They would be required to hold discussions with the central bank if they seek an exemption from any specific guideline.
The new directions also spell out that the risk management policy of the RE shall include IT-related risks, including cybersecurity-related risks, and that the Risk Management Committee of the Board (RMCB), in consultation with the Income Tax Settlement Commission (ITSC), shall review the policy periodically and update it on an annual basis.
Rajiv has been an independent editorial consultant for the last decade. Prior to this, he worked as a full-time journalist with various prominent print media houses. In his spare time, he loves to paint on canvas.