RBI Releases New Guidelines for Banks and NBFCs on IT Governance and Cybersecurity

The Reserve Bank of India (RBI) has released a comprehensive set of guidelines on Information Technology Governance, Risk, Controls and Assurance Practices through circular RBI/DoS/2023-24/107 DoS.CO.CSITEG/SEC.7/31.01.015/2023-24 dated 7 November 2023.

The main areas of focus for IT governance are strategic alignment, risk management, resource management, performance management, business continuity and disaster recovery management.

Some of the key provisions under the said guidelines, which apply to RBI-regulated entities (REs), are as follows:

  1. REs are required to establish a comprehensive IT Service Management Framework to support their information systems and infrastructure. This framework aims to ensure the operational resilience of their entire IT environment, including disaster recovery sites.
  2. REs are required to establish a process for identifying information assets and assigning them a security classification based on their importance to the operations of the RE. This classification should consider the aspects of Confidentiality, Integrity, and Availability.
  3. REs are required to ensure that information systems and infrastructure have the capability to support business functions and maintain the availability of all service delivery channels.
  4. REs must adhere to a standardised and officially defined project management methodology for any IT projects they undertake. The project management approach will facilitate stakeholder participation to effectively monitor and manage project risks and progress, among other things.
  5. REs must have a legally compliant data migration policy that clearly outlines a structured procedure for migrating data, with the objective of maintaining data integrity, completeness, and consistency. The policy shall include provisions for sign-offs from business users and application owners at each stage of migration, maintenance of audit trails, and other relevant matters.

These directions shall not be applicable to local area banks and NBFC-core investment companies. These directions will take effect starting April 1, 2024.