S Ravi BSE Discusses Cybersecurity: RBI's Groundbreaking Master Direction on IT Governance for 2024 and Beyond
The new comprehensive master direction on information technology governance, risk, controls and assurance practices, effective from 1st April 2024, is to be implemented by Regulated Entities (REs) comprising scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, NBFCs in the top, upper and middle layers, all-India financial institutions and credit information companies. It replaces the prevalent multiple circulars with a single consolidated text and thereby simplifies the administration of IT and cyber governance and compliance.
In the case of foreign banks, the directions state that they shall be subject to a ‘comply or explain’ approach in terms of the applicability of these Directions, and they do not need to constitute any of the Committees (Board or Executive level) referred to in this Master Direction at the branch level. They have been given the flexibility to leverage controlling office/ head office/ regional/ zonal Committees for compliance with this Master Direction, as long as the governance obligations/responsibilities outlined for the prescribed committees are met.
The master direction clearly outlines the role (including authority) of the board of directors, the board-level committee and the senior management of these REs in discharging their responsibilities to protect the interests of customers. It also consolidates and updates the guidelines, instructions and circulars on IT Governance, Risk, Controls, Assurance Practices and Business Continuity/ Disaster Recovery Management issued earlier.
The master direction makes it mandatory for the REs to put in place a robust IT Service Management Framework for supporting their information systems and infrastructure, to ensure the operational resilience of their entire IT environment (including Disaster Recovery sites). Further, it stresses the need for a documented data migration policy specifying a systematic process for data migration that ensures data integrity, completeness and consistency. In the wake of cyber and IT fraud, the RBI in its master direction has stressed the need for IT applications to have the necessary audit and system logging capability and the ability to provide audit trails. Further, in order to strengthen the IT infrastructure, the RBI through its direction highlights the need to adopt internationally accepted and published standards that are not deprecated or demonstrated to be insecure/ vulnerable, and requires that the configurations involved in implementing controls comply with extant laws and regulatory instructions.
While the approval of strategies and policies related to the IT function lies in the hands of the Board, these directions place the responsibility on the CEO to institute effective oversight of the planning and execution of the IT Strategy, to ensure that the cyber security posture of the RE is robust, and, overall, to ensure that IT contributes to productivity, effectiveness and efficiency in business operations. The directions designate a Chief Information Security Officer (CISO) who will be responsible for driving IT/ cyber security, compliance with related regulatory guidelines, and administering the policies of the RE.
From a compliance perspective, REs have to ensure that an appropriate vendor risk assessment process and controls, proportionate to the assessed risk and materiality, have been put in place. Further, it shall be the responsibility of the REs to maintain an enterprise data dictionary to enable data sharing among applications and information systems.
The RBI, through this master direction and recognizing the increased relevance of IT infrastructure in the financial services space, has detailed the mandatory implementation and review of IT systems and applications, in order to keep a check on processes, data security and integrity, disaster recovery management and business continuity, and so protect the interests of various stakeholders, including customers. The directions mandate the adoption of several procedures and processes, such as IT Strategic Planning, Service Level Management (SLM), and a product approval and quality assurance process (for new IT-based business products), in order to ensure that the banking sector delivers secure products and services to its clients. In this era of digitisation and increasing threats, the master direction provides the required structure and procedures to secure banking systems.