RBI Cybersecurity Guidelines 2026 — What Banks and NBFCs Must Do

RBI’s Cybersecurity Mandate — What Changed in 2024 and Why It Matters in 2026

The Reserve Bank of India’s April 2024 Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices is the most significant consolidation of RBI’s IT and cybersecurity expectations in over a decade. It replaced seven earlier circulars — including the 2016 Cybersecurity Framework for Banks and the 2017 IT Framework for NBFCs — with a single, comprehensive, Board-accountable regime.

For CIOs, CISOs, and compliance heads at Indian banks and NBFCs, this is not a compliance update to delegate to the IT team. The 2024 Master Direction places explicit governance obligations at the Board level — making Board members personally accountable for IT risk oversight. Boards that cannot demonstrate active engagement with IT strategy and cybersecurity risk face regulatory scrutiny regardless of whether a breach has occurred.

Covered Entities — Who Must Comply

The Master Direction applies to all RBI-regulated entities including: all Scheduled Commercial Banks (public, private, foreign), Small Finance Banks and Payments Banks, Non-Banking Financial Companies (NBFCs) including Housing Finance Companies (HFCs), Credit Information Companies, EXIM Bank, NABARD, National Housing Bank, and SIDBI.

For NBFCs specifically, compliance intensity is tiered by asset size. NBFCs with assets above Rs 500 crore face the highest compliance burden — including full Board-level IT governance, mandatory CISO, annual VAPT, and CCMP. Smaller NBFCs have proportionate requirements but are not exempt from core obligations including incident reporting, data localisation (for payment data), and information security policy.

Board-Level IT Governance — The 2024 Upgrade

The most significant structural change in the 2024 Master Direction is mandatory Board-level accountability for IT governance. Previously, IT strategy could be managed at the senior management level. Now:

| Requirement | Pre-2024 | Post-2024 Master Direction |
|---|---|---|
| IT Strategy Committee | Recommended for large banks | Mandatory at Board level for all covered entities |
| IT Risk Framework | Senior management approval | Board approval required |
| CISO reporting line | To CTO or COO | Directly to MD/CEO or Board; operationally independent of IT department |
| Cyber Crisis Management Plan | Mandatory for large banks only | Mandatory for all covered entities |
| Third-party audit | Annual IS audit recommended | Annual audit of all critical vendors; exit clauses mandatory in vendor contracts |

6-Hour Cyber Incident Reporting — The Clock Starts at Detection

One of the most operationally demanding requirements in the 2024 Master Direction is the 6-hour reporting timeline for significant cybersecurity incidents. This is dramatically tighter than the DPDP Act’s 72-hour breach notification requirement and requires pre-built response workflows.

Incidents that trigger the 6-hour reporting obligation include:

  1. Ransomware attacks on any banking system
  2. Data breaches affecting customer personal or financial data
  3. Disruption of critical banking services (internet banking, mobile app, ATM, payment systems)
  4. Compromise of ATM or payment infrastructure
  5. DDoS attacks causing service degradation
  6. Fraudulent transactions above threshold values

Reports must be filed via the DAKSH portal (RBI’s secure incident reporting platform) to RBI CSITE (Cyber Security and Information Technology Examination group).

Cyber Crisis Management Plan — Mandatory for All

The CCMP is the operational playbook for a cybersecurity crisis. It must be Board-approved, tested annually through simulation exercises, and available for RBI inspection. A compliant CCMP must cover:

  1. Detection and Classification: How incidents are identified and classified by severity (Critical / High / Medium / Low)
  2. Escalation Matrix: Who is notified at each severity level — from IT ops to CISO to MD/CEO to Board to RBI
  3. Containment Procedures: System isolation protocols, network segmentation, account freezing
  4. Recovery Procedures: RTO/RPO targets, backup restoration, DR site activation
  5. Communication Protocols: Internal communications, customer notifications, media response, RBI reporting
  6. Post-Incident Review: Root cause analysis, lessons learned, control improvement actions

VAPT Requirements — Frequency and Scope

Vulnerability Assessment and Penetration Testing is mandatory for all covered entities. RBI specifies minimum frequencies and scope:

| Entity Type | VAPT Frequency | Scope |
|---|---|---|
| Large banks / SIFIs | Twice a year (minimum) | Internal infrastructure + internet-facing systems separately |
| Mid-size banks / large NBFCs | Annually | Full network, applications, critical infrastructure |
| Smaller NBFCs | Annually | Internet-facing systems minimum |
| Critical applications | Before major releases; after significant changes | Application Security Testing (AST) |

VAPT must be conducted by CERT-In empanelled information security auditors. Critical and high-severity findings must be remediated within 30 days; medium-severity within 60 days. Remediation evidence must be documented and available for IS audit.

Third-Party Risk Management — Tightened Significantly

The 2024 Master Direction significantly tightens vendor and outsourcing risk management. Key requirements:

  1. All IT outsourcing arrangements must include contractual clauses covering data security, audit rights, incident notification, and exit management
  2. Regulated entities must monitor concentration risk — over-reliance on a single vendor (including cloud providers) for critical services
  3. Annual security audits of all critical vendors
  4. Cloud service providers must meet RBI data localisation requirements — payment data cannot be stored outside India regardless of vendor structure

Data Localisation — Payment Data Must Stay in India

RBI’s payment data localisation requirement (2018, reaffirmed in 2024) mandates that all full end-to-end transaction data related to payments made in India must be stored exclusively within India. This applies to banks, NBFCs, payment aggregators, and payment gateways.

For processing purposes, data can be sent abroad temporarily but must be deleted from foreign systems upon completion. Mirroring (maintaining a copy abroad) is not permitted. Cloud providers must be contractually restricted and technically prevented from replicating payment data to foreign regions. Audit evidence of localisation compliance is required for IS audit.
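The "technically prevented" and "audit evidence" parts of this requirement are easiest to see in a concrete check. The following is an added example, not code from the original page or from MYIT Manager: it audits a constructed inventory of data stores for payment-data residency, applying the three rules above (primary copy in India, no foreign mirrors, foreign processing copies deleted after use). The store/copy schema and the use of AWS-style region codes ap-south-1 and ap-south-2 as the India-hosted regions are assumptions; a real run would populate the inventory from the provider's configuration and storage-replication settings.

```python
"""Payment-data residency audit over a constructed data-store inventory.
Added illustration; the schema and region codes are assumptions, not an RBI
or cloud-provider format."""
from dataclasses import dataclass

# Assumption: India-hosted regions are identified by these AWS-style codes
# (Mumbai, Hyderabad). Extend the set for other providers' naming schemes.
INDIA_REGIONS = {"ap-south-1", "ap-south-2"}


@dataclass
class Copy:
    region: str
    kind: str                      # "primary", "mirror" or "processing"
    deleted_after_use: bool = True  # only meaningful for "processing" copies


@dataclass
class DataStore:
    name: str
    payment_data: bool             # holds end-to-end payment transaction data?
    copies: list                   # list[Copy]


def in_india(region):
    return region in INDIA_REGIONS


def audit_store(store):
    """Return residency findings for one store (empty list means compliant).
    Non-payment data is out of scope for this rule and is never flagged."""
    findings = []
    if not store.payment_data:
        return findings
    for c in store.copies:
        if in_india(c.region):
            continue
        if c.kind == "primary":
            findings.append(f"{store.name}: primary copy held outside India ({c.region})")
        elif c.kind == "mirror":
            findings.append(f"{store.name}: mirrored to foreign region {c.region} (mirroring not permitted)")
        elif c.kind == "processing" and not c.deleted_after_use:
            findings.append(f"{store.name}: processing copy in {c.region} retained after completion")
        elif c.kind != "processing":
            findings.append(f"{store.name}: unknown copy kind '{c.kind}' in {c.region}; review manually")
    return findings


def audit_inventory(stores):
    """Map each store name to its findings; this is the audit evidence artefact."""
    return {s.name: audit_store(s) for s in stores}


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    DataStore("upi-txn-ledger", True,
              [Copy("ap-south-1", "primary"), Copy("ap-south-2", "mirror")]),
    DataStore("card-auth-log", True,
              [Copy("ap-south-1", "primary"), Copy("eu-west-1", "mirror")]),
    DataStore("fraud-scoring-batch", True,
              [Copy("ap-south-1", "primary"),
               Copy("us-east-1", "processing", deleted_after_use=False)]),
    DataStore("marketing-cms", False, [Copy("us-east-1", "primary")]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else 'NON-COMPLIANT'}")
        for f in findings:
            print("  -", f)
```

The in-India mirror of the UPI ledger passes, the EU mirror of the card log and the retained US processing copy fail, and the marketing store is ignored because it holds no payment data. Running this against the live inventory on a schedule, and keeping the output, gives the IS auditor the localisation evidence the text calls for.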

RBI Cybersecurity vs DPDP Act — Key Differences

| Dimension | RBI Master Direction 2024 | DPDP Act 2023 |
|---|---|---|
| Incident reporting timeline | 6 hours (significant incidents) | 72 hours (personal data breaches) |
| Governance mandate | Board-level IT Strategy Committee mandatory | No explicit board governance requirement |
| Data localisation | Payment data must stay in India | Cross-border transfers to whitelisted countries permitted |
| Audit requirement | Annual IS audit, VAPT, annual vendor audit | Annual DPIA for SDFs only |
| Regulator | Reserve Bank of India | Data Protection Board of India |
| Penalties | Rs 50 lakh to Rs 30 crore (recent range) | Up to Rs 250 crore per instance |

Banks and NBFCs must comply with both regimes independently. The RBI’s 6-hour timeline effectively means any personal data breach at a regulated entity must be simultaneously handled under both the RBI incident response protocol and the DPDP Act breach notification process.
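The parallel clocks described here, the 6-hour reporting triggers from the incident-reporting section, and the 30/60-day VAPT remediation windows from the VAPT section all come down to deadline tracking that a response workflow has to get right under pressure. The following added example (not from the original page or from MYIT Manager) computes both regulatory reporting deadlines for one incident, flags which are overdue at a given time, and derives VAPT remediation due dates. The category names, the sample incident, and the assumption that the DPDP 72-hour clock is also measured from detection are constructed for the illustration.

```python
"""Regulatory clock for incident reporting and VAPT remediation.
Added illustration, not RBI tooling: category names, the sample incident and
the assumption that the DPDP clock starts at detection are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Incident categories the Master Direction treats as significant (6-hour report).
RBI_TRIGGERS = {
    "ransomware", "data_breach", "critical_service_disruption",
    "atm_or_payment_infra_compromise", "ddos_service_degradation",
    "fraud_above_threshold",
}
RBI_WINDOW = timedelta(hours=6)
DPDP_WINDOW = timedelta(hours=72)   # assumption: measured from detection
# VAPT remediation windows: critical/high 30 days, medium 60 days.
VAPT_REMEDIATION_DAYS = {"critical": 30, "high": 30, "medium": 60}


@dataclass
class Incident:
    ident: str
    category: str
    detected_at: datetime           # timezone-aware, normally IST
    personal_data_affected: bool = False


def reporting_deadlines(inc):
    """Deadlines the incident triggers, as (regime, due) pairs sorted by due time.
    Both regimes run in parallel: a breach of customer personal data is
    reportable to RBI within 6 hours and under the DPDP Act within 72 hours."""
    due = []
    if inc.category in RBI_TRIGGERS:
        due.append(("RBI CSITE via DAKSH", inc.detected_at + RBI_WINDOW))
    if inc.personal_data_affected:
        due.append(("DPDP Act breach notification", inc.detected_at + DPDP_WINDOW))
    return sorted(due, key=lambda pair: pair[1])


def overdue_regimes(inc, now):
    """Regimes whose deadline has already passed at `now`."""
    return [regime for regime, due in reporting_deadlines(inc) if now > due]


def vapt_due_date(severity, reported_on):
    """Remediation due date for a VAPT finding; None when no fixed window applies."""
    days = VAPT_REMEDIATION_DAYS.get(severity.lower())
    return None if days is None else reported_on + timedelta(days=days)


# Constructed sample: a customer-data breach detected on a weekday morning IST.
SAMPLE_INCIDENT = Incident(
    ident="INC-2026-0001",
    category="data_breach",
    detected_at=datetime(2026, 3, 10, 9, 15, tzinfo=IST),
    personal_data_affected=True,
)

if __name__ == "__main__":
    for regime, due in reporting_deadlines(SAMPLE_INCIDENT):
        print(f"{SAMPLE_INCIDENT.ident}: report to {regime} by {due.isoformat()}")
    critical_due = vapt_due_date("critical", SAMPLE_INCIDENT.detected_at)
    print("critical VAPT finding reported the same day is due:", critical_due.date())
```

Keeping the detection timestamp timezone-aware matters: the 6-hour window is short enough that a UTC/IST mix-up in a ticketing system can silently consume the whole budget. The sorted deadline list is what the escalation matrix should act on first.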

RBI Cybersecurity Compliance for Banks and NBFCs

MYIT Manager delivers end-to-end RBI IT governance compliance — Board-level documentation, CCMP, VAPT coordination, IS audit support, and CISO-as-a-Service for regulated financial entities. Led by a CISM-certified practitioner with banking sector experience.

Book a Free RBI Compliance Assessment