The Reserve Bank of India's cyber security regulatory framework is one of the most comprehensive in the world — covering all Scheduled Commercial Banks, Urban Co-operative Banks (UCBs), Non-Banking Financial Companies (NBFCs), Payment System Operators (PSOs), and Payment Aggregators/Gateways through a series of circulars, master directions, and guidelines. Key frameworks include the Cyber Security Framework for Banks (2016), Guidelines on Information Security for UCBs (2019), PA/PG Master Directions (2020), and the landmark Master Direction on IT Governance, Risk, Controls and Assurance for REs (2023) — which consolidates IT governance requirements across all RBI-regulated entities.

The 2023 IT Master Direction introduces a risk-based approach to IT governance — requiring a formal IT governance framework, IT risk management, IT audit, business continuity, cyber security, and outsourcing controls proportionate to the scale and complexity of each regulated entity. Critical requirements include a Board-approved Cyber Security Policy, a designated CISO, a Security Operations Centre (SOC), and cyber incident reporting to RBI CERT-In within defined timelines.

🔴 2023 IT Directions: The RBI Master Direction on IT (2023) is effective for all RBI-regulated entities — implementation timelines vary by entity size. Non-compliance risks supervisory action, monetary penalties under the Banking Regulation Act, and public enforcement orders. Review your compliance status against the 2023 Directions immediately.