RBI issues new directions for IT governance in banks, NBFCs


New RBI rules will cover strategic alignment, risk, resource, and performance management, and business continuity or disaster recovery management

The Reserve Bank of India (RBI) has released new master directions on ‘information technology governance’, risk, controls and assurance practices for regulated entities (REs) such as banks and NBFCs. Their key areas will include “strategic alignment, risk, resource and performance management, and business continuity or disaster recovery management”, the central bank said in its 26-page master directions.

These directions will not be applicable to local area banks and NBFC-core investment companies. These directions will come into effect from April 1, 2024.

Under this, REs will put in place a robust 'IT Governance Framework' for supporting IT systems and infrastructure, which will improve their operational resilience. Also, a service-level management (SLM) process will be put in place to manage the IT operations while ensuring effective segregation of duties, says the central bank.


They must also do "identification and mapping" of the security classification in terms of confidentiality, integrity, and availability of information assets, depending upon their criticality.

To ensure operations run smoothly, banks will avoid using "outdated and unsupported hardware or software", says the RBI, adding that they must monitor software’s end-of-support (EOS) date and annual maintenance contract (AMC) dates of IT hardware.

To improve this, they will develop a "technology refresh plan" to replace outdated hardware and software before they reach EOS.

For third-party arrangements in IT and cyber security that fall outside the scope of the RBI Directions, 2023, banks and other entities must put in place an “appropriate vendor risk assessment process and controls”.

It’ll help them understand risk and any conflict of interest. For the migration of any data, they’ll have a "documented data migration policy", specifying a systematic process. The policy will contain provisions for signoffs from business users and application owners at each stage of migration, maintenance of audit trails, etc.

The RBI has asked banks and other REs to conduct a “periodic review of IT-related risks”. These risks include cyber-security ones, and the risk management committee of the board will update them yearly.

For a robust “security risk management system”, the RBI says REs must reduce risks by putting in place internal controls and processes.

On business continuity plan (BCP) and disaster recovery (DR) policy, the central bank says such capabilities must be designed to support “resilience objectives” and rapidly recover and resume critical operations after any cyber-attack or other related incidents.

"Periodicity of DR drills for critical information systems shall be at least on a half-yearly basis and for other information systems, as per RE’s risk assessment. (b) Any major issues observed during the DR drill shall be resolved and tested again to ensure successful conduct of drill before the next cycle."

In the case of the information system audit, the RBI says the audit committee of the board (ACB) will exercise oversight of the IT systems audit. “REs shall put in place an IS Audit Policy. The IS Audit Policy shall contain a clear description of its mandate, purpose, authority, audit universe, periodicity of audit etc. The policy shall be approved by the ACB and reviewed at least annually.”
