In a significant move towards bolstering the security and operational resilience of Banks, financial institutions, Non-Banking Financial Companies (“NBFCs”) and credit information companies, the Reserve Bank of India (“RBI”) recently issued its Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices. A draft Master Direction on the subject was published in October 2022 seeking public comments. Based on the feedback received, the final Master Direction was issued on November 7, 2023. These guidelines will take effect from April 1, 2024, and emphasize crucial aspects such as strategic alignment, risk management, resource management, performance evaluation, business continuity and disaster recovery management.
An important element of the directions is the emphasis on building a robust IT Governance Framework. The responsibilities of the Board of Directors, IT Strategy Committee, Senior Management, and Head of IT Function are introduced to achieve strategic alignment and effective governance. Third-party agreements, project management, change and patch management, access controls, and other critical issues have also been addressed. System performance metrics and business recovery metrics take central stage, emphasizing the necessity of proactive performance review.
The directions posit for a risk-based approach and emphasizes on regular examination of IT-related risks. It calls for the creation of an effective IT and Information Security Risk Management Framework. With the establishment of an Information Security Committee and the appointment of a CISO, policies for information security and cyber security are also mandated.
The guidelines introduce Business Continuity Plan (“BCP”) and Disaster Recovery (“DR”) policies. It requires frequent DR exercises, testing under different circumstances, and data backup and restoration to ensure operational resilience. Lastly, while underlining the role of the Audit Committee of the Board (“ACB”) in overseeing Information Security (“IS”) Audit, the directives propose IS Audit planning through a risk-based approach, emphasizing continuous auditing for critical systems