Mumbai, November 8: The RBI has issued a comprehensive new Master Direction for banks and NBFCs regarding Information Technology Governance, Risk Management, Controls, and Assurance Practices. These guidelines outline the responsibilities of Directors of these regulated entities in safeguarding the interests of customers.
These directives consolidate, update, and encompass the guidelines, instructions, and circulars on IT Governance issued previously, and will be effective from April 1, 2024.
The guidelines mandate that all regulated entities closely monitor the following:
- 'Cyber events,' defined as observable incidents within an information system, which may indicate the occurrence of a cyber incident.
- 'Cybersecurity,' involving the preservation of information confidentiality, integrity, and availability through digital means. This may also encompass other attributes like authenticity, accountability, non-repudiation, and reliability.
- 'Cyber incident,' which refers to a cyber event negatively impacting the cybersecurity of an information asset, whether stemming from malicious activity or other causes.
- 'Cyber-attack,' signifying malicious efforts through digital channels to exploit vulnerabilities, leading to damage, disruption, or unauthorized access to assets.
- 'De-militarized Zone' or 'DMZ,' a network segment situated between internal and external networks for security purposes.
- 'Information Asset,' denoting any data, device, or element within the environment supporting information-related operations, including information systems, data, hardware, and software.
Foreign banks operating in India are also required to adhere to these guidelines and must engage in discussions with the RBI if seeking an exemption from specific norms.
