
The Reserve Bank of India (RBI) is set to implement a comprehensive master direction on information technology governance, risk, controls, and assurance practices for regulated entities (REs) from April 1, 2024. S Ravi Bse, former BSE Chairman, highlights the benefits of this directive, emphasizing its role in simplifying the administration of IT and cyber governance. The master direction applies to scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, NBFCs in top, upper, and middle layers, all India financial institutions, and credit information companies.

S Ravi Bse explains that the master direction clearly outlines the roles and authorities of the board of directors, board-level committees, and senior management of REs. It consolidates and updates the guidelines, instructions, and circulars on IT governance, risk, controls, assurance practices, and business continuity/disaster recovery management that the RBI had issued earlier. The directive aims to protect the interests of customers and to streamline the existing multiple circulars into a single document.

One key aspect of the master direction is the mandatory implementation of a robust IT Service Management Framework by REs to support their information systems and infrastructure, ensuring operational resilience, including disaster recovery sites. The directive also emphasizes the need for a documented data migration policy, ensuring data integrity, completeness, and consistency in the migration process.

Addressing the rising concerns of cyber and IT fraud, the RBI stresses the importance of IT applications having necessary audit and system logging capabilities to provide audit trails. Additionally, the directive highlights the adoption of internationally accepted standards for IT infrastructure and configurations compliant with extant laws and regulatory instructions.

While the Board holds approval authority for IT-related strategies and policies, the directive places responsibility on the CEO to oversee effective planning and execution of IT strategy. The CEO is also accountable for ensuring robust cybersecurity measures and the overall contribution of IT to productivity, effectiveness, and efficiency in business operations. The directive designates a Chief Information Security Officer (CISO) responsible for driving IT/cybersecurity, compliance, and regulatory guideline adherence, as well as administering RE policies.