The RBI has issued a new comprehensive Master Direction to banks and NBFCs on Information Technology Governance, Risk, Controls and Assurance Practices which spells out the role of Directors of these regulated entities to discharge their duties in order to safeguard the interests of customers.
These directions incorporate, consolidate and update the guidelines, instructions and circulars on IT Governance issued earlier and will come into effect from April 1, 2024.
The guidelines have directed all regulated entities to keep a close watch on:
‘Cyber events’ defined as any observable occurrence in an information system. Cyber events sometimes provide indication that a cyber incident is occurring.
Cyber security’ -- Preservation of confidentiality, integrity and availability of information through the cyber medium. In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
‘Cyber incident’ -- which is a cyber event that adversely affects the cyber security of an information asset whether resulting from malicious activity or not.
‘Cyber-attack’ -- Malicious attempts to exploit vulnerabilities through the cyber medium to damage, disrupt or gain unauthorised access to assets.
‘De-militarized Zone’ or ‘DMZ’ is a perimeter network segment that is logically between internal and external networks.
‘Information Asset’ -- Any piece of data, device or other component of the environment that supports information-related activities. Information Assets include information system, data, hardware and software.
Foreign banks operating in India have also been asked to follow the guidelines and to hold discussions with the RBI in case they have to seek an exemption in the case of any particular norm.