Isometric illustration of API security architecture with encryption, cloud and database protection

For banks and NBFCs in India, cybersecurity is a board-level, regulator-watched obligation — and the rules got sharper in 2024. The RBI’s Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, effective 1 April 2024, consolidated years of scattered circulars into one framework covering banks, NBFCs, payments banks and more. This guide explains who it applies to, what it requires — especially around VAPT and incident reporting — and how NBFCs of different sizes are treated.

What is the RBI IT Governance framework?

The Master Direction is RBI’s consolidated standard for how regulated entities govern and secure their technology. It puts accountability at the board and senior-management level, mandates a board-approved IT and cyber-security policy, and requires structured risk management, assurance (audit) and a defined VAPT programme. It replaces and updates earlier RBI cyber-security circulars into a single reference.

Who does it apply to?

The direction covers a broad set of Regulated Entities:

  • Scheduled commercial banks (excluding regional rural banks)
  • Small finance banks and payments banks
  • Non-Banking Financial Companies (NBFCs)
  • Credit information companies
  • All-India financial institutions (EXIM Bank, NABARD, NHB, SIDBI, NaBFID)

How NBFCs are treated: a tiered approach

RBI applies its scale-based regulation here — obligations scale with the NBFC’s layer and size:

NBFC layer What to expect
Upper Layer & Middle Layer Requirements close to banks — full IT governance, robust VAPT, SOC/monitoring, assurance
Base Layer Lighter, proportionate requirements — but still a real baseline

Regardless of layer, every NBFC needs a board-approved IT/security policy, incident-reporting capability, and a VAPT programme. “We’re small” is not an exemption.

VAPT requirements

Testing is central. As a general baseline, the framework points to vulnerability assessment at least half-yearly and penetration testing at least annually for critical systems — with larger entities (upper/middle-layer NBFCs and banks) typically running more frequent VA and annual PT. Note that for certain regulatory audits, RBI expects testing by CERT-In empanelled auditors — confirm the specific requirement that applies to your entity.

Activity Typical minimum cadence
Vulnerability assessment At least half-yearly (often quarterly for larger entities)
Penetration testing (critical systems) At least annually
Re-test after major change Recommended / expected

Incident reporting

Regulated entities must be able to detect and report cyber incidents promptly. Significant incidents are expected to be reported to RBI within a matter of hours — aligned with CERT-In’s six-hour rule — followed by a detailed root-cause analysis. A tested incident-response and forensics capability is what makes fast, accurate reporting possible. (See our data-breach response playbook.)

Governance, SOC and assurance

Beyond testing, the framework expects board-level oversight of IT and cyber risk, a defined cyber-risk appetite, continuous monitoring (a SOC or MDR), and periodic independent assurance. Many entities also align to ISO 27001 as the practical backbone — and if you juggle multiple regulators, our compliance-overlap guide shows how to plan one programme instead of several.

RBI cyber-security checklist for banks & NBFCs

  • □ Board-approved IT & cyber-security policy and risk framework
  • □ Confirm your NBFC layer and proportionate obligations
  • □ VAPT programme — VA at least half-yearly, PT at least annually for critical systems
  • □ Continuous monitoring (SOC / MDR) and threat detection
  • □ Incident detection, response and prompt RBI/CERT-In reporting
  • □ Independent IT audit / assurance
  • □ Data security, access control and secure configuration baselines
  • □ Third-party / outsourcing risk management

Frequently asked questions

When did the RBI IT Governance Master Direction take effect?

1 April 2024. It consolidates and updates RBI’s earlier cyber-security and IT circulars into one framework.

Do small (Base Layer) NBFCs have to comply?

Yes — obligations are lighter and proportionate, but every NBFC needs a board-approved policy, incident reporting and a VAPT programme.

How often must banks and NBFCs run VAPT?

As a baseline, vulnerability assessment at least half-yearly and penetration testing at least annually for critical systems, with larger entities testing more often. Confirm your specific obligation and whether a CERT-In empanelled auditor is required.

Does RBI require ISO 27001?

RBI doesn’t mandate ISO 27001 by name, but an ISO 27001 ISMS delivers most of what the framework expects and is a common way to demonstrate maturity.

Get RBI-ready with Selkey

Selkey Cyber Security helps banks and NBFCs strengthen their security posture and prepare for RBI expectations — RBI cyber-security compliance consulting, VAPT, SOC/MDR monitoring, incident-response readiness and ISO 27001 alignment. Our team holds credentials including ISO 27001 Lead Auditor, OSCP, CEH Master and CPENT.

Explore Selkey’s RBI compliance services or book an RBI readiness consultation →

This article is general information, not legal or regulatory advice. Confirm your obligations against the current RBI Master Direction and any updates, or with qualified advisors.

Leave A Comment

All fields marked with an asterisk (*) are required