
RBI Cybersecurity Framework for Banks: Controls, Assurance, and DPDP Alignment

10 min read · CISO · IT Security · Risk · March 2026

The RBI Cybersecurity Framework — Background and Scope

The RBI Cybersecurity Framework for Banks was originally issued in 2016 and has been progressively strengthened through subsequent circulars. The current framework, incorporating all updates through 2021, applies to all commercial banks, small finance banks, payment banks, and their service providers handling banking data.

The framework mandates a “defence-in-depth” approach with baseline security controls across six domains.

The Six Control Domains

Domain 1: Cyber Security Policy

Every bank must maintain a Board-approved Cybersecurity Policy that:

  • Covers all aspects of cyber risk management
  • Is reviewed annually and updated for emerging threats
  • Defines the cyber risk appetite and tolerance levels
  • Is supported by an implementation roadmap

The policy must specifically address: network security, access management, patch management, data security, vendor risk, incident response, and business continuity.

Domain 2: IT Architecture and Security

Security must be built into IT architecture, not retrofitted:

  • Network segmentation: Internal networks must be segmented. Customer-facing systems must be segregated from back-office systems and internal administrative systems.
  • Perimeter security: Multiple layers including firewalls, intrusion detection/prevention systems, web application firewalls for internet-facing applications.
  • Endpoint security: Comprehensive endpoint protection on all devices including mobile devices used for banking operations.
  • Data encryption: All sensitive data (particularly customer personal and financial data) must be encrypted at rest and in transit.

Domain 3: Access Controls

Access control requirements are among the most prescriptive in the framework:

  • Principle of least privilege: Users have access only to what they need for their role
  • Privileged access management: All privileged accounts (DBA, sysadmin, network admin) must be managed through a PAM solution with session recording
  • Multi-factor authentication: Mandatory for all privileged access, remote access, and access to sensitive customer data systems
  • Annual access review: All user access rights must be formally reviewed annually with documented approval

Domain 4: Patch and Vulnerability Management

  • All systems must be within supported versions (no end-of-life software in production)
  • Critical patches must be applied within 30 days of release
  • Vulnerability assessments must be conducted quarterly for internet-facing systems
  • Annual penetration testing of all critical systems by qualified external agencies
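The Domain 4 baselines above are the kind of control a bank can evidence from its asset inventory rather than from a questionnaire. The following is an added example, not code from the article or from any RBI or CreativeCyber tooling: it evaluates constructed inventory records against three of the listed requirements (no end-of-life software in production, critical patches applied within 30 days of release, quarterly vulnerability assessment of internet-facing systems). The `Asset` fields, the 91-day quarter, and the sample records are assumptions made for the example.

```python
"""Added example: check an asset inventory against Domain 4 baselines.
Field names, the 91-day quarter and the sample records are constructed
for this example; adapt them to the real CMDB schema."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

CRITICAL_PATCH_SLA_DAYS = 30   # "critical patches within 30 days of release"
VA_INTERVAL_DAYS = 91          # "quarterly" assessment, taken as 91 days (assumption)


@dataclass
class Asset:
    name: str
    software_eol: Optional[date]          # vendor end-of-life date; None if supported
    internet_facing: bool
    last_va: Optional[date]               # last vulnerability assessment; None if never
    pending_critical_releases: list = field(default_factory=list)  # release dates of unapplied critical patches


def assess(asset: Asset, today: date) -> list:
    """Return a list of human-readable findings for one asset (empty = compliant)."""
    findings = []
    # No end-of-life software in production.
    if asset.software_eol is not None and asset.software_eol <= today:
        findings.append(f"{asset.name}: end-of-life software in production (EOL {asset.software_eol})")
    # Critical patches applied within the SLA window.
    for released in asset.pending_critical_releases:
        age = (today - released).days
        if age > CRITICAL_PATCH_SLA_DAYS:
            findings.append(f"{asset.name}: critical patch released {released} unapplied for {age} days "
                            f"(SLA {CRITICAL_PATCH_SLA_DAYS})")
    # Quarterly vulnerability assessment of internet-facing systems.
    if asset.internet_facing and (asset.last_va is None or (today - asset.last_va).days > VA_INTERVAL_DAYS):
        findings.append(f"{asset.name}: internet-facing system without a vulnerability assessment in the last quarter")
    return findings


def assess_inventory(assets, today: date) -> dict:
    """Map asset name -> findings, preserving inventory order."""
    return {a.name: assess(a, today) for a in assets}


def noncompliant(assets, today: date) -> list:
    """Names of assets with at least one finding."""
    return [name for name, findings in assess_inventory(assets, today).items() if findings]


# Constructed sample inventory and assessment date.
TODAY = date(2026, 3, 15)
SAMPLE_INVENTORY = [
    Asset("netbanking-web", None, True, date(2026, 1, 20), [date(2026, 3, 1)]),
    Asset("core-db", date(2025, 12, 31), False, None, [date(2026, 1, 10)]),
    Asset("payment-gw", None, True, date(2025, 11, 1), []),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the real inventory, the findings list is the evidence artefact for the Domain 4 control assessment; an empty list per asset is what an auditor would expect to see alongside the patch and scan records that produced it.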

Domain 5: Incident Response and Reporting

The Cybersecurity Framework establishes a mandatory reporting requirement to RBI:

  • Immediate (within 6 hours): All cyber incidents that could have systemic impact or affect customer data
  • Within 24 hours: All confirmed cyber incidents
  • Detailed report (within 72 hours): Root cause, impact assessment, remediation actions

This reporting requirement pre-dates and complements the DPDP Act’s 72-hour breach notification requirement. Enterprises subject to both must have a coordinated response procedure.
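A coordinated response procedure needs the RBI and DPDP clocks on one timeline so that the 6-hour initial notification is not lost behind the 72-hour reports. The following is an added example, not from the article or any regulator's guidance: it builds that merged timeline from an incident detection time and the deadlines the article lists. Which flags trigger which obligation (a suspected systemic or customer-data incident triggers the 6-hour notice; the 24-hour and 72-hour RBI reports and the DPDP notification apply once the incident is confirmed) is an assumption made for the example.

```python
"""Added example: merge RBI (6h / 24h / 72h) and DPDP (72h) reporting
deadlines into one incident timeline. Trigger conditions are assumptions."""
from datetime import datetime, timedelta, timezone


def reporting_timeline(detected_at: datetime, confirmed: bool,
                       systemic_or_customer_data: bool, personal_data_breach: bool) -> list:
    """Return [(deadline, obligation), ...] sorted by deadline."""
    obligations = []
    # RBI immediate notification: systemic impact or customer data affected.
    if systemic_or_customer_data:
        obligations.append((detected_at + timedelta(hours=6), "RBI initial notification (6h)"))
    # RBI reports for confirmed incidents.
    if confirmed:
        obligations.append((detected_at + timedelta(hours=24), "RBI confirmed-incident report (24h)"))
        obligations.append((detected_at + timedelta(hours=72),
                            "RBI detailed report: root cause, impact, remediation (72h)"))
    # DPDP breach notification runs in parallel when personal data is involved.
    if confirmed and personal_data_breach:
        obligations.append((detected_at + timedelta(hours=72), "DPDP breach notification (72h)"))
    return sorted(obligations, key=lambda o: o[0])


def status(timeline: list, now: datetime) -> tuple:
    """Split a timeline into overdue labels and (label, time remaining) for the rest."""
    overdue = [label for due, label in timeline if due < now]
    upcoming = [(label, due - now) for due, label in timeline if due >= now]
    return overdue, upcoming


if __name__ == "__main__":
    # Constructed incident: detected 09:00 UTC, confirmed, customer data involved.
    t0 = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)
    timeline = reporting_timeline(t0, confirmed=True, systemic_or_customer_data=True, personal_data_breach=True)
    for due, label in timeline:
        print(due.isoformat(), label)
    overdue, upcoming = status(timeline, t0 + timedelta(hours=30))
    print("overdue:", overdue)
    print("upcoming:", [(l, str(r)) for l, r in upcoming])
```

The `status` split is what a SOC shift handover or incident dashboard needs: whichever obligations are already overdue are escalation items, and the remaining ones carry the time left against both regulators at once.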

Domain 6: Security Assurance

The framework requires the following security assurance activities on an annual basis:

  • Comprehensive IS Audit by a CISA-qualified internal or external auditor
  • Red team exercise or penetration test by CERT-empanelled security auditors
  • Security Operations Centre (SOC) with 24×7 monitoring capability
  • Threat intelligence integration and vulnerability disclosure programme

DPDP Act Alignment with the Cybersecurity Framework

The DPDP Act §8(5) requires “reasonable security safeguards” — a standard that is explicitly informed by frameworks like the RBI Cybersecurity Framework for regulated entities. Implementing the Cybersecurity Framework’s controls provides strong evidence of §8(5) compliance.

Specifically:

  • Domain 3 (Access Controls) → evidences protection of personal data against unauthorised access
  • Domain 4 (Patch/Vulnerability) → evidences reasonable technical safeguards
  • Domain 5 (Incident Response) → operationalises DPDP breach notification obligation
  • Domain 2 (Encryption) → evidences protection of data in transit and at rest

The CreativeCyber DPDP Assurance Platform’s Assurance Readiness module includes the RBI Cybersecurity Framework as a mapped control pack, allowing banks to conduct a single control assessment that produces evidence for both regulatory programmes.
