Top-5 NBFC: RBI IT & Cyber Security Audit Readiness Before Regulator Inspection
For large NBFCs, RBI inspections examine the substance behind cyber-security assertions — evidence, ownership, and board oversight. This engagement shows how one of India’s top-5 NBFCs converted a broad framework gap assessment into a closed set of critical findings and a standing board reporting rhythm before its scheduled inspection.
Client Overview
The client is a top-5 NBFC by assets under management, operating lending and collections businesses across India through branch, digital, and partner channels. The regulatory driver was the RBI Master Direction on IT Governance and the Cyber Security Framework, with a supervisory inspection on the calendar. Scope covered core lending systems, digital channels, the data centre and DR site, and third-party technology providers.
- Industry: NBFC / BFSI (top-5 by AUM)
- Region: India (pan-India operations)
- Regulatory driver: RBI IT Governance Master Direction + Cyber Security Framework; scheduled inspection
- Timeline: Two quarters, gap assessment to inspection-ready
- CyberSigma team: Engagement lead (BFSI regulatory), two IS auditors, VAPT team, GRC consultant
Challenge
The NBFC’s controls had grown faster than its evidence. A regulator-lens gap assessment surfaced critical findings in privileged access, DR testing, vendor oversight, and audit-trail completeness — with an inspection date already fixed.
- Critical findings across privileged access management, DR testing, and vendor risk oversight
- Evidence not traceable to specific framework clauses regulators would test against
- Board cyber reporting ad hoc rather than a standing, minuted agenda item
- IS audit and VAPT cycles not aligned to RBI submission expectations
- Fixed inspection window leaving no room for slippage
Objectives
- Close all critical findings before the RBI inspection date
- Map every control and its evidence to specific framework clauses
- Institutionalise quarterly board-level cyber risk reporting
- Complete IS audit and VAPT cycles with submission-grade reports
- Rehearse the inspection so control owners could speak to their evidence
Our Approach
1. Regulator-Lens Gap Assessment
Controls were assessed clause-by-clause against the RBI IT Governance Master Direction and Cyber Security Framework, with each gap rated by inspection exposure rather than generic severity alone.
2. Critical-Finding Remediation
Privileged access management, DR test execution with documented results, vendor oversight controls, and audit-trail completeness were remediated under weekly tracking with executive escalation for slippage.
3. Evidence & Traceability Build
An evidence register was built mapping every framework clause to its control, owner, and artefact — so any inspector question could be answered with a documented, dated exhibit.
4. Board Reporting Cadence
A quarterly cyber risk pack for the board and IT Strategy Committee was designed and delivered, converting cyber posture into a minuted governance record inspectors expect to see.
5. Inspection Rehearsal
Mock inspection sessions walked control owners through likely question lines and evidence retrieval, closing gaps in narrative and artefact readiness before the real event.
Solution
- Clause-level gap assessment against RBI IT Governance and Cyber Security Framework requirements
- Tracked remediation of all critical findings with weekly executive reporting
- Evidence register tracing every clause to control, owner, and dated artefact
- Quarterly board cyber risk reporting pack, adopted as a standing agenda item
- Mock-inspection rehearsals for control owners ahead of the supervisory visit
Results
- All critical findings closed before the RBI inspection commenced
- Every framework clause backed by traceable, dated evidence at inspection time
- Board-level cyber reporting institutionalised as a minuted quarterly cadence
- IS audit and VAPT completed with submission-ready reporting aligned to RBI expectations
- Control owners able to evidence their areas directly during inspection sessions
Liked the case study? Share on:



