Reserve Bank of India · India

RBI Cyber Security Framework for Banks

Baseline cyber security and resilience controls mandated by RBI for banks.

The RBI Cyber Security Framework, introduced by the June 2016 circular (DBS.CO/CSITE/BC.11/33.01.001/2015-16), made cyber resilience a board-level obligation for Indian banks. It requires a board-approved cyber security policy and baseline security controls proportionate to the bank’s risk, with continuous surveillance and prompt incident reporting to RBI.

Core expectations

  • A board-approved cyber security policy, distinct from the IT/IS security policy.
  • Baseline cyber security and resilience controls (set out in the circular’s annexes).
  • A Cyber Crisis Management Plan (CCMP) covering detection, response, recovery and containment.
  • Continuous surveillance — typically a Security Operations Centre (SOC).
  • Reporting of unusual cyber-security incidents to RBI within the stipulated time.
  • A gap assessment against the required arrangements and periodic VAPT.
  • Board and top-management oversight, with a defined CISO role.

The baseline control areas

Area                        | Examples
----------------------------|-----------------------------------------------------
Network & perimeter         | Firewalls/NSCs, segmentation, secure configuration
Access management           | Least privilege, MFA, privileged-access controls
Application & data security | Secure development, encryption, data protection
Vulnerability & patch       | Scanning, patching, periodic VAPT
Monitoring & detection      | SOC, SIEM, log management, anomaly detection
Incident response           | CCMP, reporting to RBI, forensics readiness
Vendor/outsourcing risk     | Third-party security assessment and monitoring

Graded approach for co-operative banks

RBI extended cyber security expectations to Urban Co-operative Banks through a graded/level-based framework, so requirements scale with a bank’s digital footprint and risk. NBFCs are covered through parallel directions and the IT Governance master direction.

Implementation roadmap

  1. Adopt a board-approved cyber security policy and define the CISO role.
  2. Perform a gap assessment against the baseline controls.
  3. Stand up / strengthen the SOC and continuous surveillance.
  4. Implement the CCMP and the RBI incident-reporting workflow.
  5. Conduct periodic VAPT and remediate findings.
  6. Manage vendor/outsourcing risk; run awareness training.
  7. Report and continuously improve.

Evidence checklist

  • Board-approved cyber security policy and CISO appointment.
  • Gap-assessment report against the baseline controls.
  • SOC/SIEM monitoring evidence.
  • Cyber Crisis Management Plan and test records.
  • VAPT reports and remediation evidence.
  • Incident register and RBI incident-reporting records.
  • Vendor security assessments and awareness-training records.

Common gaps

  • Unpatched internet-facing systems and weak configuration.
  • Privileged access without proper approval or review.
  • Logs collected but never monitored.
  • Untested incident-response/CCMP arrangements.
  • Vendors onboarded without security due diligence.

How CyberSigma helps

CyberSigma is CERT-In empanelled — we perform the RBI cyber security gap assessment, VAPT and SOC/monitoring review, help operationalise the CCMP and incident reporting, and support co-operative banks through the graded framework.

Frequently asked questions

Who must comply with the RBI Cyber Security Framework?
Primarily scheduled commercial banks, with parallel directions extending cyber expectations to Urban Co-operative Banks and NBFCs based on their category.
Does it require VAPT?
Yes — periodic vulnerability assessment and penetration testing of critical systems is an expected control, ideally by CERT-In empanelled auditors.

Need help with RBI Cyber Security Framework?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.