The RBI Cyber Security Framework, introduced by the June 2016 circular (DBS.CO/CSITE/BC.11/33.01.001/2015-16), makes cyber resilience a board-level obligation for Indian banks. Banks must adopt a board-approved cyber security policy, implement baseline security controls proportionate to their risk profile and the digital products they offer, maintain continuous surveillance of their environment, and report cyber-security incidents to RBI promptly.
Core expectations
- A board-approved cyber security policy, distinct from the IT/IS security policy.
- Baseline cyber security and resilience controls (set out in the circular’s annexes).
- A Cyber Crisis Management Plan (CCMP) covering detection, response, recovery and containment.
- Continuous surveillance, typically through a Cyber Security Operation Centre (C-SOC).
- Reporting of all unusual cyber-security incidents, whether successful or merely attempted, to RBI within the stipulated time (the circular specifies 2 to 6 hours of detection).
- A gap assessment against the required arrangements and periodic VAPT.
- Board and top-management oversight, with a defined CISO role.
The baseline control areas
| Area | Examples |
|---|---|
| Network & perimeter | Firewalls and other network security controls, segmentation, secure configuration |
| Access management | Least privilege, MFA, privileged-access controls |
| Application & data security | Secure development, encryption, data protection |
| Vulnerability & patch | Scanning, patching, periodic VAPT |
| Monitoring & detection | SOC, SIEM, log management, anomaly detection |
| Incident response | CCMP, reporting to RBI, forensics readiness |
| Vendor/outsourcing risk | Third-party security assessment and monitoring |
Graded approach for co-operative banks
RBI extended cyber security expectations to Urban Co-operative Banks through a graded, level-based framework (the December 2019 "Comprehensive Cyber Security Framework for UCBs – A Graded Approach"), which places each bank in one of four levels so that requirements scale with its digital footprint and risk. NBFCs are covered through parallel directions and the IT Governance master direction.
Implementation roadmap
- Adopt a board-approved cyber security policy and define the CISO role.
- Perform a gap assessment against the baseline controls.
- Stand up / strengthen the SOC and continuous surveillance.
- Implement the CCMP and the RBI incident-reporting workflow.
- Conduct periodic VAPT and remediate findings.
- Manage vendor/outsourcing risk; run awareness training.
- Report to RBI as required, track findings to closure and continuously improve.
Evidence checklist
- Board-approved cyber security policy and CISO appointment.
- Gap-assessment report against the baseline controls.
- SOC/SIEM monitoring evidence.
- Cyber Crisis Management Plan and test records.
- VAPT reports and remediation evidence.
- Incident register and RBI incident-reporting records.
- Vendor security assessments and awareness-training records.
Common gaps
- Unpatched internet-facing systems and weak configuration.
- Privileged access without proper approval or review.
- Logs collected but never monitored.
- Untested incident-response/CCMP arrangements.
- Vendors onboarded without security due diligence.
How CyberSigma helps
CyberSigma is CERT-In empanelled. We perform the RBI cyber security gap assessment, VAPT and SOC/monitoring review, help operationalise the CCMP and the RBI incident-reporting workflow, and support co-operative banks in meeting the requirements of their level under the graded framework.
Frequently asked questions
Who must comply with the RBI Cyber Security Framework?
Primarily scheduled commercial banks, to which the 2016 circular is addressed. Parallel directions extend cyber security expectations to Urban Co-operative Banks (under the graded framework) and to NBFCs, scaled to their category.
Does it require VAPT?
Yes. Periodic vulnerability assessment and penetration testing of critical systems is an expected control, with findings remediated and re-tested; engaging CERT-In empanelled auditors is the common practice.
Need help with RBI Cyber Security Framework?
Our CERT-In empanelled, PCI QSA senior auditors can take you from reading about the framework to demonstrable compliance through a scoped, guided programme.
