Reserve Bank of India · India

RBI Housing Finance Company (HFC) IS & Cyber Audit

Information systems and cyber security audit for housing finance companies.

Introduction to the RBI Housing Finance Company (HFC) IS & Cyber Audit

Housing Finance Companies (HFCs) occupy a systemically important position in India's financial services landscape, channelling long-tenor credit into the residential mortgage market while acting as custodians of vast repositories of borrower personal, financial and property data. Following the transfer of regulatory oversight of HFCs from the National Housing Bank (NHB) to the Reserve Bank of India (RBI) with effect from 9 August 2019, HFCs have progressively been brought within the ambit of the RBI's Non-Banking Financial Company (NBFC) prudential and technology-risk framework. The RBI Housing Finance Company (HFC) IS & Cyber Audit is the independent information systems (IS) audit and cyber-security assurance exercise that an HFC must commission to demonstrate that its technology estate, cyber-resilience posture, IT governance and outsourcing arrangements comply with the Reserve Bank's directions.

This guide is written for two audiences at once: the auditor who must plan, evidence and opine on the control environment, and the implementer (CISO, Head of IT, CTO, compliance and risk functions) who must build, remediate and operate the underlying controls. It consolidates the applicable RBI Master Directions, the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (IT GRC Directions, 2023), the Master Directions on Digital Lending, the Cyber Security guidance issued for the NBFC/HFC sector, and the intersecting directions of UIDAI, NPCI, CERT-In and the Digital Personal Data Protection Act, 2023 (DPDP Act) into a single auditor-grade playbook.

Copyright and source note
This guide is an original CyberSigma work product. It references, paraphrases and interprets publicly issued Reserve Bank of India Master Directions, circulars and notifications (including the Master Direction - Information Technology Governance, Risk, Controls and Assurance Practices dated 7 November 2023, the Master Direction - Reserve Bank of India (Non-Banking Financial Company - Housing Finance Company) Directions, 2021, and the Digital Lending Directions, 2025), together with CERT-In, UIDAI, NPCI and DPDP Act instruments. The verbatim text of RBI, CERT-In and UIDAI circulars remains the copyright of the respective issuing authorities. Readers must consult the current, in-force official circular text on the RBI, CERT-In and UIDAI portals before finalising any audit opinion, as regulatory instructions are periodically amended and superseded.

What is the RBI HFC IS & Cyber Audit

The RBI HFC IS & Cyber Audit is a structured, evidence-based assurance engagement that evaluates whether a Housing Finance Company's information technology and cyber-security controls meet the requirements set out by the Reserve Bank of India. It is not a single monolithic circular but a composite obligation that draws on several instruments. The keystone is the Master Direction - Information Technology Governance, Risk, Controls and Assurance Practices dated 7 November 2023 (referenced in this guide as the IT GRC Directions), which applies to Regulated Entities (REs) including NBFCs and HFCs above defined asset thresholds, and which mandates an IT governance framework, IT and information security risk management, IT operations, information security controls, business continuity and disaster recovery, and independent assurance through IS Audit.

The audit typically spans the following interlocking obligations: (i) periodic Information Systems (IS) Audit covering IT general controls and application controls; (ii) an annual or event-driven Cyber Security posture assessment aligned to the RBI's cyber-security expectations for the NBFC/HFC sector; (iii) Vulnerability Assessment and Penetration Testing (VAPT) of internet-facing and internal assets; (iv) review of outsourcing and third-party/cloud arrangements against the RBI outsourcing framework; (v) Digital Lending controls where the HFC operates through Lending Service Providers (LSPs) or Digital Lending Apps (DLAs); (vi) data localisation and protection controls under the DPDP Act, 2023 and, where applicable, RBI storage-of-payment-data and Aadhaar (UIDAI/AUA-KUA) directions; and (vii) CERT-In cyber-incident reporting readiness under the 28 April 2022 Directions.

The output of the engagement is a formal IS Audit and Cyber Audit report, tabled before the IT Strategy Committee and the Board (or its Audit Committee / IT Committee), together with a risk-rated observations register, a remediation roadmap with target dates, and a management representation on the corrective action plan. The report and its closure evidence must be retained and made available to the RBI on demand or during supervisory inspection.

Who must comply

Applicability is driven by the HFC's registration status, asset size and the RBI scale-based regulation (SBR) layer into which it falls. Under the SBR framework, HFCs are treated as a category within the NBFC universe and are ordinarily classified in the Middle Layer (NBFC-ML) or Upper Layer (NBFC-UL) depending on size, with correspondingly graded IT and cyber obligations.

Entity / population | Applicability of RBI HFC IS & Cyber Audit
Housing Finance Companies registered with RBI (post-NHB transfer) | In scope; must comply with HFC Directions, 2021 and the IT GRC Directions per applicable asset threshold
HFCs in the NBFC Upper Layer (NBFC-UL) | Full applicability of IT GRC Directions including IT Strategy Committee, CISO, IS Audit, BCP/DR and enhanced cyber controls
HFCs in the NBFC Middle Layer (NBFC-ML) | Applicable with graded expectations; IT governance, IS Audit and cyber-resilience controls required
Smaller HFCs / Base Layer equivalents | Proportionate, baseline cyber-hygiene and IS Audit expectations apply as prescribed
HFCs offering digital lending via DLAs / LSPs | Additional Digital Lending Directions, 2025 controls, KFS, and data-handling obligations apply
HFCs acting as Aadhaar AUA/KUA or Sub-AUA | UIDAI Aadhaar Act, regulations and AUA/KUA audit obligations apply
HFCs storing or processing payment data (EMI collections, mandates) | RBI payment-data storage and NPCI/NACH e-mandate controls apply
All HFCs as bodies corporate handling personal data | DPDP Act, 2023 obligations as Data Fiduciary; CERT-In incident reporting Directions, 2022

Within an in-scope HFC and its ecosystem, the audit directly engages the following stakeholders:

  • Board and IT Strategy Committee members, who bear ultimate accountability for the IT and cyber-risk framework.
  • Chief Information Security Officer (CISO) and Chief Technology / Information Officer, who own the control environment being audited.
  • Head of Compliance and Chief Risk Officer, who must ensure regulatory alignment and risk-acceptance governance.
  • Internal auditors and the appointed independent IS auditor / CERT-In empanelled assessor conducting the review.
  • Outsourced service providers, LSPs, cloud providers and fintech partners whose controls fall within the assessment perimeter.

Structure of the RBI HFC IS & Cyber Audit

The audit is organised around the control domains defined primarily in the IT GRC Directions (2023), supplemented by sector-specific obligations. The table below sets out the principal domains, their indicative control families and the anchoring regulatory reference. These domains form the backbone of the master assessment checklist that follows.

Domain | Indicative control families | Anchoring reference
D1. IT Governance | Board & IT Strategy Committee oversight, IT policy framework, roles and accountability, IT & cyber strategy | IT GRC Directions Ch. II
D2. IT Infrastructure & Service Management | Capacity, change, configuration, patch, asset and problem management, IT operations | IT GRC Directions Ch. III
D3. Information Security & Cyber Resilience | Security policy, access control, cryptography, network security, endpoint, SOC/monitoring, cyber-crisis management | IT GRC Directions Ch. IV; RBI cyber guidance
D4. IT & Information Security Risk Management | Risk assessment, risk register, KRIs, third-party risk, risk acceptance | IT GRC Directions Ch. II-IV
D5. Business Continuity & Disaster Recovery | BIA, BCP, DR site, RTO/RPO, drills, resilience testing | IT GRC Directions Ch. V
D6. IS Audit & Assurance | IS Audit charter, scope, competency, reporting, follow-up | IT GRC Directions Ch. VI
D7. Outsourcing, Cloud & Third-Party | Due diligence, contracts, right-to-audit, concentration & exit, cloud shared responsibility | RBI Outsourcing of IT Services Directions
D8. Digital Lending Controls | DLA/LSP governance, KFS, cooling-off, data minimisation, grievance, direct disbursal | Digital Lending Directions, 2025
D9. Data Protection & Privacy | DPDP Act obligations, consent, localisation, Aadhaar/UIDAI, payment-data storage | DPDP Act 2023; UIDAI; RBI storage directions
D10. Incident Management & Reporting | CERT-In 6-hour reporting, RBI incident reporting, forensic readiness, log retention | CERT-In Directions 28 Apr 2022; RBI
D11. Application Controls | Loan origination, LOS/LMS, collections, GL interface, input/processing/output controls | IS Audit application-control review

Master assessment checklist

This is the operative heart of the engagement. Each control domain below is decomposed into verifiable requirements. For every group the auditor should test design and operating effectiveness, and the implementer should ensure the control exists, is documented, and produces the typical evidence noted. The tables use two columns throughout: What to verify (the audit assertion) and Typical evidence (the artefacts an auditor will request and an implementer must be able to produce).

D1 - IT Governance

What to verify | Typical evidence
Board-approved IT and cyber-security strategy aligned to business strategy exists and is reviewed at least annually | Board/IT Strategy Committee minutes, approved IT strategy document with review dates
An IT Strategy Committee (ITSC) with the required independent-director chair is constituted and meets at prescribed frequency | ITSC terms of reference, member list, attendance registers, meeting minutes
A comprehensive, Board-approved IT policy and cyber-security policy framework is in place and version-controlled | Policy repository, approval sign-offs, version history, review calendar
Roles, responsibilities and accountability (CISO, CTO, IT heads) are formally defined and segregated | Organisation chart, RACI matrix, CISO appointment letter, reporting-line evidence
IT and cyber budget, resourcing and investment are governed and tracked | Budget approvals, IT spend reports, ITSC review of resourcing
Adequacy of the CISO function, reporting independently of business/IT operations, is established | CISO charter, reporting structure, CISO reports to Board/ITSC

D2 - IT Infrastructure and Service Management

What to verify | Typical evidence
A change management process with segregation between development, test and production is enforced | Change tickets, CAB minutes, approvals, promotion logs, rollback plans
Patch management ensures timely deployment of security and OS patches per defined SLAs | Patch policy, patch deployment reports, aged-patch exception register
Configuration and hardening baselines (CIS/vendor benchmarks) are applied and monitored for drift | Hardening standards, configuration scan reports, drift-remediation records
A complete IT asset inventory (hardware, software, cloud) is maintained with ownership | CMDB/asset register, reconciliation reports, licence compliance records
Capacity and performance are monitored to prevent service degradation | Capacity plans, utilisation dashboards, threshold-breach alerts
Problem and incident management processes exist with root-cause analysis | ITSM tool records, RCA reports, problem register, trend analysis

D3 - Information Security and Cyber Resilience

What to verify | Typical evidence
A logical access control framework enforces least privilege, RBAC and periodic access recertification | Access matrices, recertification reports, joiner-mover-leaver logs
Privileged access is managed through a PAM solution with session recording and just-in-time elevation | PAM configuration, privileged-session logs, break-glass procedure evidence
Multi-factor authentication is enforced for remote, administrative and internet-facing access | MFA policy, authentication logs, VPN/remote-access configuration
Encryption is applied to data at rest and in transit using approved algorithms and key management | Crypto policy, TLS configuration, KMS/HSM records, key-rotation logs
Network segmentation, firewalls, IPS and DDoS protection are deployed and rule-reviewed | Network diagrams, firewall rule-base review, IPS/DDoS reports
Endpoint protection (EDR/anti-malware) with centralised management is deployed on all assets | EDR console coverage report, detection/response logs, exception list
A Security Operations Centre / SIEM performs 24x7 monitoring with defined use-cases and correlation | SIEM use-case catalogue, alert triage records, SOC SLA reports
Email and web security controls (anti-phishing, DMARC/SPF/DKIM, URL filtering) are enforced | DMARC records, phishing-simulation results, gateway configuration
A cyber-crisis management plan (CCMP) and cyber-drill programme are established and tested | CCMP document, tabletop/drill reports, lessons-learned actions
Secure SDLC / secure configuration for applications and APIs is followed | SDLC policy, code-review/SAST-DAST reports, API security testing

D4 - IT and Information Security Risk Management

What to verify | Typical evidence
A documented IT and information-security risk assessment methodology is applied periodically | Risk methodology, latest risk assessment, scoring rationale
A maintained risk register with owners, treatment plans and residual-risk ratings exists | Risk register, treatment-plan tracker, residual-risk sign-offs
Key Risk Indicators (KRIs) are defined, monitored and escalated to the ITSC/Board | KRI dashboard, threshold breaches, escalation records
Risk-acceptance decisions are governed with defined authority and time limits | Risk-acceptance forms, approver authority matrix, review dates
Third-party and concentration risks are assessed and aggregated | Vendor risk assessments, concentration analysis, dependency mapping

D5 - Business Continuity and Disaster Recovery

What to verify | Typical evidence
A Business Impact Analysis identifies critical systems, RTO and RPO targets | BIA document, criticality ratings, RTO/RPO register
A Board-approved BCP covering people, process and technology exists and is current | BCP document, approval, review dates, call trees
A geographically separate DR site with adequate capacity is maintained | DR architecture, site details, capacity parity evidence
DR drills and failover tests are conducted at prescribed frequency with documented results | DR test plans, drill reports, RTO/RPO achievement vs target
Backup, restoration and data-integrity testing are performed and validated | Backup policy, restore-test logs, backup success/failure reports
Resilience of critical outsourced/cloud services is contractually assured and tested | Provider DR/SLA clauses, cloud region-failover evidence

D6 - IS Audit and Assurance

What to verify | Typical evidence
A Board/Audit Committee-approved IS Audit charter and risk-based annual IS Audit plan exist | IS Audit charter, approved plan, coverage universe
IS Audit is performed by competent, independent auditors (CISA/CERT-In empanelled) | Auditor credentials, empanelment proof, independence declaration
IS Audit scope covers IT general controls and application controls across critical systems | Audit scope documents, workpapers, coverage matrix
Findings are risk-rated, reported to the Audit Committee and tracked to closure | IS Audit report, ACB minutes, open-observation tracker
Prior-period observations are followed up and closure evidence is validated | Follow-up audit, closure evidence, re-test results

D7 - Outsourcing, Cloud and Third-Party Management

What to verify | Typical evidence
An outsourcing policy consistent with RBI Outsourcing of IT Services Directions is Board-approved | Outsourcing policy, Board approval, materiality assessment
Due diligence is performed before onboarding IT and cloud service providers | Vendor due-diligence reports, financial/security assessments
Contracts include right-to-audit, confidentiality, SLA, data-location and exit clauses | Executed contracts, clause matrix, right-to-audit invocation records
Sub-contracting and fourth-party dependencies are identified and controlled | Sub-contractor register, chain-of-outsourcing mapping
Cloud shared-responsibility model and data-residency requirements are documented and honoured | Shared-responsibility matrix, data-residency evidence, cloud config reviews
Exit and business-continuity strategy for material outsourcing is defined and tested | Exit plan, data-return/destruction procedure, portability evidence

D8 - Digital Lending Controls

What to verify | Typical evidence
All Digital Lending Apps (DLAs) and Lending Service Providers (LSPs) are inventoried and Board-approved | DLA/LSP register, agreements, RBI DLA reporting/directory submission
A Key Fact Statement (KFS) with all-inclusive APR is provided to every digital borrower | KFS templates, sample disbursals, APR computation evidence
A cooling-off / look-up period is enforced for digital loans | Product configuration, borrower communications, cancellation logs
Loan disbursal and repayment flow directly between borrower and HFC bank accounts (no pass-through/pool) | Disbursal/collection reconciliation, no third-party pool-account evidence
Data collected by DLAs is need-based, consent-driven and minimised; no access to phone contacts/media | DLA permission audit, consent architecture, data-minimisation review
A grievance redressal mechanism and nodal officer for digital lending are published and functional | Grievance SOP, nodal officer details, complaint MIS, TAT reports

D9 - Data Protection, Privacy and Localisation

What to verify | Typical evidence
The HFC's obligations as a Data Fiduciary under the DPDP Act, 2023 are mapped and operationalised | Data inventory, RoPA equivalent, consent notices, purpose limitation
Consent management, notice and grievance/data-principal rights processes exist | Consent records, DPB/grievance workflow, rights-request logs
Aadhaar handling (as AUA/KUA/Sub-AUA) complies with UIDAI Act, regulations and audit requirements | UIDAI licence, AUA/KUA audit report, Aadhaar data-vault, tokenisation
Payment/EMI/mandate data storage complies with applicable RBI storage directions | Data-storage location evidence, storage-compliance audit, NPCI mandate config
Data retention, archival and secure disposal schedules are defined and enforced | Retention schedule, disposal certificates, media-sanitisation records
Data classification and DLP controls protect PII and sensitive financial data | Classification policy, DLP incident reports, PII discovery scans

D10 - Incident Management and Regulatory Reporting

What to verify | Typical evidence
Cyber incidents are reported to CERT-In within 6 hours per the 28 April 2022 Directions | Incident register, CERT-In reporting acknowledgements, timelines
Material cyber incidents are reported to the RBI within prescribed timelines | RBI incident-report submissions, escalation matrix
An incident response plan with severity classification and roles is documented and tested | IR plan, severity matrix, playbooks, drill records
Logs are synchronised to Indian Standard Time (NTP) and retained for the mandated period (180 days) | NTP configuration, log-retention policy, log-storage evidence
Forensic readiness and evidence-preservation procedures exist for post-incident investigation | Forensic SOP, retainer with DFIR provider, chain-of-custody templates
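As an added example (not from the page or CyberSigma's own tooling), the following Python helper works the D10 assertions over a constructed incident register: it normalises mixed-offset detection timestamps to Indian Standard Time, measures the hours from detection to the CERT-In report against the 6-hour window, derives the reporting-timeliness KPI, and flags log sources configured below 180 days of retention. The CSV column names and the register layout are assumptions; a real register will need its own column mapping.

```python
"""Audit helpers for the D10 checks (added example; register format is assumed)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from zoneinfo import ZoneInfo

IST = ZoneInfo("Asia/Kolkata")
CERT_IN_WINDOW = timedelta(hours=6)   # CERT-In Directions, 28 April 2022
MANDATED_LOG_RETENTION_DAYS = 180     # CERT-In Directions, 28 April 2022

# Constructed sample register (not real incidents). "noticed_at" carries the
# offset of the tool that raised the alert: a cloud SIEM emitting UTC and an
# on-prem tool emitting IST side by side, the mismatch the IST baseline removes.
SAMPLE_REGISTER = """\
incident_id,severity,noticed_at,cert_in_reported_at
INC-0001,High,2024-03-04T09:15:00+05:30,2024-03-04T13:40:00+05:30
INC-0002,Critical,2024-03-10T22:05:00+00:00,2024-03-11T06:20:00+05:30
INC-0003,Medium,2024-03-15T18:00:00+05:30,
INC-0004,High,2024-03-20T02:30:00+00:00,2024-03-20T15:30:00+05:30
"""


@dataclass
class ReportingResult:
    incident_id: str
    noticed_ist: datetime
    hours_to_report: Optional[float]  # None when no CERT-In report is recorded
    within_window: bool


def to_ist(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and re-express it in IST.

    A timestamp without an offset is rejected: without knowing the source
    clock, the 6-hour computation cannot be evidenced to a supervisor.
    """
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset cannot be audited: {ts}")
    return dt.astimezone(IST)


def assess_reporting(register_csv: str) -> list[ReportingResult]:
    """Evaluate each incident against the CERT-In 6-hour reporting window."""
    results: list[ReportingResult] = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        noticed = to_ist(row["noticed_at"])
        reported_raw = row["cert_in_reported_at"].strip()
        if not reported_raw:
            # Unreported incidents are breaches, not gaps in the data.
            results.append(ReportingResult(row["incident_id"], noticed, None, False))
            continue
        elapsed = to_ist(reported_raw) - noticed
        hours = round(elapsed / timedelta(hours=1), 2)
        results.append(ReportingResult(row["incident_id"], noticed, hours,
                                       elapsed <= CERT_IN_WINDOW))
    return results


def timeliness_kpi(results: list[ReportingResult]) -> float:
    """Percentage of incidents reported within the mandated window."""
    if not results:
        return 100.0
    return round(100.0 * sum(r.within_window for r in results) / len(results), 1)


def retention_gaps(log_sources: dict[str, int]) -> dict[str, int]:
    """Return log sources whose configured retention (days) falls below 180."""
    return {name: days for name, days in log_sources.items()
            if days < MANDATED_LOG_RETENTION_DAYS}


if __name__ == "__main__":
    outcomes = assess_reporting(SAMPLE_REGISTER)
    for r in outcomes:
        status = "OK" if r.within_window else "BREACH"
        print(f"{r.incident_id}: noticed {r.noticed_ist:%Y-%m-%d %H:%M} IST, "
              f"hours to CERT-In report = {r.hours_to_report}, {status}")
    print(f"Reporting timeliness KPI: {timeliness_kpi(outcomes)}%")
    # Constructed retention configuration for three log sources.
    print("Retention below 180 days:",
          retention_gaps({"siem": 365, "perimeter-firewall": 90, "lms-app": 180}))
```

INC-0002 illustrates why the IST baseline matters: read naively, 22:05 to 06:20 looks like an eight-hour gap, but the detection time was UTC and the report went out 2 hours 45 minutes after detection.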

D11 - Application Controls (LOS / LMS / Collections / GL)

What to verify | Typical evidence
Input controls prevent unauthorised or erroneous data entry in loan origination and servicing | Validation rules, maker-checker configuration, rejection logs
Processing controls ensure accurate interest, EMI, NPA classification and provisioning computation | Recalculation testing, EMI/interest reconciliation, NPA logic review
Output and interface controls ensure integrity of GL, regulatory returns and reporting | GL reconciliation, interface logs, return-generation validation
Segregation of duties is enforced within the LOS/LMS through role configuration | Role-permission matrix, SoD conflict report, override log review
Audit trails capture create/modify/delete with user, timestamp and before/after values | Application audit-log samples, tamper-protection evidence

Scoping the engagement

Accurate scoping determines both audit effort and regulatory sufficiency. Scoping must be risk-based and traceable to the HFC's actual technology footprint rather than a generic checklist. The following dimensions define the assessment perimeter.

  • Business criticality: the core Loan Origination System (LOS), Loan Management System (LMS), collections, treasury, general ledger, regulatory-reporting and customer-facing channels are always in scope.
  • Channel exposure: internet-facing portals, mobile apps, DLAs, APIs and partner integrations that expand the attack surface.
  • Data sensitivity: systems processing Aadhaar, PAN, bank details, credit-bureau data, property documents and other PII/financial data.
  • Hosting model: on-premises data centres, co-location, private/public cloud and SaaS, with the cloud shared-responsibility split clearly delineated.
  • Outsourcing perimeter: material IT outsourcing, LSPs, managed-service providers and fourth-party dependencies within right-to-audit reach.
  • Regulatory triggers: SBR layer (ML/UL), digital-lending activity, Aadhaar AUA/KUA status and payment-data processing that pull in additional directions.
  • Exclusions and rationale: any system deliberately excluded must be documented with justification and residual-risk acknowledgement.

Scoping tip
Anchor scope to a validated asset and data-flow inventory. The most common reason an RBI supervisory team challenges an IS Audit is an incomplete scope that omitted a shadow-IT system, an unlisted DLA, or a fourth-party sub-processor holding borrower data. Reconcile the audit universe against the CMDB, the vendor register and the DLA/LSP directory before fieldwork begins.

Implementation approach (phased)

For an HFC preparing for or remediating against the RBI IS & Cyber Audit, a phased programme reduces disruption and produces defensible, board-reportable milestones. Each phase below lists indicative activities and deliverables.

Phase 1 - Discovery and gap assessment (Weeks 1-4)

  • Activities: build the asset, data-flow and vendor inventory; map obligations across IT GRC Directions, digital-lending, DPDP, UIDAI and CERT-In; run a control-by-control gap assessment against the master checklist.
  • Deliverables: current-state assessment report, regulatory-obligation register, prioritised gap list with risk ratings.

Phase 2 - Governance and policy foundation (Weeks 3-8)

  • Activities: constitute/refresh the IT Strategy Committee; formalise the CISO charter and reporting line; author or update the IT, cyber-security, outsourcing, BCP and data-protection policy suite; obtain Board approval.
  • Deliverables: approved policy framework, ITSC terms of reference, RACI matrix, governance calendar.

Phase 3 - Technical control remediation (Weeks 6-16)

  • Activities: deploy/tune PAM, MFA, EDR, SIEM/SOC, DLP and encryption; harden configurations; segment networks; remediate VAPT findings; implement secure SDLC and API security.
  • Deliverables: remediation tracker with closure evidence, VAPT re-test report, hardened-baseline attestation.

Phase 4 - Resilience and third-party assurance (Weeks 10-18)

  • Activities: complete BIA, refresh BCP/DR, conduct DR drill; execute outsourcing due-diligence, contract remediation and right-to-audit; validate cloud data-residency and exit plans.
  • Deliverables: BIA/BCP pack, DR drill report, vendor-assurance dossier, cloud-compliance evidence.

Phase 5 - Independent IS & Cyber Audit (Weeks 16-22)

  • Activities: engage the independent CERT-In empanelled / CISA-qualified auditor; conduct fieldwork across all domains; risk-rate observations; agree the management action plan.
  • Deliverables: IS & Cyber Audit report, observations register, Board/ACB presentation, corrective action plan.

Phase 6 - Closure, reporting and continuous assurance (Ongoing)

  • Activities: remediate observations; re-test; embed KRIs and continuous monitoring; establish periodic re-audit and CERT-In/RBI reporting readiness.
  • Deliverables: closure-evidence pack, continuous-assurance dashboard, annual re-audit plan.

Maturity and capability model

To communicate progress to the Board and to prioritise remediation, CyberSigma rates each control domain against a five-level capability model. The audit report assigns a maturity level per domain, enabling a heat-map view of the HFC's overall cyber and IT-governance posture.

Level | Descriptor | Characteristics
Level 1 | Initial / Ad hoc | Controls undocumented, reactive, person-dependent; no consistent evidence trail
Level 2 | Developing / Repeatable | Basic policies exist but coverage is partial; controls applied inconsistently
Level 3 | Defined / Established | Policies approved, controls documented and consistently operated across scope
Level 4 | Managed / Measured | Controls monitored with metrics/KRIs; exceptions governed; regular testing and review
Level 5 | Optimised / Leading | Continuous improvement, automation, threat-informed defence and predictive assurance

For RBI supervisory sufficiency, an HFC should target a minimum of Level 3 (Defined) across all mandatory domains, with Level 4 (Managed) on information security, incident management and business continuity given their systemic and customer-impact significance.

Assessment and audit approach

The independent IS & Cyber Audit follows a disciplined, repeatable methodology so that the resulting opinion is defensible before the RBI. The typical sequence is as follows.

  1. Engagement planning: agree scope, timelines, access and rules of engagement; confirm auditor independence and CERT-In empanelment where required.
  2. Risk-based scoping: finalise the audit universe from the asset, data-flow, vendor and DLA/LSP inventories; rank systems by criticality.
  3. Control design evaluation: review policies, standards, architecture and configuration against each domain of the master checklist.
  4. Operating-effectiveness testing: sample transactions, logs and tickets; perform walkthroughs, re-performance and inspection to test controls in operation.
  5. Technical testing: conduct VAPT, configuration reviews, access-recertification testing and application-control testing on in-scope systems.
  6. Third-party and cloud review: assess outsourcing contracts, right-to-audit exercise, cloud shared-responsibility and data-residency.
  7. Findings analysis and risk rating: classify each observation by severity (Critical/High/Medium/Low) with impact and likelihood rationale.
  8. Reporting and validation: table the draft report, agree management responses and target dates, and issue the final IS & Cyber Audit report.
  9. Governance tabling: present to the IT Strategy Committee and Audit Committee of the Board; obtain acceptance of the action plan.
  10. Follow-up and closure: re-test remediated observations, validate closure evidence and confirm residual-risk acceptance where remediation is deferred.

Evidence request list

The following categorised evidence list is what an auditor will request at kick-off and what an implementer should assemble in advance to compress fieldwork. Gathering these artefacts before the audit begins is the single biggest lever on engagement efficiency.

  • Governance: Board and ITSC minutes, IT/cyber strategy, approved policy suite, CISO appointment and charter, organisation chart and RACI.
  • Risk: risk-assessment methodology, current risk register, KRI dashboards, risk-acceptance records.
  • Infrastructure & operations: asset inventory/CMDB, network diagrams, change/patch/configuration records, capacity reports.
  • Information security: access matrices and recertification, PAM/MFA configuration, encryption and key-management records, SIEM/SOC reports, EDR coverage, VAPT reports.
  • Business continuity: BIA, BCP, DR architecture, DR drill reports, backup and restore-test logs.
  • Outsourcing & cloud: outsourcing policy, due-diligence reports, executed contracts with right-to-audit, cloud shared-responsibility and data-residency evidence, exit plans.
  • Digital lending: DLA/LSP register and agreements, KFS samples, disbursal/collection reconciliations, grievance MIS.
  • Data protection: data inventory, consent records, retention/disposal schedules, UIDAI AUA/KUA audit, DLP incident reports.
  • Incident management: incident register, CERT-In and RBI reporting acknowledgements, IR plan, log-retention and NTP evidence.
  • Prior assurance: previous IS Audit reports, open-observation tracker, closure evidence and re-test results.

Roles and responsibilities

Role | Primary responsibilities in the audit
Board / Audit Committee | Approve IS Audit charter and plan; receive audit report; own residual-risk acceptance and remediation oversight
IT Strategy Committee | Oversee IT/cyber strategy and posture; review audit findings; ensure resourcing for remediation
Chief Information Security Officer | Own information-security controls; coordinate evidence; drive remediation; report posture to Board/ITSC
Chief Technology / IT Officer | Own IT operations, infrastructure and application controls; provide technical evidence and access
Chief Risk Officer | Ensure risk framework integration; validate KRIs and risk-acceptance governance
Head of Compliance | Confirm regulatory alignment across RBI, CERT-In, UIDAI, DPDP; track reporting obligations
Internal Audit | Coordinate the engagement; maintain the observation tracker; validate closure evidence
Independent IS & Cyber Auditor | Plan and execute the audit; perform testing and VAPT; issue risk-rated opinion and report
Business / Process Owners | Provide walkthroughs, transaction samples and process documentation for in-scope systems
Outsourced / Cloud Providers | Furnish assurance reports, configuration evidence and support right-to-audit exercises

KPIs to track

  • Percentage of control domains at or above target maturity (minimum Level 3).
  • Number of open Critical/High audit observations and mean time to remediation.
  • VAPT critical/high vulnerability count and closure rate against SLA.
  • Patch compliance percentage within defined SLA windows.
  • Privileged-access recertification completion rate and orphaned-account count.
  • Mean time to detect (MTTD) and mean time to respond (MTTR) to security incidents.
  • CERT-In / RBI incident-reporting timeliness (percentage reported within mandated windows).
  • DR drill success rate against RTO/RPO targets.
  • Third-party assurance coverage (percentage of material vendors with current assessments and right-to-audit).
  • Digital-lending compliance metrics: KFS issuance rate, grievance TAT, direct-disbursal reconciliation exceptions.
  • Phishing-simulation failure rate and security-awareness training completion.

Readiness checklist

  • IT Strategy Committee constituted with independent-director chair and meeting at prescribed frequency.
  • CISO appointed with an independent reporting line and a Board-approved charter.
  • Board-approved IT, cyber-security, outsourcing, BCP and data-protection policy suite is current and version-controlled.
  • Complete, reconciled asset, data-flow, vendor and DLA/LSP inventories are maintained.
  • IT and information-security risk register with owners, treatment plans and KRIs is live.
  • PAM, MFA, EDR, SIEM/SOC, DLP and encryption controls are deployed and monitored.
  • Latest VAPT completed with critical/high findings remediated and re-tested.
  • BIA, BCP and DR are current and a DR drill has been conducted with results within RTO/RPO.
  • Outsourcing contracts include right-to-audit, data-residency and exit clauses; cloud residency validated.
  • Digital-lending controls (KFS, cooling-off, direct disbursal, data minimisation, grievance) are operational.
  • DPDP, UIDAI AUA/KUA and payment-data storage obligations are mapped and evidenced.
  • CERT-In 6-hour and RBI incident-reporting processes are documented and tested, with clocks synchronised to IST via NTP and 180-day log retention configured.
  • Prior IS Audit observations are closed with validated evidence.
  • Independent CERT-In empanelled / CISA-qualified auditor is engaged with agreed scope.

Common gaps

  • Incomplete audit scope that omits shadow-IT systems, unlisted DLAs or fourth-party sub-processors holding borrower data.
  • CISO reporting into IT operations rather than independently, undermining segregation and challenge.
  • Outsourcing contracts lacking enforceable right-to-audit, data-residency or exit clauses for material services.
  • DR sites present but never failover-tested, so RTO/RPO targets are unproven.
  • Log retention shorter than the mandated 180 days, or clocks not synchronised to Indian Standard Time, weakening incident forensics.
  • CERT-In 6-hour reporting process undocumented or untested, risking non-compliance during a live incident.
  • Digital-lending flows using pass-through or pool accounts instead of direct borrower-to-HFC disbursal and repayment.
  • Key Fact Statement omitting the all-inclusive APR, or DLAs requesting excessive permissions (contacts, media, location).
  • Privileged access unmanaged by a PAM tool, with shared admin credentials and no session recording.
  • Risk-acceptance decisions taken informally without defined authority, expiry or Board visibility.
  • VAPT performed but findings not tracked to closure, or re-testing skipped after remediation.
  • Aadhaar data handled without a compliant data-vault/tokenisation and current UIDAI AUA/KUA audit.

RBI HFC IS & Cyber Audit mapped to other frameworks

HFCs frequently maintain overlapping certifications and obligations. Mapping the RBI audit domains to widely adopted frameworks lets the HFC reuse control evidence and avoid duplicate effort across assurance cycles.

RBI HFC domain | ISO/IEC 27001:2022 | NIST CSF 2.0 | PCI DSS / DPDP relevance
IT Governance | Clauses 5-6 (Leadership, Planning); A.5 policies | GOVERN (GV) | DPDP accountability of the Data Fiduciary
IT Infrastructure & Service Management | A.8 asset and operations controls | PROTECT (PR), IDENTIFY (ID) | PCI DSS Req 2, 6 (configuration, secure systems)
Information Security & Cyber Resilience | A.5-A.8 across access, cryptography, network | PROTECT (PR), DETECT (DE) | PCI DSS Req 1, 3, 4, 7, 8, 10; DPDP security safeguards
Risk Management | Clause 6.1; A.5.7 threat intelligence | IDENTIFY (ID), GOVERN (GV) | DPDP risk-based safeguards
Business Continuity & DR | A.5.29-A.5.30 continuity | RECOVER (RC), RESPOND (RS) | PCI DSS Req 12 (BCP elements)
IS Audit & Assurance | Clauses 9-10 (evaluation, improvement) | GOVERN (GV) | PCI DSS Req 12 assessment; DPDP audits
Outsourcing, Cloud & Third-Party | A.5.19-A.5.23 supplier relationships | IDENTIFY (ID), GOVERN (GV) | PCI DSS Req 12.8; DPDP processor obligations
Digital Lending Controls | A.5.34 privacy & PII | GOVERN (GV), PROTECT (PR) | DPDP consent & data minimisation
Data Protection & Privacy | A.5.34; ISO/IEC 27701 PIMS | PROTECT (PR) | DPDP Act 2023; PCI DSS Req 3 (data storage)
Incident Management & Reporting | A.5.24-A.5.28 incident management | RESPOND (RS), DETECT (DE) | PCI DSS Req 10, 12.10; CERT-In reporting
Application Controls | A.8.25-A.8.31 secure development | PROTECT (PR) | PCI DSS Req 6 secure software

How CyberSigma helps

CyberSigma is a CERT-In empanelled information-security auditing organisation and PCI QSA firm that delivers end-to-end RBI HFC IS & Cyber Audit engagements for Housing Finance Companies. We combine a regulatory gap assessment against the IT GRC Directions, Digital Lending Directions, DPDP Act, UIDAI/AUA-KUA and CERT-In obligations with hands-on remediation support, VAPT, cloud and outsourcing assurance, BCP/DR validation and independent IS & Cyber Audit reporting fit for RBI supervisory scrutiny. Our auditors produce a board-ready maturity heat-map, a risk-rated observations register and a pragmatic remediation roadmap, then re-test to closure. Engage CyberSigma to move your HFC to a defensible, audit-ready cyber posture and stay ahead of the Reserve Bank's evolving expectations.

Frequently asked questions

Who signs the HFC IS audit?
An independent, appropriately qualified IS auditor (typically CISA-certified) signs and takes responsibility for the IS-audit opinion; the engagement letter should name that individual.

Need help with RBI HFC Audit?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about the audit to passing it, with a scoped, guided programme.