Newsletter · Edition #11 · RBI · 4 min read
The RBI cyber audit findings that repeat every year
Regulated entities keep getting written up for the same handful of gaps. Here are the usual suspects.
Across cyber audits of RBI-regulated entities, a small set of findings recurs so often that it is almost predictable. Closing these before the audit is the cheapest risk reduction available.
The repeat offenders
Unpatched internet-facing systems. Privileged access granted without documented approval and never periodically reviewed. Logs that are collected but never reviewed or alerted on. Vendors onboarded without security due diligence. Incident response plans that have never been exercised. None of these are exotic; all of them are found year after year.
Why they persist
They persist because they are operational, not one-off. Patching, access reviews and log monitoring are habits, not projects. Entities that give each one a named owner and a fixed cadence clear these findings; those that treat security as an annual pre-audit scramble get the same findings again.
The bottom line
Check yourself against last year's findings before the auditor does. If any of the above sounds familiar, close it now; the auditor will look there first.
Get the next edition in your inbox
Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.
