We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

Quarterly Report · Q3 2026

BFSI Cyber-Resilience Benchmark — Q3 2026

Where India's banks, NBFCs and payment firms stand on RBI, SEBI and PCI obligations — and the resilience gaps that matter most this quarter.

Summary

Indian BFSI carries the country's most demanding overlapping regulatory load — RBI cyber and AI governance, SEBI CSCRF for market intermediaries, and PCI DSS v4.0.1 for card systems. This quarter's theme: the shift from point-in-time audits to continuous, examination-grade evidence.

~25
RBI MRM documentation artefacts per AI model
51
PCI v4.0.1 requirements now mandatory
6 hrs
CERT-In incident-reporting window

The quarter's biggest gaps

  • AI-model governance is the least-mature area — most banks and NBFCs lack model inventories and independent validation ahead of RBI's MRM regime.
  • Evidence quality, not policy existence, is what RBI examinations turn on — and it is where many entities are thinnest.
  • PCI v4.0.1's continuous-evidence expectation is under-served by annual-audit operating models.
  • Third-party/vendor risk remains a common blind spot across the sector.

By entity type

  • Banks: strongest audit muscle, weakest AI-model governance.
  • NBFCs: layer-dependent obligations; digital-lending and IT-outsourcing directions are frequent gaps.
  • Payment firms: the heaviest stack — PCI v4.0.1 + RBI PA/PSS + DPDP simultaneously.
  • Capital-markets intermediaries: SEBI CSCRF deadline-driven; VAPT-submission readiness is the common gap.

What to prioritise this quarter

  • Stand up an AI-model inventory and validation programme now.
  • Move to continuous evidence for PCI and RBI controls.
  • Map overlapping controls once (RBI/PCI/ISO/SOC 2) to cut duplicate effort.
  • Use CERT-In empanelled, senior assessors for examination-accepted evidence.

Benchmark your BFSI programme

A senior auditor maps your RBI/SEBI/PCI gaps in one prioritised plan.

Banking security & complianceBook a Consultation