RBI stiffens IT rules for finance sector players


The Reserve Bank of India (RBI) is introducing specific guidelines for information technology practices in banks and non-banking financial companies (NBFCs).

The Reserve Bank of India (Information Technology Governance, Risk, Controls, and Assurance Practices) Directions, 2023, take effect from 1 April 2024.

Key focus areas include strategic alignment, risk management, resource management, performance evaluation, and ensuring business continuity and disaster recovery management.

The norms call for regulated entities to maintain a robust IT service management framework that supports financial firms’ information systems and infrastructure. The framework aims to ensure operational resilience across their entire IT environment, encompassing disaster recovery sites.

The guidelines say a documented data migration policy is needed to provide a systematic approach that guarantees data integrity, completeness and consistency. It specifies the need for sign-offs from business users and application owners at each migration stage, which are attached to comprehensive audit trails.

Regulated entities must adhere to internationally accepted, non-deprecated and secure standards for cryptographic controls. To prevent unauthorised data modifications during the transfer between processes or applications, regulated entities must ensure the absence of manual intervention or modifications, particularly for critical applications.

In response to cyber incidents, the RBI has mandated that regulated entities conduct thorough analyses, including forensic examinations where necessary, to assess severity, impact and root causes. Entities are obligated to implement corrective and preventive measures to mitigate the adverse effects of incidents on business operations.
