RBI Issues New IT Framework For Regulated Entities

The Reserve Bank of India (RBI) released regulations pertaining to Information Technology (IT) for regulated entities (REs), including banks and finance companies on Tuesday. Strategic alignment, risk and resource management performance, and business continuity/disaster recovery management are few of the key areas that REs must cover in a comprehensive IT governance framework. These will be implemented on 1 April 2024 and apply to all regulated entities (REs).

According to RBI’s final master circular, this framework should outline the governance structure and procedures required to meet the business and strategic objectives of the RE. In October 2022, it released a draft Master Direction on the topic and invited public feedback.

The Board of Directors, Senior Management, and Committees at the board level will all have their roles and responsibilities (including authority) explained in the framework. The topic of adequate oversight procedures to guarantee accountability and reduce the risks associated with IT and cyber/information security will also be covered.

Periodic evaluations of risks related to IT (both inherent and potential) will be incorporated into the enterprise-wide risk management policy or operational risk management policy.

The IT, information assets, business continuity, information security, and cyber security policies and strategies (including incident response and recovery management/cyber crisis management) would be approved by the board of RE. Such plans and procedures ought to be reviewed at least once a year.