RBI Cyber Security Framework — A Compliance Checklist for Banks

Published May 3, 2026 · 14 min read

The Reserve Bank of India's 2 June 2016 master direction Cyber Security Framework in Banks is the cornerstone of cyber regulation for the Indian banking sector. Subsequent updates — including separate guidance for urban cooperative banks, for non-banking financial companies, for payment system operators, and the cyber resilience framework for the financial sector at large — have layered on additional obligations without replacing the original. The CERT-In April 2022 directive on six-hour incident reporting and the NCIIPC reporting requirement under the IT Act for designated Critical Information Infrastructure sit alongside the master direction. This article walks through what each part of that stack actually requires for a regulated bank in India, and the engineering and governance work needed to satisfy the full set.

The 2016 master direction in context

The 2016 master direction obliges every scheduled commercial bank, regional rural bank, and small finance bank to put in place a board-approved cyber security policy distinct from the broader IT policy. It introduced the requirement for a Security Operations Centre, mandated baseline controls on customer data protection, prescribed VAPT cadence, and laid down incident reporting timelines to RBI. The text and supporting circulars are published by RBI at rbi.org.in; always reference the latest amended version when designing controls because RBI updates the specific control list periodically without re-issuing the master direction.

Board-approved cyber security policy

The first artefact RBI inspectors ask for is the board-approved cyber security policy. The framework requires this to be a standalone policy, not a subsection of the IT policy, with annual review by the board. The policy must address risk identification, protection, detection, response, recovery, and continuous improvement — the NIST CSF functions, although the master direction predates the NIST CSF naming convention.

  • Asset inventory keyed to criticality.
  • Network architecture documentation including the cyber crisis management plan.
  • Cyber security baseline controls aligned with the prescriptive Annex to the master direction.
  • Vendor and third-party risk management with cyber clauses in every material contract.
  • Incident response and recovery procedures with explicit RBI reporting obligations.
  • Customer data protection — both at rest and in transit, and during access by employees and contractors.

SOC requirements

The master direction requires every regulated bank to operate a Security Operations Centre on a 24x7 basis. The SOC must perform centralised log collection, correlation, and incident triage across all critical systems — the core banking system, payment gateways, internet banking, mobile banking, treasury systems, and the network perimeter. Subsequent RBI guidance has clarified that the SOC may be operated in-house, hybrid, or fully outsourced, but the regulated entity retains accountability for outcomes.

Where the SOC is outsourced or co-managed, the contract must specify data residency in India (with documented exceptions for specific telemetry classes), incident-handling SLAs, audit rights for both the bank and RBI, and a clear chain of command during a live incident. The regulator's consistent finding in inspections is that outsourced SOCs underperform on detection-engineering cadence; banks should retain in-house ownership of detection content even when monitoring is delegated.

Coverage standards inspectors look for include:

  • Mean time to detect for high-severity events under defined thresholds.
  • SIEM ingestion completeness on critical systems with documented gaps and a remediation backlog.
  • Detection content library mapped to MITRE ATT&CK and reviewed quarterly.
  • Documented SOC playbooks for the top ten incident scenarios relevant to banks — ransomware, payment fraud, data exfiltration, ATM jackpotting, SWIFT compromise, and so on.

VAPT cadence

The master direction requires VAPT — Vulnerability Assessment and Penetration Testing — for all internet-facing systems and any system that processes payment instructions. RBI does not specify a single cadence in the original 2016 text but references CERT-In's broader guidance. In practice, inspections expect:

  • Annual VAPT for all in-scope systems performed by a CERT-In empanelled assessor.
  • Quarterly internal vulnerability scans on the production estate with rescan after remediation.
  • VAPT triggered on every significant change — new application launch, major architecture change, new third-party integration in the payment path.
  • Critical findings remediated within 30 days, High within 60 days, with formal exception process for any extension and documented compensating controls.
  • VAPT report retention for at least five years, available for RBI inspection on demand.

Banks designated as Critical Information Infrastructure additionally face VAPT obligations through NCIIPC under the IT Act — usually a more intensive, intelligence-led testing cadence coordinated with NCIIPC's sectoral threat picture. A coordinated annual programme that schedules the bank's commercial VAPT, the RBI-aligned testing, and the NCIIPC-aligned testing in a single calendar avoids overlap and inspection criticism. AxVeil's VAPT service can be scoped to satisfy the full stack.

CERT-In six-hour incident reporting (April 2022 directive)

The CERT-In directive of 28 April 2022 (CERT-In/2022) requires every body corporate and government entity to report defined cybersecurity incidents within six hours of noticing or being notified of the incident. The directive applies to a long list of incident classes including unauthorised access to information systems, identity theft, phishing attacks, denial of service, data breaches, and attacks targeting critical infrastructure. For banks, every incident class in the directive is relevant.

  • Six-hour reporting clock starts from the moment of notice, not from the moment of confirmed root cause.
  • Reports submitted to CERT-In via the prescribed channels — email, web form, or fax as listed in the directive.
  • Logs to be maintained for 180 days within Indian jurisdiction, available for CERT-In analysis.
  • Designated point of contact registered with CERT-In and kept current.
  • Time synchronisation with NPL or NIC NTP servers.

The six-hour clock is the single tightest reporting obligation in Indian cyber regulation. Build the IR runbook so that the on-call SOC analyst can file the initial CERT-In report inside the window without escalation friction — pre-approved templates, named delegates with filing authority, and a documented escalation path for cases where details are still emerging.

NCIIPC reporting for designated CII

The National Critical Information Infrastructure Protection Centre (NCIIPC) is the designated agency under section 70A of the IT Act for protection of Critical Information Infrastructure. Many large bank systems — particularly core banking, RTGS/NEFT interfaces, and SWIFT gateways — are designated CII or sit within designated CII organisations. Where designation applies, additional incident reporting flows to NCIIPC alongside the CERT-In channel, with sectoral coordination through RBI.

Practical implication: an incident affecting a CII-designated system triggers three parallel reporting threads — RBI under the master direction, CERT-In under the April 2022 directive, and NCIIPC under the IT Act. The IR commander should have a single matrix listing each destination, the timeline, and the named contact. Reconstructing this under live-incident pressure is how reports get late or misdirected.

Board-level cyber security committee

The master direction requires a board-level committee with explicit cybersecurity oversight. In most banks this is delegated to the IT Strategy Committee or a dedicated Information Security Sub-Committee, with a written charter approved by the full board. The committee must:

  • Meet at least quarterly with cybersecurity as a standing agenda item.
  • Receive a quarterly cyber-risk dashboard covering incidents, top findings, threat-intel highlights, and remediation status.
  • Review and approve the annual cybersecurity policy refresh and the cybersecurity budget.
  • Sign off on the cyber crisis management plan and on the bank's designation of critical systems.
  • Document its decisions in minutes that are made available to RBI on inspection.

Like CSCRF in the SEBI world, the minute book of the cyber committee is the most frequently requested artefact in an RBI inspection. A pattern of substantive discussion and recorded decisions earns inspection credit; a pattern of items merely "noted" signals weak oversight.

Customer data protection

The master direction obliges banks to encrypt customer data in transit and at rest, restrict employee access on a need-to-know basis, and audit privileged access. Two specific obligations often missed in inspection:

  • Data localisation for payment data, per RBI's 6 April 2018 circular on storage of payment system data — payment data must be stored only in India, with a documented exception process for cross-border transactions.
  • Vendor and third-party access reviewed and recertified at least annually, with cyber clauses in every contract granting RBI inspection rights to the third party.

Independently, the Digital Personal Data Protection Act 2023 imposes its own obligations on data fiduciaries; banks fall under both regimes simultaneously and should implement the higher standard wherever the two diverge. See our DPDP Act checklist for the detailed control set on the data-protection side.

IS audit and gap assessment

Annual Information Systems Audit (IS Audit) is mandatory under RBI guidance, conducted by a CERT-In empanelled audit firm. The IS Audit covers: control design, operating effectiveness, gap remediation from the previous cycle, and conformity with the prescriptive Annex to the master direction. The auditor's report is reviewed by the bank's audit committee and the cyber security committee, with action plans tracked to closure.

On top of IS Audit, every bank performs an annual gap assessment against the master direction's Annex (the "Baseline Cyber Security and Resilience Requirements"). The gap assessment is a self-attested document but RBI inspectors often validate it during their on-site visit by sampling control evidence. Treat it as audit-grade work, not a desk-check.

Beyond the 2016 master direction

  • Urban cooperative banks — separate cyber security framework circular issued in December 2019 with a graded approach by deposit size.
  • NBFCs — Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023) extends comparable obligations to NBFCs, payment system operators, and credit information companies, with categorisation by entity size.
  • Payment system operators — additional guidance on tokenisation, card-not-present transactions, and payment fraud monitoring.
  • Cyber resilience framework — subsequent RBI guidance has emphasised resilience over pure prevention, with explicit RTO/RPO obligations on critical services.

Common gaps RBI inspections find

  • SIEM ingestion gaps on legacy systems — ATM switch logs, branch infrastructure, treasury middleware.
  • VAPT scope omits mobile banking apps or the underlying API.
  • CERT-In six-hour reporting playbook missing a named delegate empowered to file outside business hours.
  • Vendor SOC contract lacking RBI audit rights flow-down.
  • Cyber crisis management plan never exercised — tabletop or live drill required at least annually.
  • Customer data encryption keys handled by the same operations team that runs the application — no segregation of duties.

A 90-day improvement plan

  1. Days 0-30 — refresh asset inventory, validate SIEM coverage on critical systems, confirm CERT-In point of contact and the six-hour playbook.
  2. Days 30-60 — close documentation gaps (policy, charter, runbook), schedule the annual VAPT and IS Audit, run a tabletop exercise on the cyber crisis management plan.
  3. Days 60-90 — execute the VAPT, remediate criticals, present the cyber risk dashboard at the next board committee meeting, file the annual board-attested confirmation.

For an RBI-aligned VAPT engagement — whether direct on AxVeil paper for advisory and readiness work, or routed through a CERT-In empanelled partner for the formal regulator submission — see the AxVeil VAPT service and the section below on where AxVeil fits.

Where AxVeil Fits

Plain language, because regulated buyers have heard the dance too often. AxVeil AI LLP is not currently CERT-In empanelled. The CERT-In Information Security Auditing Organisation empanelment list is the legal floor for the auditor signature on an RBI cyber security framework submission, the SAR (System Audit Report), the cyber resilience baseline audit for UCBs, the NBFC IT framework audit and the digital lending guidelines audit. AxVeil is a 2026-registered LLP. Empanelment requires three years of audited financials, ISO 27001 firm-level certification, a 5+ qualified-auditor headcount and a turnover floor — we are on track to file in the 2027 cycle and expect empanelment in 2028. Until then we are honest about the list.

That does not mean RBI-regulated buyers cannot work with AxVeil today. The value AxVeil actually delivers, framed against the master direction:

  • Pre-audit readiness sweep. Find what the empanelled audit will find — before the empanelled auditor walks in. Same OWASP / CREST / NIST SP 800-115 methodology, same MITRE ATT&CK mapping, same CVSS rigor, same retest discipline. Critical and high findings get fixed during AxVeil's window, so the empanelled audit submission goes in clean.
  • Operator-led VAPT outside the regulator-facing submission. Internal continuous offensive security on the production estate, change-trigger VAPT on new applications and integrations, ad-hoc red team exercises against named threat actors — none of this requires an empanelled signature because none of it is the formal RBI submission. AxVeil contracts directly.
  • Advisory on findings. Translation between the master direction Annex (Baseline Cyber Security and Resilience Requirements), the NIST CSF function taxonomy your engineering team thinks in, and the remediation backlog your auditor will sample. The bridge between regulator language and engineering tickets is most of the value in a good security programme; an empanelled stamp is not required to deliver it.
  • Partner referral to a vetted CERT-In empanelled firm we work with for the formal piece. When the SAR is due, when the IS Audit is on the calendar, when an RBI inspection finding requires an empanelled-firm-attested remediation review, we refer the regulator-facing engagement to one of our CERT-In empanelled partner primes — see /partners for the partner roster and the subcontract-economics breakdown — or, where the prime accepts, we deliver under sub-contract on the prime's letterhead. Either way the buyer gets a compliant signed audit and AxVeil's operator depth, with no pretence about the empanelment list.

Honesty is the differentiator. RBI inspectors and bank CISOs have heard every flavour of empanelment fudge — "our partner is empanelled", "we have an empanelled associate", "we apply CERT-In methodology" — and the credibility tax is real. Saying out loud that AxVeil is not on the list, then explaining the two paths available today, is the trust play. Most of the work that improves a bank's actual cyber posture happens outside the regulator submission window; AxVeil is built for that work, and the partner network handles the submission window.

FAQ

Which RBI cyber security framework applies to my institution?

The 2 June 2016 master direction 'Cyber Security Framework in Banks' applies to scheduled commercial banks, regional rural banks, and small finance banks. RBI issued separate, layered guidance for urban cooperative banks, NBFCs, and payment system operators, plus a financial-sector cyber resilience framework. The CERT-In six-hour reporting directive and, for designated Critical Information Infrastructure, NCIIPC reporting under the IT Act apply on top. Identify which entity class you fall into, then design controls to the union of obligations.

What is the RBI VAPT cadence?

The master direction requires VAPT for all internet-facing systems and any system processing payment instructions. In practice inspections expect annual VAPT by a CERT-In empanelled assessor, quarterly internal vulnerability scans with rescan after remediation, and change-triggered VAPT on new applications or new third-party integrations in the payment path. Critical findings should close within 30 days and High within 60, with a documented exception process.

What is the CERT-In six-hour incident reporting rule?

The CERT-In directive of 28 April 2022 requires every body corporate to report defined cybersecurity incidents within six hours of noticing or being notified of them. The clock starts at the moment of notice, not at confirmed root cause. Maintain logs for 180 days within Indian jurisdiction, register a current point of contact, and synchronise time to NPL or NIC NTP servers. Build the IR runbook so an on-call analyst can file the initial report inside the window without escalation friction.

Is a 24x7 Security Operations Centre mandatory?

Yes. The master direction requires a 24x7 SOC performing centralised log collection, correlation, and incident triage across critical systems. It may be in-house, hybrid, or outsourced, but the regulated entity retains accountability. Where monitoring is outsourced, RBI expects in-house ownership of detection content, India data residency with documented exceptions, audit rights for the bank and RBI, and a clear chain of command during a live incident.

How does NCIIPC reporting differ from CERT-In reporting?

CERT-In reporting under the April 2022 directive applies to all body corporates with the six-hour clock. NCIIPC, designated under section 70A of the IT Act, governs Critical Information Infrastructure such as core banking, RTGS/NEFT interfaces, and SWIFT gateways. Where CII designation applies, incident reporting flows to NCIIPC alongside CERT-In, often with a more intensive, intelligence-led testing cadence coordinated with NCIIPC's sectoral threat picture.

Plan your RBI readiness with AxVeil.

Pre-audit readiness sweep, operator-led VAPT outside the regulator submission, advisory on findings, and a clean referral to a CERT-In empanelled partner prime when the formal audit is due.