In a significant move towards streamlining IT and cyber governance, the Reserve Bank of India (RBI) is introducing a comprehensive master direction for regulated entities (REs). Scheduled to be implemented on April 1, 2024, this master direction aims to replace multiple circulars and enhance the efficiency of IT and cyber governance and compliance practices across the financial sector.
Former BSE Chairman, Sethurathnam Ravi, sheds light on the transformative impact of this master direction, particularly in simplifying the administration of IT governance and compliance. The directive applies to a broad spectrum of regulated entities, including scheduled commercial banks, small finance banks, payments banks, NBFCs in various layers, all India financial institutions, and credit information companies.
For foreign banks, the master direction adopts a ‘comply or explain’ approach, providing flexibility in the applicability of the directions. These banks are not required to form specific committees at the branch level but can leverage higher-level committees for compliance as long as governance obligations are met.
The master direction lays out the responsibilities of boards of directors, board-level committees, and senior management in safeguarding consumer interests. S Ravi, the former BSE Chairman, emphasizes that it consolidates and updates previously scattered guidelines, instructions, and circulars related to IT governance, risk, controls, assurance practices, and business continuity/disaster recovery management.
Key Highlights of the Master Direction:
- Role of Boards and Committees: Clearly defines the role and powers of boards of directors, board-level committees, and senior management in ensuring consumer protection.
- CEO Oversight: Places responsibility on the CEO to oversee the planning and execution of IT strategy, the cybersecurity posture, and the overall effectiveness of IT for business operations.
- Chief Information Security Officer (CISO): Requires a CISO responsible for driving IT/cybersecurity, compliance, and the management of the entity’s security policies.
- Vendor Risk Assessment: Requires REs to have an acceptable vendor risk assessment process in place, with controls proportional to the evaluated risk.
- Enterprise Data Dictionary: Mandates the maintenance of an enterprise data dictionary to facilitate data exchange across applications and information systems.
- IT Systems Review: Mandates the implementation and periodic review of IT systems and applications to ensure process efficiency, data security, data integrity, disaster recovery, and business continuity.
- Procedures and Processes: Mandates the adoption of defined procedures and processes, including IT strategic planning, service level management, and product approval, to ensure the secure delivery of products and services.
S Ravi concludes by noting that, in an era of digitization and growing threats, the master direction provides the structure and procedures needed to fortify banking systems and secure the interests of stakeholders, including customers.