The Reserve Bank of India (RBI) has introduced comprehensive master directions for information technology governance, risk management, and assurance practices in banks and Non-Banking Financial Companies (NBFCs). The Information Technology Governance, Risk, Controls and Assurance Practice Directions (“Directions”), effective from April 1, 2024, will enforce procedures around data migration, remote access to companies’ application systems, vulnerability testing on critical information systems, and conducting an impact assessment when outsourcing applications from third-party vendors. 

The Directions are aimed at bolstering operational resilience and data protection within certain financial entities but will not apply to local area banks and NBFC-core investment companies. Key aspects of these directions include strategic alignment, risk, resource, and performance management, along with business continuity and disaster recovery management. A significant focus of these guidelines is the establishment of a robust IT governance framework, which is expected to enhance support for IT systems and infrastructure, ensuring better operational efficiency and security. 

Banks and NBFCs are mandated to implement a service-level management (SLM) process, ensuring effective segregation of duties in IT operations. The RBI emphasizes the importance of identifying and categorising information assets based on confidentiality, integrity, and availability, especially considering their criticality. 

Another critical component is the avoidance of outdated and unsupported hardware or software. Financial institutions are required to monitor the end-of-support dates for software and maintenance contracts for IT hardware, developing technology refresh plans to replace obsolete systems timely. 

Regarding third-party IT and cybersecurity arrangements, the RBI directs banks and other regulated entities to establish comprehensive vendor risk assessment processes and controls. The requirements include maintaining a documented data migration policy with detailed procedures and provisions for audits and signoffs at every migration stage. 

Regular reviews of IT-related risks are mandated, with the risk management committee of the board updating these reviews annually. The RBI also highlights the importance of a robust security risk management system with internal controls and processes to mitigate risks. 

As a global B Corp Data Protection Officer (DPO), we assist organisations to maintain compliance to global data protection and privacy regulations. We have Subject Matter Experts who can support you with any queries you may have in relation to safeguarding your cybersecurity and data privacy.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at