
RBI Cyber Framework: What It Requires and Who It Applies To

Applies to: banks
Jurisdictions: IN

The RBI Cyber Security Framework for Banks is a 2016 regulatory directive issued by the Reserve Bank of India requiring all scheduled commercial banks in India to adopt a board-approved cybersecurity policy, operate a 24/7 Security Operations Centre, report cyber incidents to RBI within 2 to 6 hours of detection, and submit to annual penetration testing by CERT-In empanelled auditors.

What is RBI Cyber Framework?

The RBI Cyber Security Framework for Banks is a regulatory directive (DBS.CO/CSITE/BC.11/33.01.001/2015-16) issued by the Reserve Bank of India on June 2, 2016, requiring every scheduled commercial bank to establish a formal cybersecurity program proportionate to its risk profile, IT architecture, and digital service footprint.

The directive came after a period of rapid digital expansion in Indian banking. By 2015, mobile banking transaction volumes had exceeded ₹5,000 crore per month, and cyber incidents at Indian banks were rising year-on-year with no standardized response playbook in place. RBI's own supervisory reviews found that most banks lacked formal incident response procedures, dedicated security teams, or board-level oversight of cyber risk.

The framework draws on international standards including ISO/IEC 27001, the NIST Cybersecurity Framework, and the Basel Committee on Banking Supervision's principles on operational risk management (its separate principles on operational resilience came later, in 2021). RBI did not intend it as a checkbox exercise. The circular explicitly states that banks must conduct genuine risk assessments and calibrate controls to their actual threat environment, not adopt templated policies written to satisfy an examiner.

Since 2016, RBI has supplemented the framework through additional circulars covering ATM network security, application whitelisting, and CERT-In reporting norms under the Information Technology Act. The framework sits alongside the RBI Master Direction on Frauds 2024 and PMLA 2002 as the primary operational risk and financial crime compliance stack for Indian banks.

Reading this framework in isolation will cause compliance gaps. It's designed to work alongside data localisation requirements (RBI's April 2018 Payment System Data Storage directions), the IT Act, and CERT-In's mandatory incident reporting rules.

Who does RBI Cyber Framework apply to?

The framework applies to all scheduled commercial banks licensed and regulated by the Reserve Bank of India. There is no minimum asset size threshold for exemption. A small finance bank with ₹500 crore in assets faces the same core obligations as a large public sector lender.

Covered entities include:

  • Public sector banks: State Bank of India, Bank of Baroda, Canara Bank, Punjab National Bank, and the remaining government-owned lenders
  • Private sector banks: HDFC Bank, ICICI Bank, Axis Bank, Kotak Mahindra Bank, IndusInd Bank, and all other licensed private lenders
  • Foreign banks with India operations: Citi India, Standard Chartered India, HSBC India, DBS Bank India, and others operating through branches or wholly-owned subsidiaries
  • Small finance banks: All licensed small finance banks, with requirements scaled to IT complexity
  • Payments banks: Airtel Payments Bank and others maintaining settlement or customer data infrastructure
  • Regional rural banks: Subject to baseline requirements, with proportionality flexibility in implementation

Urban cooperative banks were initially outside the framework's scope but were brought under comparable cybersecurity requirements through separate RBI directives: a basic cyber security framework for UCBs in October 2018, followed by a comprehensive, graded framework in December 2019 that scales obligations to each UCB's digital footprint.

NBFCs are not directly covered. However, NBFCs operating payment aggregator or payment gateway services fall under separate RBI cybersecurity norms issued in March 2020. Fintech lenders with large customer data volumes face scrutiny under those rules.

Foreign banks' India branches are fully subject to the framework regardless of what their parent group applies globally. Indian regulators do not accept group-level compliance as a substitute for India-specific controls. A European bank that is fully compliant with DORA still needs to separately satisfy RBI's requirements for its Indian branch.

What does RBI Cyber Framework require?

The framework's obligations span nine control domains, with specific requirements added through subsequent circulars:

  1. Board-approved cybersecurity policy: A standalone cybersecurity policy, distinct from the general IT security policy, approved by the bank's board of directors and reviewed at least annually. The CISO must have a direct reporting line to the board or its Risk Management Committee, not subordinated to the CTO or COO.

  2. Chief Information Security Officer (CISO): Every bank must designate a full-time CISO with defined responsibilities, authority, and budget. The CISO cannot carry dual responsibility for IT operations, which would create a structural conflict of interest.

  3. Cyber Security Operations Centre (C-SOC): A 24/7 security operations centre for continuous log monitoring, anomaly detection, and real-time alerting. Banks below a complexity threshold may use a shared SOC but must document the arrangement and retain full accountability for response.

  4. Incident reporting: Cyber incidents must be reported to RBI's cybersecurity cell within 2 hours for events involving customer data compromise or financial loss, and within 6 hours for other significant incidents. A full post-incident analysis report is due within 21 days.

  5. Baseline security controls: Mandatory controls across patch management, privileged access management, network segregation, encryption of data at rest and in transit, and mobile application security. Supplementary circulars added application whitelisting and ATM network isolation requirements.

  6. Annual penetration testing: All internet-facing systems and critical internal applications must be tested by CERT-In empanelled auditors at minimum once per year. Vulnerability remediation must be tracked and completed within agreed timeframes.

  7. Cyber Crisis Management Plan (CCMP): A documented and tested response plan covering incident classification, escalation paths, communication protocols, and recovery time objectives. The CCMP must be exercised through simulations or tabletop drills at least annually.

  8. Third-party and vendor risk management: Technology vendors with access to bank systems must comply with the bank's cybersecurity standards. Contracts must include right-to-audit clauses and incident notification obligations. Banks increasingly implement continuous verification of third-party access (zero-trust style per-session authentication and authorization, with access tied to a current contract and a named owner) rather than relying only on periodic access reviews.

  9. Payment system data localisation: Under the April 2018 Storage of Payment System Data directions, the full end-to-end transaction details of payments processed in India must be stored only on systems located in India (for the foreign leg of a cross-border transaction, a copy of that leg may be kept abroad). This obligation comes from a separate direction rather than the 2016 circular, but examiners test it alongside the framework's data-protection controls.

What evidence do regulators expect?

RBI's IT examination teams arrive with a structured inspection framework. Examiners and technology supervisors look for the following on audit day:

  • Signed board minutes: Resolution approving the cybersecurity policy, with version history and the date of the most recent review. Policies last approved before 2021 draw immediate questions. Examiners check whether the board actually reviewed the substance of the policy or simply ratified a management submission.

  • CISO appointment documentation: Written appointment letter confirming the CISO's role, reporting line, and independence from IT operations. Examiners interview the CISO directly to assess whether the role carries real authority and budget control.

  • C-SOC operational records: Shift logs, alert queues, escalation tickets, and key metrics including mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR). A SOC that produces few alerts is more suspicious than one with a high alert volume.

  • Incident register and RBI notification records: A complete log of all cyber events, classified by severity, with timestamps from detection through RBI notification. Missing entries, particularly for events that appear in system logs but not the register, are treated as unreported incidents. Filed RBI notifications are cross-referenced against this register.

  • Penetration test reports and remediation tracking: Audit reports from CERT-In empanelled firms for the last two cycles, with documented evidence that identified vulnerabilities were remediated within committed timelines. Unresolved critical findings from the prior year's test are a serious finding on their own.

  • CCMP exercise records: Attendance sheets, scenario documentation, and after-action reports from the most recent drill. A plan that has never been tested is treated as non-functional for examination purposes.

  • Vendor contracts and access reviews: Technology agreements containing cybersecurity clauses, with evidence that vendor access is reviewed and recertified at defined intervals.

  • Training completion data: Staff training records by department and date, with certifications for security team members.

Common failure modes

Banks cited under the RBI Cyber Framework fail in predictable patterns:

  • Unreported incidents: The most common finding. Banks maintain an internal definition of "reportable cyber incident" that is narrower than RBI's. Events classified internally as "minor disruptions" appear in system logs as actual incidents. RBI enforcement orders against mid-sized private banks have cited failure to report 9 to 12 separate cyber events over two-year examination periods.

  • CISO without real authority: The CISO exists on paper but reports to the CTO, lacks an independent budget, and has no direct board access. RBI examiners test this by asking the CISO to describe their last board presentation. The answer determines whether the control functions.

  • SOC coverage gaps: Banks outsource SOC operations on contracts specifying business-hours support only. Incidents occurring between 11 PM and 7 AM go undetected for 8 to 10 hours. This is a direct violation of the 24/7 monitoring obligation.

  • Penetration testing without remediation discipline: Test reports are filed. Findings are acknowledged. Remediation is not tracked to closure. Examiners have found identical critical vulnerabilities in back-to-back annual penetration test reports at the same institution.

  • Unmanaged vendor access: Third-party vendors retain persistent privileged access to core banking systems years after project completion, with no periodic review or revocation. RBI's 2022 thematic review of IT governance across 20 banks found unmanaged vendor access at more than half of the institutions reviewed.

  • Outdated CCMP never tested: The Cyber Crisis Management Plan was written in 2017 and never updated to reflect product launches, infrastructure changes, or revised RBI contact details. No exercises have been conducted.
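The "unmanaged vendor access" failure mode above, and the evidence examiners ask for (vendor access reviewed and recertified at defined intervals), come down to one periodic check: does every third-party account still have a live contract, a recent use, and a recent owner attestation? The script below is an added illustration of that check and is not a FluxForce feature or an RBI-prescribed procedure. The 90-day dormancy and recertification thresholds, the record fields and every sample row are assumptions; what it demonstrates is keying the review on contract end date and last use rather than on whether the account merely still exists.

```python
"""Periodic review of third-party (vendor) accounts on bank systems.

Constructed illustration, not a FluxForce feature or an RBI-prescribed
procedure. The 90-day dormancy and 90-day recertification thresholds, the
record fields and every sample row are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=90)     # no successful login for this long
RECERT_INTERVAL = timedelta(days=90)   # owner must re-attest at least this often


@dataclass
class VendorAccount:
    account: str
    vendor: str
    system: str
    privileged: bool
    contract_end: Optional[date]       # None: no end date on file (itself a finding)
    last_login: Optional[date]         # None: never used
    last_recertified: Optional[date]   # None: never recertified by an owner


def review_account(acct: VendorAccount, today: date) -> list[str]:
    """Return the list of issues found for one account ([] = clean)."""
    issues = []
    if acct.contract_end is None:
        issues.append("no_contract_end_on_file")
    elif acct.contract_end < today:
        issues.append("contract_expired")
    if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
        issues.append("dormant")
    if acct.last_recertified is None or today - acct.last_recertified > RECERT_INTERVAL:
        issues.append("recertification_overdue")
    return issues


def recommended_action(issues: list[str], privileged: bool) -> str:
    """Map findings to the action the access owner should take."""
    if "contract_expired" in issues:
        return "revoke"                      # no business basis for the account at all
    if "dormant" in issues and privileged:
        return "disable_pending_review"      # unused privileged access is pure attack surface
    if issues:
        return "recertify"
    return "keep"


def run_review(accounts: list[VendorAccount], today: date) -> dict[str, tuple[list[str], str]]:
    """Review every account; result maps account name to (issues, action)."""
    result = {}
    for acct in accounts:
        issues = review_account(acct, today)
        result[acct.account] = (issues, recommended_action(issues, acct.privileged))
    return result


def demo() -> dict[str, tuple[list[str], str]]:
    """Run the review over a constructed sample export from a PAM/IAM system."""
    accounts = [
        # project finished in 2022, account still alive and recently used
        VendorAccount("svc-vendorA-cbs", "Vendor A", "core-banking", True,
                      date(2022, 6, 30), date(2024, 1, 15), None),
        # healthy: live contract, used last week, recertified this quarter
        VendorAccount("svc-vendorB-atm", "Vendor B", "atm-switch", True,
                      date(2025, 3, 31), date(2024, 5, 28), date(2024, 4, 10)),
        # privileged account that has never logged in
        VendorAccount("svc-vendorC-siem", "Vendor C", "siem", True,
                      date(2024, 12, 31), None, date(2024, 1, 5)),
        # non-privileged, in use, but nobody recorded when the contract ends
        VendorAccount("svc-vendorD-crm", "Vendor D", "crm", False,
                      None, date(2024, 5, 20), date(2024, 5, 1)),
    ]
    return run_review(accounts, today=date(2024, 6, 1))


if __name__ == "__main__":
    for account, (issues, action) in demo().items():
        print(f"{account:18} {action:24} {', '.join(issues) or '-'}")
```

Feeding this a real PAM export turns the examiner's question ("is vendor access reviewed and recertified?") into a dated artifact: the output of each run, with the actions taken, is the review record.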

Penalties for non-compliance

RBI's enforcement authority for cybersecurity failures derives from Sections 46 and 47A of the Banking Regulation Act, 1949. These provisions give RBI authority to impose monetary penalties on banks for non-compliance with its directions.

Penalty ranges in practice:

  • Procedural violations (delayed policy review, incomplete training records, late incident reports): ₹10 lakh to ₹1 crore, typically accompanied by a formal warning and directed remediation plan.

  • Significant control failures (inadequate SOC coverage, systematic unreported incidents, unmanaged vendor access): ₹1 crore to ₹10 crore. Note that RBI's December 2020 action against HDFC Bank, taken after repeated outages in its internet, mobile and payment systems, was a business restriction rather than a fine: the bank was ordered to halt new Digital 2.0 launches and stop sourcing new credit card customers pending a third-party IT examination, covering areas such as IT inventory management, patch and change management, user access management, vendor risk management, data leak prevention, and business continuity and disaster recovery. Penalty and enforcement orders are published on RBI's enforcement orders portal.

  • Major incidents with inadequate response: Penalties of ₹5 crore to ₹10 crore, combined with public disclosure on RBI's website and, in some cases, directed external audits at the bank's expense.

Beyond monetary penalties, RBI can impose business restrictions (as it did with HDFC Bank in December 2020) and enhanced supervisory reporting requirements. The Prompt Corrective Action (PCA) framework itself is triggered by capital, asset quality and leverage thresholds rather than by cyber findings directly, but a cyber incident large enough to dent capital or profitability can feed those triggers. Public disclosure of penalty orders creates reputational consequences that most banks consider more damaging than the fine. All orders are searchable by institution name and date on RBI's portal.

Statutory amendments to the Banking Regulation Act have raised the penalty ceilings under Section 46 over the years, and RBI has applied its enforcement powers with greater consistency since it set up a separate Enforcement Department in April 2017.

Related regulations and frameworks

The RBI Cyber Framework doesn't operate in isolation. It sits within a broader stack of Indian and international requirements that compliance teams must manage together.

Indian regulatory stack:

The RBI Master Direction on KYC 2016 requires banks to protect customer identity data with strict access controls. That data is the same data the cyber framework requires encrypted and protected from unauthorized access. A breach involving Know Your Customer (KYC) records triggers obligations under both frameworks simultaneously, with different reporting timelines to different RBI teams.

The RBI Master Direction on Frauds 2024 requires banks to report fraud incidents to the Central Fraud Registry. Cyber-enabled fraud, including phishing, account takeover, and business email compromise, triggers concurrent reporting under the Frauds Direction and the Cyber Framework. The reporting timelines differ: the Cyber Framework requires a 2-hour initial notification to RBI's cybersecurity cell, while the Frauds Direction has its own cadence to the Central Fraud Monitoring Cell. Banks handle these as parallel tracks.

CERT-In's April 2022 directions, issued under Section 70B(6) of the Information Technology Act, 2000 (the section inserted by the 2008 amendment), separately require reporting of listed cyber incidents to CERT-In within 6 hours of noticing them. This runs in parallel to RBI's 2-hour obligation for serious events, so a bank with a mature incident response program maintains dual reporting workflows, each with its own clock starting at detection.
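The practical consequence of the parallel RBI and CERT-In clocks, together with two points made earlier on this page (examiners cross-reference the incident register against events visible in system logs and against filed RBI notifications, and the most common finding is an incident that was detected but never registered), is that the register needs an automated reconciliation rather than a manual list. The script below is an added example, not RBI tooling and not code from FluxForce. It encodes the notification windows as this page describes them (RBI 2 hours for customer-data or financial-loss events and 6 hours otherwise, CERT-In 6 hours for everything); the severity-class names, field names and sample incidents are constructed assumptions, and the windows should be replaced with the bank's own legal reading of the circulars.

```python
"""Reconcile a cyber-incident register against detection-source events and
compute the initial-notification deadlines for RBI and CERT-In.

Constructed illustration (not RBI tooling). The windows encode this page's
reading of the rules: RBI 2 h for customer-data or financial-loss events and
6 h otherwise, CERT-In 6 h for everything. Severity-class names, field names
and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Hours from detection to first notification, per regulator (assumed mapping).
RBI_WINDOW_H = {"customer_data": 2, "financial_loss": 2, "other": 6}
CERT_IN_WINDOW_H = 6


@dataclass
class Incident:
    incident_id: str
    severity_class: str                      # key of RBI_WINDOW_H
    detected_at: datetime                    # timezone-aware detection timestamp
    rbi_notified_at: Optional[datetime] = None
    certin_notified_at: Optional[datetime] = None


def check_notifications(inc: Incident, now: datetime) -> list[str]:
    """Findings for one registered incident; [] means nothing is wrong yet."""
    findings = []
    rbi_due = inc.detected_at + timedelta(hours=RBI_WINDOW_H.get(inc.severity_class, 6))
    certin_due = inc.detected_at + timedelta(hours=CERT_IN_WINDOW_H)
    for regulator, sent_at, due in (("RBI", inc.rbi_notified_at, rbi_due),
                                    ("CERT-In", inc.certin_notified_at, certin_due)):
        if sent_at is None:
            if now > due:    # clock has run out and nothing was filed
                findings.append(f"{inc.incident_id}: {regulator} notification overdue since {due.isoformat()}")
        elif sent_at > due:  # filed, but after the deadline
            findings.append(f"{inc.incident_id}: {regulator} notification late by {sent_at - due}")
    return findings


def reconcile(register: list[Incident], detected_ids: set[str], now: datetime) -> list[str]:
    """Events the detection source saw but the register lacks are exactly what
    an examiner treats as unreported incidents; list them first."""
    registered = {inc.incident_id for inc in register}
    findings = [f"{iid}: in detections but missing from register"
                for iid in sorted(detected_ids - registered)]
    for inc in register:
        findings.extend(check_notifications(inc, now))
    return findings


def demo() -> list[str]:
    """Run the reconciliation on constructed sample data."""
    def t(s: str) -> datetime:
        return datetime.fromisoformat(s).replace(tzinfo=UTC)

    register = [
        # both regulators told inside their windows
        Incident("INC-001", "customer_data", t("2024-03-01T01:00"),
                 rbi_notified_at=t("2024-03-01T02:30"), certin_notified_at=t("2024-03-01T05:00")),
        # detected late at night, RBI told next morning (late), CERT-In never told
        Incident("INC-002", "other", t("2024-03-01T23:10"),
                 rbi_notified_at=t("2024-03-02T07:30")),
        # fresh incident, still inside both windows at `now`
        Incident("INC-003", "financial_loss", t("2024-03-02T08:30")),
    ]
    # Incident ids from the SIEM / ticketing export; INC-004 never reached the register.
    detected_ids = {"INC-001", "INC-002", "INC-003", "INC-004"}
    return reconcile(register, detected_ids, now=t("2024-03-02T09:00"))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run on a schedule, this produces the three artifacts the evidence section asks for in one pass: the register entries, the notification timestamps for each regulator, and an explicit list of detections that never became register entries, which is the gap examiners otherwise find for you.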

International alignment:

FATF Recommendation 15 requires financial institutions to assess and manage money laundering and terrorist financing risks from new technologies, including the cyber risks embedded in digital onboarding and real-time payment channels. Indian banks with cross-border correspondent relationships face FATF-aligned expectations from foreign counterparts as well.

DORA's third-party ICT risk provisions under Article 28 are more prescriptive than RBI's vendor risk requirements. Indian banks with EU operations or EU parent companies face both regimes. Most implement to the higher DORA standard across the group.

The Basel Committee's Principles for the Sound Management of Operational Risk treat cyber risk as a subset of operational risk. RBI's capital adequacy directions implement the Basel framework, so a severe cyber incident with financial impact enters the loss data that feeds a bank's operational risk capital charge under the Basel III standardised approach for operational risk.

How FluxForce supports RBI Cyber Framework compliance

FluxForce AI agents provide continuous monitoring of transaction patterns and access events, generating tamper-proof evidence records for every decision. Aiden Flux and Nova Sentinel map directly to the framework's requirements for 24/7 threat detection and documented incident escalation. The platform maintains immutable audit trails for all security events with full decision explanations, satisfying RBI's incident register and reporting documentation requirements. Configurable autonomy lets compliance teams set escalation thresholds and kill switches without vendor dependency. To see how FluxForce maps to RBI's specific control domains, request a demo.
