Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices
FinTech BizNews Service
Mumbai, November 8, 2023: The RBI has, in a communication addressed to the chairman/managing director/chief executive officer of scheduled commercial banks (SCBs excluding regional rural banks); small finance banks; payments banks; non-banking financial companies; credit information companies; and all India financial institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI), asked them to refer to paragraph IV (8) of the Statement on Developmental and Regulatory Policies released with the Bi-monthly Monetary Policy Statement 2021-22 on February 10, 2022, wherein it was announced that draft guidelines, updating and consolidating the instructions relating to Information Technology (IT) Governance and Controls, Business Continuity Management and Information Systems Audit, would be issued by the Reserve Bank of India. Accordingly, a draft Master Direction on the subject was published in October 2022 seeking public comments. Based on the feedback received, the final Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023 were issued on 7 Nov 2023. These Directions shall be applicable to the entities referred to as ‘regulated entities’ or ‘REs’.
IT Governance Framework
(a) The key focus areas of IT Governance shall include strategic alignment, risk management, resource management, performance management and Business Continuity/ Disaster Recovery Management. (b) REs shall put in place a robust IT Governance Framework based on the aforementioned focus areas that inter alia: (i) specifies the governance structure and processes necessary to meet the RE’s business/ strategic objectives; (ii) specifies the roles (including authority) and responsibilities of the Board of Directors (Board) / Board level Committee and Senior Management; and (iii) includes adequate oversight mechanisms to ensure accountability and mitigation of IT and cyber/ information security risks. (c) Enterprise-wide risk management policy or operational risk management policy shall also incorporate periodic assessment of IT-related risks (both inherent and potential risk).
Role of the Board of Directors
(a) The strategies and policies related to IT, Information Assets, Business Continuity, Information Security, Cyber Security (including Incident Response and Recovery Management/ Cyber Crisis Management) shall be approved by the Board of Directors. (b) Such strategies and policies shall be reviewed at least annually by the Board.
IT Strategy Committee of the Board
(a) REs shall establish a Board-level IT Strategy Committee (ITSC). (b) While constituting the ITSC, REs shall ensure that: (i) it has a minimum of three directors as members; (ii) the Chairperson of the ITSC is an independent director with substantial IT expertise in managing/ guiding information technology initiatives; and (iii) its members are technically competent. (c) The ITSC shall meet at least on a quarterly basis. (d) The ITSC shall:
(i) Ensure that the RE has put an effective IT strategic planning process in place; (ii) Guide the preparation of the IT Strategy and ensure that the IT Strategy aligns with the overall strategy of the RE towards accomplishment of its business objectives; (iii) Satisfy itself that the IT Governance and Information Security Governance structure fosters accountability, is effective and efficient, has adequate skilled resources, well-defined objectives and unambiguous responsibilities for each level in the organisation; (iv) Ensure that the RE has put in place processes for assessing and managing IT and cybersecurity risks; (v) Ensure that the budgetary allocations for the IT function (including IT security) and cyber security are commensurate with the RE’s IT maturity, digital depth, threat environment and industry standards, and are utilised in the manner intended for meeting the stated objectives; and (vi) Review, at least on an annual basis, the adequacy and effectiveness of the Business Continuity Planning and Disaster Recovery Management of the RE.
Senior Management and IT Steering Committee
(a) The Senior Management of the RE shall, inter alia, ensure: (i) Execution of the IT Strategy approved by the Board; (ii) IT/ IS and their support infrastructure are functioning effectively and efficiently; (iii) Necessary IT risk management processes are in place and create a culture of IT risk awareness and cyber hygiene practices in the RE; (iv) Cyber security posture of the RE is robust; and (v) Overall, IT contributes to productivity, effectiveness and efficiency in business operations.
(b) REs shall establish an IT Steering Committee with representation at Senior Management level from IT and business functions. (c) The responsibilities of the IT Steering Committee, inter alia, shall be to: (i) Assist the ITSC in strategic IT planning, oversight of IT performance, and aligning IT activities with business needs; (ii) Oversee the processes put in place for business continuity and disaster recovery; (iii) Ensure implementation of a robust IT architecture meeting statutory and regulatory compliance; and (iv) Update the ITSC and CEO periodically on the activities of the IT Steering Committee. (d) The IT Steering Committee shall meet at least on a quarterly basis.
Head of IT Function
(a) REs shall appoint a sufficiently senior, technically competent official, experienced in IT-related aspects, as Head of IT Function. (b) The Head of IT Function shall, inter alia, be responsible for the following: (i) Ensuring that the execution of IT projects/ initiatives is aligned with the RE’s IT Policy and IT Strategy; (ii) Ensuring that there is an effective organisational structure to support IT functions in the RE; and (iii) Putting in place an effective disaster recovery setup and business continuity strategy/ plan. (c) As a first line of defence, the Head of IT Function shall ensure effective assessment, evaluation and management of IT controls and IT risk, including the implementation of robust internal controls, to (i) secure the RE’s information assets and (ii) comply with extant internal policies and regulatory and legal requirements on IT-related aspects.
IT Services Management
(a) REs shall put in place a robust IT Service Management Framework for supporting their information systems and infrastructure to ensure the operational resilience of their entire IT environment (including DR sites). (b) A Service Level Management (SLM) process shall be put in place to manage the IT operations while ensuring effective segregation of duties. (c) REs shall ensure identification and mapping of the security classification (in terms of Confidentiality, Integrity, and Availability) of information assets based on their criticality to the REs’ operations. (d) For seamless continuity of business operations, REs shall avoid using outdated and unsupported hardware or software and shall monitor software’s end-of-support (EOS) date and Annual Maintenance Contract (AMC) dates of IT hardware on an ongoing basis. (e) REs shall develop a technology refresh plan for the replacement of hardware and software in a timely manner before they reach EOS.
Third-Party Arrangements
Where third-party arrangements in the Information Technology/ Cyber Security ecosystem are not within the applicability of the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, REs shall put in place an appropriate vendor risk assessment process and controls proportionate to the assessed risk and materiality to, inter alia: (a) mitigate concentration risk; (b) eliminate or address any conflict of interest; (c) mitigate risks associated with a single point of failure; (d) comply with applicable legal and regulatory requirements and standards to protect customer data; (e) provide high availability (for uninterrupted customer service); and (f) manage supply chain risks effectively.
For further details, you may access: https://www.rbi.org.in/Scripts/NotificationUser.aspx