RBI Master Direction on IT Governance

RBI's Master Direction on Information Technology Framework for the NBFC Sector (March 2020, updated 2023) and IT Framework for Banks (June 2016, amended 2024) mandate IT governance, cybersecurity, and resilience standards.

Framework overview

The RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (issued June 2023, replacing the 2016 Cyber Security Framework) establishes mandatory IT governance standards for all RBI-regulated entities including banks, NBFCs, and payment systems. It prescribes Board-level accountability, stringent cybersecurity controls, data localization requirements, third-party risk management, incident reporting timelines, and periodic audits. The framework adopts a risk-based approach with enhanced obligations for systemically important entities, mandating appointment of Chief Information Security Officers and comprehensive Business Continuity Plans with defined RTOs and RPOs.

Advantages

  • Establishes clear Board and senior management accountability for IT risks, elevating cybersecurity from a technical matter to a strategic governance concern with mandatory quarterly reviews
  • Mandates structured incident response protocols with strict timelines (6 hours for critical incidents), enabling faster regulatory intervention and system-wide threat intelligence sharing
  • Requires comprehensive third-party vendor risk management and security audits, addressing the supply chain vulnerabilities exposed in multiple Indian banking breaches
  • Enforces data localization and encryption standards, ensuring customer financial data remains within Indian jurisdiction with audit trails
  • Prescribes detailed business continuity testing with specific recovery metrics, reducing operational disruption during cyber events or system failures

Gaps in implementation

  • Many smaller NBFCs and cooperative banks lack qualified CISOs and dedicated cybersecurity teams, treating IT governance as a compliance checkbox rather than continuous risk management
  • Incident reporting mechanisms remain fragmented, with delays beyond the prescribed 6-hour window; several banks reported ransomware attacks days after detection due to internal escalation failures
  • Third-party vendor assessments are often superficial, with inadequate ongoing monitoring; the 2022 Juspay data breach affecting multiple banks highlighted weak API security and vendor oversight
  • Business Continuity Plans frequently remain untested in realistic scenarios; many banks' DR sites lack adequate capacity or network segregation, as revealed during the COVID-19 stress period
  • Compliance documentation often exceeds actual implementation maturity, with significant gaps between policy frameworks and the operational security controls in place on the ground

Real-world Indian scenarios

  • In November 2024, RBI imposed penalties on several banks, including Kotak Mahindra Bank and Yes Bank, for IT governance failures and inadequate cybersecurity controls, reinforcing stricter compliance expectations for 2025-26.
  • HDFC Bank faced RBI restrictions in December 2020 on new digital launches due to IT outages, with continued scrutiny through 2024 requiring enhanced IT risk management frameworks and board-level oversight of technology resilience.
  • ICICI Bank and Axis Bank invested significantly in 2024-25 to strengthen their IT governance frameworks, implementing AI-based threat detection and establishing dedicated Chief Information Security Officer roles following RBI inspections.

Room for improvement

  • Establish a board-approved IT strategy with quarterly reviews covering cloud adoption, AI/ML integration, and third-party vendor risk management, aligned with RBI's expected 2025 guidelines on emerging technologies
  • Implement comprehensive cybersecurity incident response plans with mandatory reporting to RBI within 2-6 hours, as per the updated cyber incident reporting norms effective 2024
  • Conduct independent IS audits at least annually, with a specialized focus on API security, mobile banking vulnerabilities, and data localization compliance under RBI's Payment System Vision 2025
  • Enhance IT governance by appointing qualified CISOs reporting directly to CEOs, establishing IT steering committees, and ensuring 99.5%+ uptime for critical digital banking services, with documented BCP-DR testing every quarter
RBI's IT Framework mandates governance, cybersecurity, and resilience standards for banks (June 2016, amended 2024) and NBFCs (March 2020, updated 2023), covering risk management, data security, business continuity, and audit requirements.

Updated 6/8/2026 · refreshed weekly