Reserve Bank of India · Banking

RBI Scale-Based Regulatory Framework for NBFCs - Cyber and Operational Risk Norms 2024

RBI's October 2024 scale-based regulatory framework mandating tiered cyber security, operational resilience and IT governance norms for NBFCs based on size, activity and digital footprint.

Framework overview

The RBI's Scale-Based Regulatory (SBR) framework, introduced in October 2022, was enhanced in 2024 with specific cyber and operational risk norms for NBFCs classified into the Base, Middle, Upper and Top Layers. NBFCs in the Upper and Top Layers (assets >₹1000 crore) must establish board-approved cyber security policies, conduct vulnerability assessments, implement incident response frameworks, and maintain operational resilience against defined recovery time and recovery point objectives (RTO/RPO). The framework mandates the appointment of a Chief Information Security Officer, regular cyber audits, third-party risk management protocols, and mandatory reporting of material cyber incidents to RBI within 6 hours. It aligns with RBI's Master Direction on Information Technology Framework 2023 while introducing proportionate requirements based on the systemic importance and digital exposure of each NBFC.

Advantages
  • Proportionate compliance burden with Base Layer NBFCs exempt from complex cyber infrastructure investments, reducing regulatory costs for smaller HFCs and MFIs
  • Mandatory board oversight and CISO appointment in Upper/Top layer NBFCs (like Bajaj Finance, Shriram Finance) ensures C-suite accountability for cyber risks
  • Standardized incident reporting timelines (6 hours for material incidents) enable RBI to monitor sector-wide cyber threats and coordinate regulatory responses
  • Integration with the digital lending guidelines protects customer data across fintech partnerships, addressing vulnerabilities in the Lending Service Provider (LSP) and Digital Lending App (DLA) ecosystem
  • Risk-based IT audit requirements reduce dependency on external auditors while building internal cyber capabilities in systemically important NBFCs
Gaps in implementation
  • Lack of clarity on materiality thresholds for cyber incident reporting leading to inconsistent disclosures, with some NBFCs over-reporting minor IT glitches
  • Inadequate specification of vendor risk management standards for cloud service providers, leaving NBFCs uncertain about the compliance requirements that apply to AWS, Azure and Google Cloud deployments
  • No explicit guidelines on cryptocurrency exposure or digital asset custody risks despite growing NBFC involvement in fintech ecosystems offering crypto services
  • Weak enforcement mechanisms for Middle Layer NBFCs (₹500-1000 crore), which often lack the resources for a full-fledged SOC implementation but face similar cyber threats
  • Absence of sector-wide cyber threat intelligence sharing platform, forcing individual NBFCs to independently detect emerging attack vectors like phishing targeting loan apps
Real-world Indian scenarios
  • In March 2024, a prominent vehicle financing NBFC faced a ransomware attack that disrupted loan disbursement for 72 hours, triggering RBI scrutiny of incident response delays and inadequate backup systems under the operational resilience norms.
  • In 2023, Muthoot Finance reported an attempted data breach targeting customer KYC documents, prompting RBI to issue observations on third-party vendor controls and encryption standards under the enhanced cyber framework for Top Layer NBFCs.
  • Multiple gold loan NBFCs in Kerala faced SMS phishing attacks in late 2023 impersonating their brands, highlighting gaps in customer communication security protocols and brand protection measures now covered under cyber risk governance requirements.
Room for improvement
  • Establish dedicated Cyber Crisis Management Teams with 24x7 response capabilities beyond basic CISO appointment, particularly for digital-first NBFCs like IIFL Finance and InCred
  • Implement Zero Trust Architecture across customer-facing applications and internal networks, moving beyond perimeter security to address insider threats and compromised credentials
  • Develop comprehensive vendor cyber risk scorecards for all critical service providers including payment aggregators, cloud hosts, and digital lending platforms with quarterly reviews
  • Invest in AI-powered Security Operations Centers (SOCs) with automated threat detection for real-time monitoring of loan origination systems, mobile apps and API endpoints used in instant loan products
Tags: NBFC Regulation · Cyber Security · Operational Risk · Scale-Based Regulation · Digital Lending · IT Governance
Updated 6/15/2026 · refreshed weekly