The Cyber Security Framework in Banks (circular RBI/2015-16/418, dated 2 June 2016) sets out a baseline of cyber-security and resilience requirements that every bank must put in place. Annex 1 of the circular defines 24 baseline requirements, which our engine maps into 106 discrete controls.
Issued by the Department of Banking Supervision, the framework requires every bank to put in place a Board-approved Cyber Security Policy, distinct from its broader IT or IS policy, and to confirm this to the Cyber Security and Information Technology Examination (CSITE) Cell of the RBI.
The circular has three annexes: Annex 1 lists the baseline cyber-security and resilience requirements; Annex 2 covers setting up and operationalising a Cyber Security Operations Centre (C-SOC); and Annex 3 provides the template for reporting cyber incidents to the RBI.
Banks must also evolve a Cyber Crisis Management Plan (CCMP) addressing Detection, Response, Recovery and Containment, arrange continuous surveillance through a SOC, and report unusual cyber incidents promptly, within two to six hours.
Annex 1 of RBI/2015-16/418 sets out an indicative baseline of cyber-security and resilience requirements. Our engine maps all 24 into 106 discrete, evidence-backed controls.
Maintain an up-to-date inventory of assets, classify data by sensitivity, and protect information across its lifecycle by business criticality.
Maintain authorised/unauthorised software inventory, control installation centrally, and apply security patches expeditiously.
Secure the location of critical assets against natural and man-made threats; monitor temperature, power, smoke and access alarms.
Maintain network architecture diagrams, device inventories, multi-layered boundary defences, and SOC monitoring of network activity.
Document and apply baseline secure configurations to all device categories throughout their lifecycle and review periodically.
Embed security across the application lifecycle: secure coding, threat modelling, OWASP-aligned testing and segregated environments.
Follow a risk-based patch strategy, robust change management, and periodic VA/PT of internet-facing applications and components.
Least privilege, centralised authentication, MFA based on risk, control of privileged access, and monitoring of abnormal logons.
Provide positive identity verification of the bank to customers, keep customer identity information secure, and act as identity provider.
Implement secure mail/messaging, including for partners and vendors, with anti-spoofing, attachment protection and server controls.
Remain accountable for outsourced and partner risk; due diligence, right-of-audit, background checks and NDAs for third parties.
Restrict and secure removable media and BYOD; scan for malware, limit transfers, and default to disallowing unless authorised.
Build robust defence against malicious code at multiple points: anti-malware, behavioural detection and secure web gateways.
Subscribe to anti-phishing / anti-rogue app services to identify and take down phishing websites and rogue applications.
Develop a comprehensive DLP strategy covering endpoints, data in transit and data at rest, including at vendor-managed facilities.
Consult stakeholders on log scope and retention; manage and analyse logs systematically to detect, understand and recover from attacks.
Validate log/audit-trail settings for every device and application so logs uniquely identify events with timestamps and addresses.
Periodically conduct vulnerability assessment, penetration testing and red-team exercises on critical, internet-facing systems.
Run a Board-approved incident response programme with written procedures, BCP/DR recovery and resilience testing.
Implement risk-based transaction surveillance across delivery channels and alert customers to transactions above a chosen value.
Develop prospective and retrospective metrics: KPIs and KRIs such as anti-malware coverage, patch latency and training reach.
Arrange network forensics, forensic investigation and DDoS mitigation on stand-by; participate in CERT-In / IDRBT cyber drills.
Communicate security policy, run targeted training, mandatory programmes for new recruits, and annual Board sensitisation.
Improve customer awareness of cyber-security risks, encourage phishing reporting, and educate on the risks of sharing credentials.
RBI consequences are supervisory and regulatory rather than a fixed fine schedule, which makes demonstrable, evidence-backed compliance essential at examination time.
The RBI can impose monetary penalties on banks for contravention of its directions, including the Cyber Security Framework, under the penal provisions of the Banking Regulation Act, 1949. Such penalties are typically disclosed publicly.
Material control gaps surface during RBI on-site inspections and IT examinations by the CSITE Cell. Findings can lead to directions, enhanced monitoring, and remediation timelines tracked by the regulator.
Banks must report unusual cyber incidents, whether successful or attempted, to the RBI within two to six hours using the Annex 3 template, and to CERT-In, NCIIP and IB-CART. Reporting gaps compound supervisory concern.
Reputational & Operational Risk
Beyond regulatory action, a cyber incident at a bank carries severe reputational and operational consequences: loss of customer trust, service outages affecting CBS / payment systems, and erosion of market confidence. The framework exists to reduce exactly this exposure.
RBI/2015-16/418 is structured as a main circular plus three annexes that together define the baseline, the SOC, and incident reporting.
The indicative baseline of cyber-security and resilience requirements: 24 areas spanning asset inventory, network security, access control, ASLC, monitoring, incident response and awareness. The core of our engine.
Guidance on setting up and operationalising a Security Operations Centre: governance, technology (SIEM, deep packet inspection), people (L1/L2/L3 analysts), and the in-house vs outsourced decision.
The structured template for reporting cyber incidents to the RBI: basic information, impact assessment, chronology, root cause analysis, attack vectors and indicators of compromise.
A Board-approved CCMP addressing the four aspects (Detection, Response, Recovery and Containment), prepared for emerging threats such as zero-day, ransomware, DDoS and targeted attacks.
The circular set early milestones (gap assessment to the CSITE Cell by 31 July 2016 and confirmation of a Board-approved policy by 30 September 2016), establishing the framework as immediate, not aspirational.
A SOC providing continuous surveillance, kept updated on emerging threats, with the capability to monitor logs in real time and escalate abnormal activity: a standing obligation, not a one-off project.
The framework translates into a set of obligations a bank must be able to evidence at any time.
A distinct cyber-security policy approved by the Board, separate from the broader IT / IS policy, with confirmation communicated to the CSITE Cell.
Identification of inherent risk (low to very high), assessment of controls in place, and a documented gap assessment submitted to the RBI.
A SOC providing continuous surveillance with real-time / near real-time monitoring of logs and the ability to escalate abnormal activity.
A Board-approved plan covering Detection, Response, Recovery and Containment, aligned to CERT-In / NCIIP / IDRBT guidance.
Prompt reporting of unusual cyber incidents within 2 to 6 hours via the Annex 3 template, plus active CISO Forum and IB-CART participation.
Periodic VA/PT and red-team exercises, independent compliance checks, and structured awareness for staff, management and the Board.
The Baseline Is the Floor, Not the Ceiling
The circular is explicit that the baseline is indicative and not exhaustive โ banks must proactively fine-tune their controls as new threats, products and processes emerge. The Cognisec RBI Cyber Security Engine gives you a living, evidence-backed view of where you stand against all 24 requirements at any moment.
Start your free 30-day trial. All 24 requirements. All 3 panels. No complexity.