How To Follow Reserve Bank Of India (RBI) Cyber Security Guidelines For Banks And Finance


We must thank IT virtualization as it led us to cloud technology. Today's IT infrastructures are already running their mission critical business applications on virtual machines.

Like the physical infrastructure, virtualization is also cursed with cyber security challenges. This article talks about a typical open source virtualization solution and depicts the steps to secure it.


Are we following Reserve Bank Of India (RBI) guidelines which are published periodically?



Reserve Bank of India (RBI) is highly active when it comes to vigilance and corporate governance in the cybersecurity space. From a technical standpoint, it has laid out guidelines and regulations that all institutions must adhere to. This has enabled greater scale and strength in security measures across the board. With a vision to increase stability within the Indian technology sphere, the RBI has instituted clear guidelines for handling and processing information.

Evolving policies, technologies and talent

RBI has laid out the need for constantly evolving core processes and technologies within the security infrastructure in the organization. It has done so in the introduction of the circular issued as RBI/2015-16/418.

"Use of Information Technology by banks and their constituents has grown rapidly and is now an integral part of the operational strategies of banks. The Reserve Bank, had, provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (G.Gopalakrishna Committee) vide Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, wherein it was indicated that the measures suggested for implementation cannot be static and banks need to pro-actively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns." - R.Ravikumar, Chief General Manager.

It's important for all financial institutions to continue to evolve their technology and talent to keep up with changing trends. As more companies delve into digital technologies, they need to reinforce security measures to apply to these platforms as well. From mobile app technologies to faster KYC, RBI says that companies must evolve to keep their systems secure.

Banks also need to create a cyber-security focused policy around the particular frameworks they have in place when it comes to network security. They have to communicate the same to the Cyber Security and Information Technology Examination (CSITE) Cell of the Department of Banking Supervision. All financial institutions have to remain compliant with the regulations laid out by RBI and perform regular penetration testing to ensure compliance.

Creating a robust crisis management plan

RBI has mandated that all financial institutions must maintain a crisis detection and management plan. This has been done to ensure that all data leaks be reported at the right time and security measures be put in place immediately. When it comes to customer data and sensitive information, it's critical to ensure that a remediation plan is in place. That's why institutions hire the best pentesting companies to draft an exhaustive plan when it comes to crisis management.

RBI has also stated that all companies must remain compliant with the governing rules around privacy, data handling and encryption. They shouldn't cut corners and avoid technical duties owed to their customers. One of its most recent circulars, titled "Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs)", ref - RBI/2018-19/63, explains further.

"4.3.1 Since cyber risk is different from many other risks, the traditional BCP/DR (Business Continuity Plan/Disaster Recovery) arrangements may not be adequate and hence needs to be revisited keeping in view the nature of cyber risk. A Government of India organisation, CERT-In (Computer Emergency Response Team - India, a Government entity) has been taking important initiatives in strengthening Cyber Security by providing proactive/reactive services and guidelines, threat intelligence and assessment of preparedness of various agencies in different sectors, including the financial sector. CERT-In also has come out with National Cyber Crisis Management Plan and Cyber Security Assessment Framework. UCBs may refer to CERT-In/NCIIPC/RBI/IDRBT guidelines as reference material for their guidance." - Ranjeev Shanker, General Manager In - Charge RBI has also stated that the cyber compliance office must be different from the general IT office that manages the technology. Cyber security must be a separate entity working with the company, focusing on strengthening the overall architecture of the firm.

A reference cybersecurity framework is shared below.

Image ref: http://www.pitcher.com.au/news/mitigating-cyber-risk-%E2%80%93-risky-business

Regular testing and auditing

RBI has also stated that firms should conduct pentesting regularly in an effort to strengthen the network within. They need to hire the right pentesting services companies to ensure that there are no gaps within the network. Pentesting consultants can also be hired, so long as they make the organization more compliant with the existing norms and guidelines.

Penetration testers need to perform routine checks regularly to create a more compliant and secure environment. They also need to draft policies around using specific assets, so that they can do so via a compliant protocol. Pentesting companies, like Valency Networks, allow banks to function more effectively while relying on their exhaustive security measures put in place.


RBI has stated in subsequent communications that companies must have measures in place to manage assets within the institution. This includes physical and digital assets and inventory. It has stated the need for greater accountability within the security framework as well. From a policy perspective, as per Annex I for Cyber Security Framework for Primary (Urban) Cooperative Banks, the following are the key takeaways:
  • Inventory Management of Business IT Assets - Institutions must maintain an updated inventory of IT assets, including servers, data, information and proprietary elements. They need to do so to avoid any lapses in detail pertaining to critical information. Since RBI needs to remain on top of breaches, they should be notified anytime there is an error in the management of these business assets.
  • Preventing access of unauthorised software - The best pentesting companies have a robust framework in which they can discover unauthorized software in the company. They can then root out the software that has been installed on corporate end-points. This helps in maintaining greater quality control over information being shared through hardware. Additionally, it allows for greater control over data.

  • There are other critical components that institutions need to remain compliant with, including network security and environmental controls. Companies need to hire the right pentesters to remain compliant with the evolving nature of IT security. From a compliance standpoint, RBI prefers companies that constantly evolve their infrastructure to capture a larger scope in terms of security.