RBI Cyber Security Audit for NBFCs: A Compliance Guide
Most NBFCs discover the real scope of their RBI cyber security obligations on the morning the inspection team arrives. The Chief Information Security Officer is asked for the last board-approved information security policy, and someone quietly realises it was last ratified two years ago by a board that has since changed composition. That silence in the room is the sound of a finding being written.
An RBI cyber security audit is not a checkbox review. It is an examination of whether your controls actually exist, actually run, and can actually be evidenced on the day someone asks. This guide is written from the audit chair, not the marketing brochure. It walks through what the Reserve Bank of India expects from a Non-Banking Financial Company, where audits genuinely fall apart, and how to close the gaps before an examiner or an empanelled auditor finds them for you.
Which rulebook actually applies to your NBFC
The single biggest source of confusion is that NBFCs assume one uniform standard applies to all of them. It does not. The RBI runs a tiered model, and your tier decides how heavy your obligations are. Before you scope a single control, you must know which layer you sit in under the Scale Based Regulation (SBR) framework and which master direction governs your IT and cyber posture.
| Framework / direction | What it governs | Who it binds |
|---|---|---|
| Master Direction on IT Governance, Risk, Controls and Assurance Practices (Nov 2023, effective Apr 2024) | IT governance, IT and information security policy, cyber crisis management, business continuity, IT audit | All NBFCs in scope per the direction (broadly Middle Layer, Upper Layer and larger Base Layer entities) |
| Master Direction on Outsourcing of IT Services (Apr 2023) | Cloud, managed services, fintech and vendor risk, exit strategy, right-to-audit clauses | NBFCs outsourcing any material IT service |
| Scale Based Regulation (SBR) framework | Tiering into Base, Middle, Upper and Top Layer; proportional obligations | All NBFCs |
| Digital Lending Guidelines (Sep 2022) | Data collection, storage, Lending Service Provider controls, Key Fact Statement | NBFCs lending through digital channels or apps |
| CERT-In Directions (Apr 2022, 6-hour reporting) | Incident reporting timelines, log retention, ICT system clock sync | Every body corporate in India, NBFCs included |
Read that last row carefully. The CERT-In directions of 28 April 2022 apply to you regardless of your RBI tier. You must report a reportable cyber incident to the Indian Computer Emergency Response Team within six hours of noticing it, retain logs for a rolling period of 180 days within Indian jurisdiction, and synchronise all system clocks to NPL or NIC time servers. Auditors check these three items specifically because they are unambiguous and easy to fail.
What the examiner actually asks for
There is a gap between what NBFCs think an audit covers and what actually gets tested. The theory is policies. The practice is evidence. An RBI-empanelled auditor or an internal IT audit team following the master direction will spend most of the engagement asking one question in different forms: prove it. Here is the shape of the request list you should expect.
- The current information security policy and IT policy, with minutes showing board or IT Strategy Committee approval within the review period.
- The composition and meeting minutes of the IT Strategy Committee and the IT Steering Committee, including quorum and independent director presence.
- A named, designated Chief Information Security Officer with a role independent of the Chief Information Officer, and evidence the CISO reports to the board or its committee.
- The current information asset inventory, classified by criticality, with owners named.
- Vulnerability Assessment and Penetration Testing (VAPT) reports for internet-facing applications, the closure tracker, and re-test evidence for high and critical findings.
- User access review records, privileged access management logs, and evidence of quarterly recertification.
- The Cyber Crisis Management Plan (CCMP) and evidence of at least one tabletop or incident drill in the year.
- Business Continuity and Disaster Recovery test results with actual Recovery Time Objective and Recovery Point Objective figures, not target figures.
- Third-party and outsourcing contracts showing right-to-audit clauses, data localisation commitments and defined exit strategies.
- CERT-In incident reports (or a nil-incident register), log retention configuration, and NTP synchronisation evidence.
Notice what is not on that list: firewalls, antivirus, a shiny SIEM dashboard. Tools are assumed. The audit is about governance, evidence and closure. An NBFC with modest tooling and disciplined evidence passes cleaner than one with expensive tooling and no records of who reviewed what, when.
Five gaps that sink RBI audits
Across NBFC engagements the same failures recur. They are not exotic. They are the boring, governance-shaped gaps that accumulate when cyber security is treated as an IT problem rather than a board problem.
1. The board-approval trail is stale
The master direction is explicit that the board owns IT governance. Your policy can be technically excellent, but if the approval date predates the current board or falls outside the review cycle, it is treated as unapproved. Examiners want a live approval within the last twelve months and minutes that name the document version.
2. The CISO is a CISO on paper only
A common structure has the Chief Information Officer wearing the CISO hat too. The direction requires functional independence so that the person building the systems is not the sole person assuring them. If your CISO signs off their own controls, that is a segregation-of-duties finding on its own.
3. VAPT findings are open and un-retested
Running the test is the easy part. The failure is the closure gap. A VAPT report dated eight months ago with fourteen high-severity findings still open, and no re-test, tells the examiner your remediation process does not function. The finding is not the vulnerability; it is the absence of closure discipline.
4. Outsourcing is invisible
Your loan origination system, your KYC vendor, your cloud host and your collections dialer are all outsourced IT services. If contracts lack a right-to-audit clause, data localisation terms and a documented exit plan, the RBI outsourcing direction is breached. Most NBFCs cannot produce a complete inventory of material IT vendors on request, let alone their contracts.
5. Incident readiness is theoretical
A Cyber Crisis Management Plan filed and never rehearsed is a document, not a capability. The examiner will ask when you last ran a drill and who declared the incident. If the answer is that you have never tested the six-hour CERT-In reporting path, you have a control that will fail precisely when it matters.
What actually happens in the room
Picture a Middle Layer NBFC with a healthy loan book and a lean IT team. The audit opens on a Monday. By Tuesday afternoon the auditor has the information security policy, and it reads well. Then comes the request for the board minutes approving it. The version approved by the board is v2.1. The version live on the intranet is v2.4, updated by the IT head after a cloud migration, never taken back to the board. Three revisions of substantive control changes have gone in without governance sign-off.
That single mismatch cascades. If the live policy was never approved, then every control introduced in v2.2 through v2.4 is technically operating without a mandate. The auditor now has to test whether those controls exist independent of the unapproved policy, which widens the whole engagement. What began as a documentation slip becomes a governance finding with a management response, a remediation timeline and a follow-up review. All of it avoidable with one agenda item at one board meeting.
This is the pattern. RBI cyber findings rarely stem from a hacker at the gate. They stem from the distance between what is running and what has been governed and evidenced. Close that distance and the audit becomes calm.
What it costs and how long it takes
Budgets get set by people who have never scoped one of these, so here is a realistic view. Costs vary with tier, application count, environment complexity and whether you are cloud-native. These are indicative Indian market ranges for external, empanelled work.
| Activity | Indicative cost (INR) | Typical duration |
|---|---|---|
| External VAPT for a web and mobile app estate (up to ~5 apps) | 2,50,000 to 8,00,000 | 2 to 4 weeks |
| Independent IT and cyber security audit per the master direction | 3,00,000 to 12,00,000 | 4 to 8 weeks |
| Gap assessment and readiness review before a formal audit | 1,00,000 to 4,00,000 | 2 to 3 weeks |
| Cyber Crisis Management Plan and tabletop drill facilitation | 1,00,000 to 3,00,000 | 1 to 2 weeks |
| Full remediation support (policy, PAM, logging, closure) | Highly variable | 1 to 3 months |
The costs that hurt are not the audit fees. They are the consequences of a bad finding: RBI can issue a monetary penalty, impose business restrictions, direct a special audit at your expense, or in serious cases affect your Certificate of Registration. A single unreported incident that surfaces later, breaching the CERT-In six-hour window, invites both CERT-In and RBI scrutiny at once. The audit is the cheap path.
Building an evidence system, not a document pile
The teams that pass cleanly do one thing differently: they treat evidence as a running system, not a one-time scramble. Controls generate proof continuously, and that proof is filed where it can be produced in minutes.
| Control area | The evidence that satisfies an auditor | How often it must refresh |
|---|---|---|
| Policy governance | Board or committee minutes naming the approved version | Annual, plus on material change |
| Access management | Quarterly access recertification sign-offs and PAM logs | Quarterly |
| Vulnerability management | VAPT reports plus closure tracker plus re-test proof | At least annually and on major change |
| Incident response | Drill records, CERT-In reports or nil register, RCA documents | Per incident; drill at least annually |
| Third-party risk | Vendor inventory, contracts with audit and exit clauses, due diligence | On onboarding and annual review |
| Business continuity | Actual DR test results with measured RTO and RPO | At least annually |
The pre-audit fix-it checklist
Six weeks before any RBI cyber audit or empanelled review, work this list. It is ordered by how often each item causes a finding, most common first.
- Take your current, live information security and IT policies back to the board or IT Strategy Committee and get a dated approval with version numbers in the minutes.
- Confirm the CISO is a named individual, functionally independent of the CIO, with a documented reporting line to the board.
- Pull every VAPT report from the last twelve months, build a single closure tracker, and re-test every high and critical finding still open.
- Compile a complete material IT vendor inventory and check each contract for right-to-audit, data localisation and exit clauses.
- Verify CERT-In compliance: 180-day log retention within India, NTP sync to NPL or NIC, and a rehearsed six-hour incident reporting path.
- Run at least one cyber crisis tabletop drill and file the record, including who is authorised to declare an incident.
- Execute a live DR test and record measured RTO and RPO, not the targets in the plan.
- Complete the current quarter access recertification and archive the sign-offs.
- Reconcile your asset inventory so that every internet-facing system has a named owner and a criticality rating.
- Assemble all of the above into a single evidence index so nothing is hunted for during the engagement.
Where this leaves you
Come back to that silent audit room. The finding that gets written is almost never about a missing firewall. It is about the gap between what your NBFC does and what it can prove it governs. Close that gap deliberately, on a schedule, and the audit stops being an event to survive and becomes a health check you pass on the strength of ordinary discipline.
If you want a set of experienced eyes before the RBI brings its own, CyberSigma runs these reviews hands-on as CERT-In empanelled auditors and a PCI QSA practice. We sit in the same chair the examiner will, find what they would find, and help you close it while it is still your timeline and not theirs.
FAQs
Does the RBI IT Governance master direction apply to every NBFC?
Not identically. Obligations are proportional to your Scale Based Regulation layer. Middle, Upper and larger Base Layer NBFCs carry the fuller weight of the November 2023 IT governance direction, while the smallest Base Layer entities have lighter requirements. Regardless of RBI tier, the CERT-In directions of April 2022 apply to you as a body corporate in India.
How often must an NBFC undergo a cyber security or IT audit?
The master direction expects a periodic, independent IT audit, in practice at least annually, with the scope and frequency set by risk. VAPT on internet-facing systems should run at least annually and after any major change. Access recertification is typically quarterly. RBI can also direct a special audit at any time.
What is the six-hour CERT-In reporting rule and does it override RBI reporting?
CERT-In requires reportable cyber incidents to be reported to the Indian Computer Emergency Response Team within six hours of noticing them. It does not override RBI reporting; the two run in parallel. A significant incident at an NBFC typically triggers both a CERT-In report and notification to the RBI, so your incident plan must satisfy both timelines at once.
Do we need a CISO if we are a small NBFC?
The direction expects a designated senior official responsible for information security who is functionally independent of the technology delivery function. Even in a lean structure, the person assuring controls should not be the sole person building them. A CIO doubling as the sole CISO is a common segregation-of-duties finding.
What is the most common single reason NBFCs fail an RBI cyber audit?
Stale or missing board approval of the live security policy, closely followed by open VAPT findings with no re-test evidence. Both are governance and closure failures rather than technical weaknesses, and both are entirely preventable before the audit begins.
How long does a readiness review take before a formal audit?
A focused gap assessment usually runs two to three weeks, and it is best done six to eight weeks before the formal audit so there is time to remediate. The point of a readiness review is to surface findings while remediation is still on your schedule rather than the examiner's.
Liked the post? Share on:





Leave A Comment