We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Cybersecurity blog

RBI Cyber Security Framework for NBFCs: Requirements Explained

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

RBI Cyber Security Framework for NBFCs: Requirements Explained

Most NBFCs think they are compliant with the RBI's cyber framework until the day an RBI inspection team sits across the table and asks a deceptively simple question: show me the board minute where your cyber security policy was approved, and show me the date it was last reviewed. The silence that follows is where a lot of NBFCs lose the room.

The framework itself is not exotic. It is a set of clear expectations dressed up in RBI circular language. The problem is that most non-banking financial companies treat it as an IT department chore rather than a board-owned obligation, and then discover during a Supervisory review that the paperwork does not exist, the responsibilities were never assigned, and the incident nobody reported to CERT-In is now a supervisory finding with your name on it.

What the RBI actually issued, and which one applies to you

The confusion starts because there is not one master document. RBI has released the requirements in layers over several years, and which layer binds you depends on your asset size and your customer interface. Getting this classification wrong is the first mistake, because you either over-engineer controls you do not need or, far more dangerously, ignore ones you do.

The foundational circular is the June 2017 Master Direction on Information Technology Framework for the NBFC Sector (DNBS.PPD.No.04/66.15.001/2016-17). That was the baseline. It was then significantly strengthened and superseded in practice by the November 2023 Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (RBI/DoS/2023-24/107, effective 1 April 2024), which now covers NBFCs alongside banks and other regulated entities. On top of that sits the Digital Lending guidelines and, for anyone touching payments, the broader RBI cyber expectations.

LayerWhat it governsWho it binds
IT Framework for NBFC (2017)Baseline IT policy, IS audit, BCP, cyber securitySystemically important NBFCs (asset size at or above the threshold notified)
IT Governance MD (2024)IT governance, risk, controls, assurance, board rolesNBFCs in the applicable categories, banks, credit info companies and more
Digital Lending Guidelines (2022)LSP oversight, data localisation, borrower dataNBFCs lending through digital channels or apps
CERT-In Directions (April 2022)6-hour incident reporting, log retention, clock syncEvery service provider and body corporate, NBFCs included

A practical rule: if you are a Base Layer NBFC under the Scale Based Regulation with a small book and no digital lending, your obligations are lighter but not zero. The moment you cross into Middle or Upper Layer, or run a lending app, assume the full 2024 IT Governance framework applies and build for that. Regulators do not accept we thought we were exempt as a defence.

The nine things the framework really demands

Strip away the circular prose and the RBI framework comes down to nine expectations. Every audit finding I have seen maps back to one of these being missing, stale, or owned by nobody.

  • A board-approved IT and cyber security policy, reviewed at least annually with the minute to prove it.
  • A defined IT governance structure with a Board-level IT Strategy Committee and a management IT Steering Committee.
  • A designated Chief Information Security Officer who is not the same person running IT operations.
  • An information security policy plus supporting standards for access control, cryptography, network security and change management.
  • Business Continuity Plan and Disaster Recovery arrangements that are tested, with a documented Recovery Time Objective and Recovery Point Objective.
  • A vendor and outsourcing risk framework, because most NBFC breaches enter through a third party.
  • Incident detection and reporting, including the CERT-In 6-hour clock and RBI's own incident reporting expectations.
  • Independent Information Systems audit, conducted at a frequency proportionate to risk.
  • Data governance and localisation controls, sharpened by the DPDP Act 2023.

Governance is not a diagram, it is who signs what

The single most common gap is governance that exists only on a slide. NBFCs draw a neat org chart with an IT Strategy Committee and a Steering Committee, and then never actually convene them. The 2024 IT Governance Master Direction is explicit here: the Board is responsible for IT governance, an IT Strategy Committee of the Board must meet at least once a quarter, and a Steering Committee at the executive level must assist it.

The framework also expects a clear separation between the Chief Information Security Officer and the head of IT. This trips up smaller NBFCs constantly. You cannot have the same person who builds the systems also independently attest that they are secure. That is marking your own homework, and an examiner will call it out immediately. If your CISO reports to your CTO, you already have a finding waiting.

BodyMinimum cadenceWhat it must own
BoardAs part of regular board cycleApprove IT and cyber policy, own overall risk appetite
IT Strategy Committee (of Board)At least quarterlyIT strategy alignment, budget, major project and risk oversight
IT Steering Committee (executive)Monthly or as neededProject delivery, resource allocation, monitoring implementation
CISOContinuous, reports independentlySecurity posture, incident response, control assurance

BCP and DR: the drill nobody ran

Here is where documentation and reality diverge most sharply. Almost every NBFC has a BCP document. Almost none can produce evidence of a DR drill in the last twelve months with results, gaps found and gaps closed. The framework does not just want a plan; it wants a tested plan with defined recovery objectives.

Concretely, the examiner will ask for your documented Recovery Time Objective, which is how fast you must be back up, and your Recovery Point Objective, which is how much data you can afford to lose. Then they will ask for the last DR test report showing whether you actually met them. If your RTO on paper is four hours but your last failover took a day, or you have never failed over at all, that gap is your finding.

  • A BCP covering people, process, technology and premises, not just servers.
  • Defined RTO and RPO for each critical system, signed off by business owners, not just IT.
  • A DR site or cloud region geographically separated from primary, with tested replication.
  • At least one live failover drill per year with a written report of what broke and what was fixed.
  • A crisis communication plan naming who informs the RBI, CERT-In, customers and the board.

Vendor risk: the door most breaches walk through

If you run a lending app, your data is almost certainly flowing through a Lending Service Provider, a cloud host, a KYC vendor, a bureau and an SMS or WhatsApp gateway. The RBI's outsourcing and digital lending expectations make one thing unambiguous: you remain fully responsible for a control failure at any of them. Outsourcing the activity does not outsource the accountability.

The Digital Lending guidelines add hard requirements. Data collected by the app must be need-based and with explicit borrower consent. It must be stored on servers located in India. The borrower must be able to see, and where relevant delete, their data. And the LSP arrangement must be governed by a written agreement that gives you audit rights over their controls. Most NBFCs sign a commercial contract and skip the security annexure entirely.

Vendor typeKey control expectedCommon gap found in audit
Cloud / hostingData residency in India, encryption, shared responsibility clarityNo signed shared-responsibility matrix, backups outside India
Lending Service ProviderConsent capture, audit rights, data minimisationNo security annexure, unrestricted data pull from the app
KYC / bureauPurpose limitation, access logging, secure transmissionBureau credentials shared across staff, no access review
Communication gatewayNo storage of full PII in message logsFull customer data sitting in third-party message history

Reporting: the six-hour clock that catches everyone

When an incident hits, you are actually running two clocks at once, and NBFCs routinely miss both. The CERT-In Directions of April 2022 require you to report a cyber incident within six hours of noticing it. Six hours is not a business day; it is a genuine sprint, and the only way to hit it is to have the template, the contacts and the escalation path ready before the incident, not after.

Separately, RBI expects prompt reporting of material cyber incidents through its own supervisory channels. The framework also requires you to synchronise all system clocks to the Network Time Protocol servers of NIC or NPL, and to retain logs securely for a rolling 180 days within Indian jurisdiction. That log retention clause is the one auditors love, because it is trivially verifiable and frequently failed.

Picture the scene an examiner walks you through. A collections agent clicks a phishing link on a Tuesday afternoon. Your endpoint tool flags anomalous outbound traffic at 3pm. Nobody is watching the console until Wednesday morning. By the time your IT head decides it is serious enough to report, forty hours have passed. You have breached the six-hour CERT-In window, your logs from the affected server were rotated out because retention was set to thirty days, and you cannot reconstruct what left the network. That is not a hypothetical; that is a Thursday at a mid-sized NBFC.

What audit-ready actually costs and how long it takes

NBFCs consistently underestimate both the timeline and the spend, then try to compress everything into the fortnight before an inspection. Real readiness for a mid-sized NBFC is a three to six month programme, and the cost depends heavily on how much documentation and tooling already exists.

WorkstreamTypical effortIndicative cost (INR)
Policy and governance framework build4 to 8 weeks2,00,000 to 6,00,000
Gap assessment against RBI framework2 to 4 weeks3,00,000 to 8,00,000
BCP-DR design and first drill6 to 10 weeks4,00,000 to 12,00,000
Independent IS audit (annual)3 to 6 weeks3,00,000 to 10,00,000
VAPT of apps and infrastructure2 to 4 weeks1,50,000 to 6,00,000 per cycle

These are indicative ranges for a mid-sized NBFC and scale with the number of applications, cloud footprint and whether you run a lending app. The expensive mistake is not the audit fee. It is the remediation you are forced to do at speed when a finding lands, or worse, the supervisory action that follows a reportable incident you handled badly.

Five gaps that sink RBI audits

After enough inspections you start to see the same failures recur. If you fix only five things before your next review, fix these.

  • Stale policy: a cyber policy approved three years ago with no annual review minute. Undated or unreviewed is treated as absent.
  • Phantom governance: committees that exist on paper but have no meeting minutes for the last four quarters.
  • Untested DR: a BCP with RTO and RPO on paper but zero evidence of a live failover drill.
  • Blind vendor risk: LSP and cloud contracts with no security annexure, no audit rights and no data-residency confirmation.
  • Broken reporting: no CERT-In template, no six-hour escalation path, and log retention set below 180 days.

The DPDP overlay you cannot ignore

The Digital Personal Data Protection Act 2023 now sits on top of everything above, and for an NBFC the two frameworks reinforce each other. Borrower data is personal data. Your consent capture, your purpose limitation, your breach notification and your data-retention decisions are now legal obligations, not just RBI expectations. When the DPDP rules and the Data Protection Board become fully operational, a mishandled breach can attract both a supervisory finding and a financial penalty. Build your consent and data-governance controls once, and map them to both regimes.

Your pre-inspection fix-it checklist

If an inspection were confirmed for next month, this is the list I would hand you. None of it is optional, and most of it is documentation you either have or you do not.

  • Locate the board minute approving your cyber and IT policy, and confirm the review date is within twelve months.
  • Produce the last four quarters of IT Strategy Committee minutes; if they do not exist, convene and minute now.
  • Confirm your CISO is independent of IT operations and has a written mandate.
  • Pull the last DR drill report with RTO and RPO actuals against targets.
  • Verify every critical vendor contract has a security annexure, audit rights and India data-residency confirmation.
  • Check that your CERT-In incident template and six-hour escalation contacts are current and known to the on-call team.
  • Confirm log retention is at least 180 days within India and system clocks are synced to NIC or NPL.
  • Have your latest independent IS audit and VAPT reports, with a tracked closure status for every finding.
  • Map your consent and data-retention controls to both the RBI framework and the DPDP Act.

Come back to that opening question: show me the board minute, and show me the review date. If you can answer that one cleanly, and produce the DR drill report, the vendor annexures and the incident template behind it, you are most of the way to a clean inspection. The framework is not trying to catch you out. It is asking whether the people who run the money also own the risk. Most of the work is proving that they do.

If you would rather not discover the gaps in the inspection room, our team at CyberSigma are senior CERT-In empanelled auditors and PCI QSAs who run these RBI readiness reviews hands-on, from policy and governance through to the DR drill and the VAPT. We are happy to walk your framework with you before someone from RBI does.

FAQs

Does the RBI cyber framework apply to small Base Layer NBFCs?

Even Base Layer NBFCs have baseline IT and security obligations, plus the CERT-In incident-reporting and log-retention directions which apply to every body corporate. The heavier IT Governance framework of 2024 bites hardest on Middle and Upper Layer NBFCs and anyone running a digital lending app. Do not assume small means exempt; assume you must at least demonstrate a board-approved policy, incident reporting and basic controls.

What is the deadline to report a cyber incident?

Under the CERT-In Directions of April 2022 you must report a covered cyber incident within six hours of noticing it. Separately, RBI expects prompt reporting of material incidents through its supervisory channels. The practical answer is to treat six hours as your hard clock and have the template and contacts ready in advance.

Do I need a separate CISO if I already have a head of IT?

Yes, and the two roles should be independent. The framework expects the Chief Information Security Officer to provide security assurance without being the same person accountable for building and running the systems. At smaller NBFCs this is the most common structural finding, because one person is doing both.

How often must the DR plan be tested?

At least annually, and you must retain the test report showing your actual recovery time and data loss against your documented RTO and RPO. A plan on paper with no live failover drill is treated as untested, which in an audit is close to having no plan at all.

Where must NBFC customer and lending data be stored?

For digital lending, borrower data collected by the app must be stored on servers located in India, kept to what is needed, and captured with explicit consent. The CERT-In log-retention requirement also expects logs to be maintained within Indian jurisdiction for a rolling 180 days. The DPDP Act adds further purpose-limitation and consent obligations on the same data.

How long does it take to become RBI audit-ready?

For a mid-sized NBFC starting from a weak position, plan for three to six months across policy, governance, BCP-DR, IS audit and VAPT. Compressing it into the fortnight before an inspection is where most avoidable findings come from, because you cannot retro-fit a year of committee minutes or a tested DR drill overnight.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205