RBI proposes to prescribe a Master Direction on IT Governance, Risk, Controls and Assurance Practices for NBFCs in Top, Upper and Middle Layers as per Scale Based Regulation

The Reserve Bank of India has issued a Draft Master Direction – Information Technology Governance, Risk, Controls and Assurance Practices (“Draft MD”) for comments of stakeholders and members of the public.

Comments / feedback from Regulated Entities (RE) and other stakeholders may be submitted by 20th November, 2022 through email with the subject line ‘Feedback on Master Direction – Information Technology Governance, Risk, Controls and Assurance Practices’.

The final Master Direction will be issued by the Reserve Bank after considering the feedback received and will come into effect 6 months from the date of issue, i.e., the date on which the final Master Direction is placed on the official website of the Reserve Bank of India (RBI).

Applicability – The Draft MD applies to all Non-Banking Financial Companies (NBFCs) in Top, Upper and Middle Layers as per Scale Based Regulation (SBR) (hereinafter referred to as “RE”).

Key Takeaways:

  1. REs have to put in place a robust IT Governance Framework comprising the governance structure and processes necessary to meet the RE’s business/ strategic objectives. The governance framework shall specify the role (including authority) and responsibilities of the Board of Directors (Board)/ Board-level Committee/ Local Management Committee (in case of foreign banks operating as branches in India) and Senior Management. The Framework must, inter alia, include adequate oversight mechanisms to ensure accountability and mitigation of business risks. The key focus areas of IT Governance shall include strategic alignment, value delivery, risk management, resource management, performance management and Business Continuity/ Disaster Recovery Management.

  2. Strategies and policies related to IT, Information Systems (IS), Business Continuity, Information Security and Cyber Security (including Incident Response and Recovery Management/ Cyber Crisis Management) shall be approved by the Board and reviewed at least annually. The enterprise-wide risk management policy or operational risk management policy must also incorporate IT-related risks.

  3. IT Strategy Committee:
    • REs have to establish a Board-level IT Strategy Committee (ITSC) with a minimum of two directors as members. At least one member should have substantial expertise in managing/ guiding technology initiatives. The IT Strategy Committee shall meet at least on a quarterly basis.
    • Separate compliance requirements for the Board/ IT Strategy Committee have also been provided.

  4. Senior Management:
    • The CEO of the RE shall have overall responsibility for, and institute effective oversight of, the planning and execution of the IT Strategy; put in place appropriate mechanisms to ensure that IT/ IS and their support infrastructure function effectively and efficiently, that the cyber security posture of the RE is robust, and that, overall, IT contributes to productivity, effectiveness and efficiency in business operations.

  5. REs have to establish an IT Steering Committee with representation at Senior Management level from IT and business functions, for assisting the Board/ IT Strategy Committee in the implementation of the IT Policy and IT Strategy. The IT Steering Committee shall meet at least on a quarterly basis.

  6. Head of IT Function:
    • REs have to appoint a sufficiently senior, technically competent person, experienced in IT-related aspects, as Head of IT Operations. The Head of IT Operations shall play a key role in decision-making involving the use of IT in the RE.

  7. Requirements for trained resources with requisite skill sets for the IT function shall be understood and assessed appropriately by the Head of IT Operations. A periodic assessment of the training requirements for human resources shall be made to ensure that sufficient, competent and capable human resources are available.

  8. REs shall have a documented training plan/ programme for periodic training/ awareness workshops for the members of its Board, Senior Management, CxOs, members of the IT Function and other employees on aspects pertaining to IT and Information Security. The plan shall be implemented and tracked for its effectiveness.

  9. IT Services Management:
    • A robust IT Service Management Framework shall be established for supporting the IT systems and infrastructure of the RE, to ensure the operational resilience of the entire IT environment of the RE (including DR sites).
    • A Service Level Management (SLM) process shall be put in place to manage the IT operations while ensuring effective segregation of duties.
    • For seamless continuity of business operations, REs shall avoid using outdated and unsupported hardware or software and shall monitor software end-of-support (EOS) dates and Annual Maintenance Contract (AMC) dates of IT hardware on an ongoing basis. REs shall develop a technology refresh plan for the timely replacement of hardware and software before they reach EOS.
    • REs shall ensure clock/ time synchronisation between all their IT systems using appropriate protocols.

  10. Capacity Management:
    • Capacity management is a critical objective of the IT Function, and REs are required to proactively assess any capacity constraint based on past trends (peak usage) and business activities (current as well as future plans) and address the issues effectively. An annual assessment of capacity vis-à-vis expectations, with a sufficient safety margin, shall be carried out and reviewed by the Board/ Board-level IT Strategy Committee.

  11. REs shall ensure that IT systems and infrastructure are able to support business functions and ensure availability of all service delivery channels.

  12. IT capacity planning across all components, services, system resources and supporting infrastructure shall be consistent with the current business requirements and projected future needs as per the IT strategy of the RE.

  13. Project Management:
    • REs, while adopting new/ emerging technologies or tools or revamping existing ones in their technology stack, shall follow a standard enterprise architecture planning methodology/ framework. Such adoption, including of Artificial Intelligence, Automation, Application Programming Interfaces (APIs) and other emerging technologies, shall be commensurate with the risk appetite and align with the overall Business/ IT strategy of the RE. This should facilitate optimal creation, use and/ or sharing of information by the business in a way that is secure and resilient. REs shall maintain an enterprise data dictionary to enable the sharing of data among applications and systems and promote a common understanding of data among IT and business users.
    • A consistent and formally defined project management approach shall be applied to IT projects undertaken by the RE. The project management approach shall, inter alia, enable appropriate stakeholder participation for effective monitoring and management of project risks and progress.
    • Information on major IT projects that have a significant impact on the RE’s risk profile and strategy shall be reported to the IT Strategy Committee. Such projects shall undergo appropriate strategic and cost/ reward analysis on a periodic basis.

  14. Change Management:
    • REs shall put in place a ‘Change Management’ procedure for handling any changes in technology and processes, to ensure that changes in the IT systems are implemented and reviewed in a controlled manner and in a controlled environment.
    • Similarly, procedures to assess the effectiveness of integration and interoperability of complex IT processes shall be put in place. Patches, according to their criticality, shall be evaluated in a test environment before being pushed into the live environment.

  15. Data Migration Controls:
    • REs shall have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency. The policy shall, inter alia, contain provisions pertaining to sign-offs from business users/ application owners at each stage of migration, audit trails, etc.

  16. Audit Trails:
    • Every IT application which can access or affect critical/ sensitive information shall have audit trail/ logging capability with details such as transaction id, date, time, originator id, authoriser id, actions undertaken by a given user id, etc. Other details, such as the IP address of the client machine, terminal identity or location, shall also be logged wherever applicable.
    • The IT policy of the RE shall articulate the preservation period of such audit trails and logs, considering the regulatory and legal requirements.
    • The audit trails shall satisfy the RE’s business requirements apart from regulatory and legal requirements. The audit trails must be detailed enough to facilitate the conduct of audit, serve as forensic evidence when required and assist in dispute resolution, including for non-repudiation purposes. Audit trails shall be secured to ensure the integrity of the information captured and preservation of evidence. REs shall put in place an effective log management and retention framework comprising tools to manage, collect and store system and application logs required to facilitate incident investigation and analysis.
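
As an added illustration (not part of the draft MD or of this summary), the following Python sketch records the fields listed above and hash-chains each entry to the previous one, so that a later edit or removal of a record is detectable when the trail is verified; the field names, sample records and function names are constructed for the example.

```python
# Added example (not from the RBI draft or Lexplosion): a tamper-evident
# audit trail with the fields the draft lists, hash-chained so that later
# alteration or deletion of a record breaks verification.
import hashlib
import json

FIELDS = ("transaction_id", "timestamp", "originator_id", "authoriser_id",
          "action", "client_ip", "terminal_id")
GENESIS = "0" * 64  # constructed anchor value for the first entry's prev_hash

def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the same record always hashes identically.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(trail: list, **fields) -> dict:
    """Append one audit record; every field in FIELDS is mandatory."""
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit entry missing fields: {missing}")
    entry = {f: fields[f] for f in FIELDS}
    entry["prev_hash"] = trail[-1]["entry_hash"] if trail else GENESIS
    entry["entry_hash"] = _digest(entry)  # covers prev_hash, linking the chain
    trail.append(entry)
    return entry

def verify_trail(trail: list) -> tuple:
    """Return (ok, index): ok is False at the first edited record or broken link."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev_hash"] != prev or _digest(entry) != entry["entry_hash"]:
            return False, i
        prev = entry["entry_hash"]
    return True, len(trail)

def demo() -> tuple:
    """Build two constructed records, then tamper with one and re-verify."""
    trail = []
    append_entry(trail, transaction_id="TXN-0001", timestamp="2022-11-01T10:15:00Z",
                 originator_id="maker01", authoriser_id="checker07",
                 action="APPROVE_DISBURSEMENT", client_ip="10.0.5.21", terminal_id="BR-17")
    append_entry(trail, transaction_id="TXN-0002", timestamp="2022-11-01T10:16:30Z",
                 originator_id="maker01", authoriser_id="checker07",
                 action="REVERSE_DISBURSEMENT", client_ip="10.0.5.21", terminal_id="BR-17")
    intact = verify_trail(trail)[0]
    trail[0]["authoriser_id"] = "maker01"  # simulated after-the-fact edit (maker = checker)
    return intact, verify_trail(trail)[0]

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Chaining alone does not reveal truncation of the most recent records, so the latest entry hash should also be anchored outside the application, for example by forwarding each record to a separate, write-restricted log store as the retention framework above envisages.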
  17. IT Risk Management:
    • The risk management policy of the RE shall include IT-related risks, including Cyber Security-related risks, and the Risk Management Committee of the Board shall periodically review and update the same, at least on a yearly basis.
    • REs should establish a robust IT Risk Management Framework covering the specific aspects provided in the Draft MD.

  18. IT Risk Metrics:
    • REs shall define appropriate metrics for system performance, recovery and business resumption, including Recovery Point Objective (RPO) and Recovery Time Objective (RTO), for each IT system/ service/ application.
    • REs shall implement appropriate scorecards/ metrics/ methodology to measure IT performance and IT maturity level.

  19. Information Security Management:
    • REs must define and implement the necessary systems, procedures and controls to ensure secure storage/ transmission/ processing of data/ information.
    • REs may consider implementing security standards/ IT control frameworks (such as ISO 27001) for their critical functions.
    • REs have to ensure that the privacy-related safeguards required by laws and regulations are built into their information management framework.

  20. The risk assessment for each information asset within the RE’s scope shall be guided by appropriate security standards/ IT control frameworks. It shall entail identifying the threat/ vulnerability combinations that have a likelihood of impacting the confidentiality, integrity and availability of that information asset (including stored and processed data/ information) from a business, compliance and/ or contractual perspective.

  21. REs must ensure that all staff members and service providers comply with the extant information security and/ or acceptable-use policies as applicable to them.

  22. REs must review their security infrastructure and security policies at least annually, factoring in their own experiences and emerging threats and risks. REs shall take steps to adequately tackle cyber-attacks, including phishing and spoofing attacks, and mitigate their adverse effects.

  23. Physical and Environmental Controls:
    • REs shall implement suitable physical and environmental controls to prevent impairment of data through physical access and damage or destruction to physical infrastructure/ facilities (DC and DR sites).
    • The RE’s DC and DR sites should be geographically well separated so that both sites are not affected by a similar threat associated with their location. REs shall ensure that their DC and DR sites are adequately monitored through CCTV cameras and that the recordings are reviewed on an ongoing basis.

  24. Access Controls:
    • Access to information assets shall be allowed only where a valid business need exists. There shall be documented standards/ procedures, approved by the competent authority and kept up to date, for administering need-based access to an IT system.
    • Personnel with elevated system access entitlements shall be closely supervised, with all their system activities logged and periodically reviewed. REs shall adopt multi-factor authentication for privileged users.

  25. There are other compliance requirements proposed under the Draft MD with reference to the following:
    • Incident Response and Recovery Management
    • VA/PT Assessments
    • Controls on Teleworking
    • Business Continuity and Disaster Recovery Management
    • Information Systems (IS) Audit

  26. Further, the Draft MD also proposes to repeal a list of previous RBI Notifications.

Please refer to the hyperlink below for a detailed read of the Draft MD.

Source: Reserve Bank of India

https://lexplosion.in/

Lexplosion Solutions Private Limited is a pioneering Indian Legal-Tech company that provides legal risk and compliance management solutions through cloud-based software and expert services.
