
The Reserve Bank of India (RBI) has issued comprehensive Master Directions on Cyber Resilience and Digital Payment Security Controls aimed at bolstering the cyber security and resilience of non-bank Payment System Operators (PSOs). This announcement follows the draft released on June 2, 2023, and incorporates feedback from various stakeholders.
The primary objective of these directions is to ensure the safety and security of payment systems operated by PSOs by providing a robust framework for information security preparedness and cyber resilience. The guidelines are set to be implemented in a phased manner:
The guidelines mandate PSOs to establish strong governance controls with their Board of Directors responsible for overseeing information security risks. Key measures include:
- Formulating a Board-approved Information Security (IS) policy.
- Establishing a Cyber Crisis Management Plan (CCMP).
- Defining Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for continuous monitoring.
The directions outline various baseline security measures, such as:
- Maintaining records of all critical information assets.
- Implementing digital identities and multi-factor authentication for system access.
- Configuring network devices with security rules.
- Ensuring a Security Operations Centre (SOC) is in place.
The RBI mandates a comprehensive incident response mechanism and a Business Continuity Plan (BCP) to manage cyber incidents and ensure rapid recovery of critical operations. This includes setting up a Disaster Recovery (DR) facility in a different seismic zone from the Primary Data Centre (PDC) and conducting regular DR drills.
For more details, the full Master Directions are available on the official RBI website.