What Are RBI’s Proposed Digital Payment Security Norms? Check Details

The RBI’s proposed norms cover network security, application security life cycle, security testing, vendor risk management, business continuity plans and other key issues.

The Reserve Bank of India (RBI) has proposed to establish robust governance mechanisms for authorised non-bank payment system operators (PSOs) to effectively address emerging cybersecurity risks. For this, the central bank has issued a ‘Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators’.

“These directions aim to improve safety and security of the payment systems operated by PSOs by providing a framework for overall information security preparedness with an emphasis on cyber resilience,” the RBI said.

What Are The Proposed Norms?

The draft directions cover governance mechanisms for the identification, assessment, monitoring and management of cybersecurity risks, including information security risks and vulnerabilities. They also specify baseline security measures to ensure safe and secure digital payment transactions.

According to the proposed norms, the Board of Directors of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the Board which shall meet at least once every quarter.

The PSO shall formulate a Board-approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems, as well as the management of risks that have materialised.

The PSO shall prepare a distinct Board-approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond to and recover from cyber threats and cyber attacks. Relevant guidelines from CERT-In / National Critical Information Infrastructure Protection Centre (NCIIPC) / IDRBT and other agencies may be referred to for guidance.

The central bank said existing instructions concerning security and risk mitigation for card payments, prepaid payment instruments (PPIs) and mobile banking will remain in effect.

“To effectively identify, monitor, control and manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities, who are part of their digital payments ecosystem, PSOs shall ensure adherence to these Directions by such unregulated entities as well, subject to a mutual agreement,” the draft directions said.

The RBI has invited stakeholders to provide comments and feedback on the draft by June 30.

The draft further highlights the importance of inventory management: PSOs should maintain records of key roles, information assets, critical functions, processes, third-party service providers and their interconnections, and document their levels of usage, criticality and business value.

The draft also covers network security, application security life cycle (ASLC), security testing, vendor risk management, business continuity plans and other key issues.

Regarding data security, the draft stipulates that PSOs must implement a comprehensive data leak prevention policy to ensure the confidentiality, integrity, availability and protection of business and customer information, both within the PSO’s control and at vendor-managed facilities.