RBI Guidelines for CERT-In Empanelled Cyber Security Audits on Banks

The Reserve Bank of India (RBI) mandates that regulated entities, including scheduled commercial banks, urban cooperative banks, NBFCs, and payment system operators, adhere to strict cybersecurity frameworks to maintain operational resilience and protect financial data.
Mandatory Audits
The RBI requires banks and other regulated financial institutions to conduct regular audits of their information systems and cybersecurity controls. A core part of meeting this requirement is engaging CERT-In empanelled auditors to perform the assessments.
Scope of Audits
- Vulnerability Assessment and Penetration Testing (VAPT): Mandatory testing of critical infrastructure, applications, and network systems to identify vulnerabilities, with findings tracked through to remediation and re-testing.
- Information Systems (IS) Audit: Comprehensive reviews of IT governance, application controls, data integrity, and IT risk management.
- Compliance Validation: Validating the entity’s adherence to the RBI’s specific cybersecurity frameworks, including board-approved policies, incident response mechanisms, and business continuity plans (BCP).
Summary for Compliance
If you operate a bank or another RBI-regulated entity, ensure that audits are performed periodically by CERT-In empanelled firms, and maintain comprehensive documentation of audit findings, remediation efforts, and board-level reporting. Before engaging an auditor, confirm that the firm appears on CERT-In's currently published list of empanelled auditors, since empanelment is granted for a fixed period and lapses if not renewed.