Wake of cyber and IT fraud: S Ravi, former BSE Chairman interprets the new master direction put forth by the RBI


The new comprehensive master direction on information technology governance, risk, controls and assurance practices, to be implemented by regulated entities (REs), will be effective from 1st April 2024. Sethurathnam Ravi, former BSE Chairman, speaks about how this will facilitate the easy administration of IT and cyber governance and compliance in place of the prevalent multiple circulars. The master direction covers scheduled commercial banks (excluding regional rural banks); small finance banks; payments banks; NBFCs in top, upper and middle layers; all India financial institutions; and credit information companies.

“The master direction clearly outlines the role (including authority) of the board of directors, board-level committee and senior management of these REs in discharging their responsibilities to protect the interests of customers and consolidates and updates the guidelines, instructions and circulars on IT Governance, Risk, Controls, Assurance Practices and Business Continuity/ Disaster Recovery Management issued earlier”, S Ravi, former BSE Chairman informs the public.

S Ravi Bse also explains that the master direction makes it mandatory for the REs to put in place a robust IT Service Management Framework for supporting their information systems and infrastructure to ensure the operational resilience of their entire IT environment (including Disaster Recovery sites). Further, it stresses the need to have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency.

In the wake of cyber and IT fraud, the RBI in its master direction has stressed the need for IT applications to have the necessary audit and system logging capability and the ability to provide audit trails. Further, in order to strengthen the IT infrastructure, the RBI through its direction highlights the need to adopt internationally accepted and published standards that are not deprecated/ demonstrated to be insecure/ vulnerable, and for the configurations involved in implementing controls to be compliant with extant laws and regulatory instructions, the former BSE Chairman elucidates.

While the approval of strategies and policies related to the IT function lies in the hands of the Board, these directions put the responsibility on the CEO to institute effective oversight on the planning and execution of IT Strategy, to ensure that the cyber security posture of the RE is robust, and to ensure that, overall, IT contributes to productivity, effectiveness and efficiency in business operations. The financial expert and former BSE Chairman, S Ravi Bse, concluded by saying that the directions have designated a Chief Information Security Officer (CISO) who will be responsible for driving IT/ cyber security, compliance and related regulatory guidelines, and administering policies of the RE.
