India · RBI Master Direction on IT Governance (2023)

RBI cyber security and IT governance compliance

VAPT, secure SDLC, third-party risk and crypto controls for banks, NBFCs and payment operators.

The Reserve Bank of India's Master Direction on IT Governance, Risk, Controls and Assurance Practices (RBI/2023-24/107, dated 7 November 2023, effective 1 April 2024) is the umbrella rulebook for technology and cyber risk across regulated lenders. It sits on top of the 2016 Cyber Security Framework in Banks (DBS.CO/CSITE/BC.11/33.01.001/2015-16) and the 2021 Master Direction on Digital Payment Security Controls (RBI/2020-21/74), which still govern baseline controls, SOC monitoring and payment-app security.

Together these directions require board-owned IT policy, vulnerability assessment and penetration testing, a secure SDLC, cryptographic controls, third-party and outsourcing risk management, and incident reporting to RBI and CERT-In within prescribed timelines. This page explains how to meet each requirement and the official RBI sources to cite.

At a glance
7 Nov 2023 · IT Governance Master Direction issued (RBI/2023-24/107)
1 Apr 2024 · Effective date of the IT Governance Master Direction
2 Jun 2016 · Cyber Security Framework in Banks circular
18 Feb 2021 · Digital Payment Security Controls Master Direction
RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices, 2023
Why it matters

A board-accountable mandate that turns application and supply-chain risk into a supervisory obligation.

The 2023 IT Governance Master Direction consolidated RBI's expectations on technology risk into a single, board-owned framework. It applies to Scheduled Commercial Banks (with limited exclusions), Small Finance Banks, Payments Banks, upper- and middle-layer NBFCs, Credit Information Companies and the all-India financial institutions (EXIM, NABARD, NHB, SIDBI). The board and a board-level IT Strategy Committee carry direct accountability for IT and cyber risk (RBI/2023-24/107).

Application security is now explicit. The Direction requires a secure software development life cycle, rigorous change and project management, vulnerability assessment and penetration testing, cryptographic controls and audit trails. Chapter III adds detailed controls for IT service management, third-party and outsourcing arrangements, and data-migration projects, so dependency and vendor risk is supervised, not optional.

For payment operators, the 2021 Digital Payment Security Controls Master Direction layers on a board-approved policy covering Functionality, Security and Performance, secure development and testing before rollout, and ongoing risk assessment of the technology stack and third-party dependencies. The 2016 Cyber Security Framework continues to mandate VAPT of critical infrastructure, a Security Operations Centre, and incident reporting to RBI and CERT-In within prescribed timelines.

How O3 helps

Find it before attackers do. Catch it if they try. Fix it fast.

Across these requirements, O3 runs one continuous loop on your own software so issues surface, get caught, and get fixed before they become an incident.

1 · Find it first

Test like an AI-assisted attacker

An agentic pentest probes your app across 50+ vulnerability classes the way a real attacker chains them, so exploitable flaws surface in your build before someone outside finds them.

2 · Catch it live

Detect and block exploitation at runtime

A kernel-level eBPF agent watches process trees and syscalls, recognises an attack sequence as it unfolds, and restricts the offending process on the spot rather than taking down the host.

3 · Fix it fast

Auto-patch what is reachable

Reachability ranks what genuinely matters, then autofix opens a pull request with the change, so remediation starts inside tight fix windows instead of sitting in a queue.

Risk-based prioritisation

From alert flood to a short list

KEV + EPSS + reachability turn a raw scan into the few findings that actually need action now.

Raw findings in dependency tree · ~12,400
Vulnerable & version-matched · ~4,700
Reachable in your code · ~1,360
KEV / high-EPSS · act now · ~370

Illustrative funnel. Reachability removes the bulk of unexploitable noise before triage.

Remediation expectations

The clock by finding type

Indicative fix windows. Tightest where exposure and active exploitation meet.

CERT-In reportable incident notification · 6 hours
Initial cyber-incident report to RBI (unusual / serious incidents) · 2-6 hours
VAPT of critical / internet-facing applications · At least annually
Information Systems (IS) audit cycle · Annual

Governance

How to establish board-owned IT and cyber security governance

RBI makes the board, not the CISO alone, accountable for technology and cyber risk. The IT Governance Master Direction requires a documented governance structure with clear roles before any control activity is judged adequate.

RBI/2023-24/107, Chapter II · RBI/2020-21/74 (Digital Payment Security Controls)
  • Constitute a board-level IT Strategy Committee and an IT Steering Committee, and appoint a senior-level Head of IT and a CISO with defined, separate mandates (IT Governance MD, Ch. II).
  • Approve a board-level IT and information/cyber security policy, reviewed at least annually, that covers risk appetite, roles and escalation.
  • Maintain a current IT and digital asset inventory and a risk-assessment methodology that feeds the policy.
  • For payment operators, add a board-approved Functionality, Security and Performance (FSP) policy per the Digital Payment Security Controls MD, 2021.

Application security

How to implement a secure SDLC and change management

Both the IT Governance MD and the 2021 payment controls require security to be built into development, not bolted on. Secure SDLC, code review and pre-release testing are named obligations.

RBI/2023-24/107, Chapter III · RBI/2020-21/74
  • Embed security requirements, threat modelling and code review into every phase of development, and gate releases on security testing (IT Governance MD, Ch. III; DPSC 2021).
  • Run static application security testing (SAST) and software composition analysis (SCA) in CI to catch injection, secrets and known-vulnerable libraries before merge.
  • Enforce formal change, project and release management with segregation of duties between development, test and production.
  • For payment apps, complete secure development and testing before rollout and reassess on every material change (DPSC 2021).
Where O3 helps

O3 runs interprocedural SAST (code-property-graph, source-to-sink taint), SCA against OSV, and secret scanning directly in CI, with autofix and auto-PR so issues are closed inside the SDLC rather than logged for later.
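The "gate releases on security testing" step above is usually a small policy script in the CI job. The following is an added example written for this page, not O3's code and not taken from any RBI text: it reads SARIF 2.1.0 output, the interchange format most SAST and SCA scanners can emit, and blocks the release on any error-level result or any result from a secrets rule, whatever its level. The rule-id prefixes, the severity policy and the two embedded SARIF documents are constructed for the example.

```python
import json
import sys

# Assumed release policy for this example (illustrative, not RBI's wording):
# any SARIF result at level "error" blocks the release, as does any result
# from a secrets rule regardless of level. Everything else is a warning.
BLOCKING_LEVELS = {"error"}
SECRET_RULE_PREFIXES = ("secret/", "hardcoded-credential/")


def _location(result):
    """Return 'uri:line' for the first physical location, or '<unknown>'."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
        line = phys.get("region", {}).get("startLine", 0)
        return f"{uri}:{line}"
    return "<unknown>"


def evaluate_sarif(sarif):
    """Apply the release policy to a SARIF 2.1.0 document (already parsed to a dict).

    Returns {"release_allowed": bool, "blockers": [...], "warnings": [...]}.
    """
    blockers, warnings = [], []
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown-tool")
        for result in run.get("results", []):
            rule = result.get("ruleId", "")
            level = result.get("level", "warning")  # SARIF default when omitted
            entry = f"{tool}: {rule} ({level}) at {_location(result)}"
            if level in BLOCKING_LEVELS or rule.startswith(SECRET_RULE_PREFIXES):
                blockers.append(entry)
            else:
                warnings.append(entry)
    return {"release_allowed": not blockers, "blockers": blockers, "warnings": warnings}


def _result(rule, level, uri, line, text):
    """Build one SARIF result object (helper for the constructed samples)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                 "region": {"startLine": line}}}]}


# Constructed SARIF output, as a SAST tool and an SCA tool might emit it.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "example-sast"}},
         "results": [
             _result("py/sql-injection", "error", "app/accounts.py", 42, "Tainted input reaches cursor.execute"),
             _result("py/reflected-xss", "warning", "app/views.py", 88, "Unescaped parameter in response"),
             _result("secret/aws-access-key", "warning", "config/settings.py", 7, "Hard-coded credential"),
         ]},
        {"tool": {"driver": {"name": "example-sca"}},
         "results": [
             _result("sca/known-vulnerable", "error", "requirements.txt", 12, "Affected library version"),
             _result("sca/outdated", "note", "requirements.txt", 15, "Newer release available"),
         ]},
    ],
}

# Constructed clean run: nothing blocking, one informational note.
CLEAN_SARIF = {"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "example-sast"}},
     "results": [_result("py/style", "note", "app/util.py", 3, "Style hint")]}]}


def main(path=None):
    """Gate a CI job: read SARIF from `path` (or use the sample) and return the exit code."""
    if path:
        with open(path) as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    verdict = evaluate_sarif(sarif)
    print(json.dumps(verdict, indent=2))
    return 0 if verdict["release_allowed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python gate.py results.sarif` after the scanners have written their output; a non-zero exit code fails the pipeline stage, which is what turns "security testing" into a release gate rather than a report. Treating secrets as blocking regardless of the scanner's own level is deliberate: a committed credential is a live exposure, not a code-quality finding.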

Vulnerability management

How to meet RBI VAPT and vulnerability management expectations

VAPT of critical infrastructure, applications and networks is a recurring requirement across the 2016 framework, the IT Governance MD and the payment controls. Findings must be tracked to closure with risk-based prioritisation.

DBS.CO/CSITE/BC.11/33.01.001/2015-16 (2016) · RBI/2023-24/107
  • Perform vulnerability assessment and penetration testing of critical and internet-facing systems at least annually and after major changes (2016 Cyber Security Framework, Annexes; IT Governance MD).
  • Use CERT-In-empanelled auditors where the engagement must be independently attested.
  • Prioritise remediation by real exploitability and business context, not raw CVSS, and document the closure timeline for each finding.
  • Re-test after fixes and retain evidence for the IS audit and RBI inspection.
Where O3 helps

O3's agentic DAST/pentest covers 50+ vulnerability classes, while function-level reachability plus EPSS and KEV ranking show which findings are actually exploitable, so banks remediate the few that matter first.
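The "alert flood to a short list" funnel shown earlier and the "prioritise by real exploitability, not raw CVSS" step above are the same piece of logic. The block below is an added example for this page, not O3's code: it runs a list of scanner findings through the four stages (raw, version-matched, reachable, KEV or high-EPSS) and returns the stage counts plus the ordered act-now list. The EPSS cut-off, the advisory ids, package names and the reachability flags are all constructed; in practice the reachability flag comes from call-graph analysis and the KEV/EPSS fields from the CISA and FIRST feeds.

```python
from dataclasses import dataclass

# Assumed EPSS cut-off for "act now" (illustrative; teams pick their own).
EPSS_ACT_NOW = 0.10


@dataclass(frozen=True)
class Finding:
    advisory: str          # advisory id (placeholder values below)
    package: str
    installed: str         # installed version, dotted integers
    introduced: str        # first affected version (inclusive)
    fixed: str             # first fixed version (exclusive)
    reachable: bool        # does application code reach the vulnerable function?
    in_kev: bool           # listed in CISA KEV (known exploited)
    epss: float            # EPSS probability in [0, 1]


def version_tuple(v):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def version_matched(f):
    """True if the installed version lies in [introduced, fixed)."""
    return version_tuple(f.introduced) <= version_tuple(f.installed) < version_tuple(f.fixed)


def triage(findings):
    """Run the four-stage funnel and return (stage counts, ordered act-now list)."""
    matched = [f for f in findings if version_matched(f)]
    reachable = [f for f in matched if f.reachable]
    act_now = [f for f in reachable if f.in_kev or f.epss >= EPSS_ACT_NOW]
    # KEV entries first (active exploitation), then by descending EPSS.
    act_now.sort(key=lambda f: (not f.in_kev, -f.epss))
    counts = {"raw": len(findings), "version_matched": len(matched),
              "reachable": len(reachable), "act_now": len(act_now)}
    return counts, act_now


# Constructed findings; advisory ids and package names are placeholders.
SAMPLE_FINDINGS = [
    Finding("ADV-0001", "libfoo", "1.2.3", "1.0.0", "1.3.0", reachable=True, in_kev=True, epss=0.02),
    # High EPSS but the installed version is already past the fix: noise.
    Finding("ADV-0002", "libbar", "2.5.0", "2.0.0", "2.4.0", reachable=True, in_kev=False, epss=0.80),
    # Affected version, but nothing in the application reaches the vulnerable code.
    Finding("ADV-0003", "libbaz", "0.9.1", "0.9.0", "0.9.5", reachable=False, in_kev=False, epss=0.90),
    Finding("ADV-0004", "libqux", "3.1.0", "3.0.0", "3.2.0", reachable=True, in_kev=False, epss=0.45),
    # Affected and reachable, but not in KEV and very low EPSS: schedule, do not page.
    Finding("ADV-0005", "libquux", "4.0.0", "4.0.0", "4.0.1", reachable=True, in_kev=False, epss=0.01),
]

if __name__ == "__main__":
    counts, shortlist = triage(SAMPLE_FINDINGS)
    for stage, n in counts.items():
        print(f"{stage:16s} {n}")
    for f in shortlist:
        print(f"act now: {f.advisory} {f.package}@{f.installed} kev={f.in_kev} epss={f.epss:.2f}")
```

The two findings that survive are the KEV entry (regardless of its low EPSS) and the reachable one with high EPSS; the high-EPSS finding on an unaffected version and the unreachable one drop out before anyone looks at them, which is the point of version matching and reachability running before scoring. The "document the closure timeline" step is then applied to the short list, not the raw scan.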

Third-party risk

How to manage third-party, outsourcing and dependency risk

Chapter III of the IT Governance MD and the DPSC 2021 both require ongoing risk assessment of vendors, outsourced services and the wider technology stack, including open-source dependencies.

RBI/2023-24/107, Chapter III · RBI/2020-21/74
  • Maintain a register of IT service providers and outsourced arrangements with due-diligence, contractual security clauses and exit plans (IT Governance MD, Ch. III).
  • Assess the technology stack and third-party software dependencies on an ongoing basis (DPSC 2021).
  • Generate and maintain a software bill of materials for procured and in-house applications so transitive open-source components are visible.
  • Screen dependencies for known vulnerabilities and signs of malicious or compromised packages before they enter production.
Where O3 helps

O3 produces a CycloneDX SBOM (with deps.dev and VEX enrichment) and runs malicious-dependency detection for typosquats, malicious post-install scripts and compromised maintainers, giving auditable evidence of third-party software risk.
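As an added example of the "screen dependencies for signs of malicious or compromised packages" step (written for this page, not O3's detection logic), the block below walks the components of a CycloneDX-shaped SBOM and applies three cheap checks that catch a large share of supply-chain abuse: a name within a small edit distance of a popular package, a lifecycle script that runs code at install time, and a package published only days ago. The SBOM, the registry metadata, the popular-name list and the thresholds are all constructed; a real run would fetch the metadata from the package registry for each component.

```python
# Assumed inputs: a CycloneDX-shaped SBOM dict and per-component registry
# metadata (lifecycle scripts, days since publication). Both are constructed.

POPULAR_NAMES = ["lodash", "express", "react", "axios", "chalk"]  # assumed reference list
TYPOSQUAT_MAX_DISTANCE = 2
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall")
NEW_PACKAGE_DAYS = 30


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(sbom, registry, popular=POPULAR_NAMES):
    """Return {component name: [flags]} for every component that trips a check."""
    flagged = {}
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        flags = []
        # 1. Typosquat: close to a popular name but not identical to any of them.
        if name not in popular:
            for p in popular:
                if levenshtein(name, p) <= TYPOSQUAT_MAX_DISTANCE:
                    flags.append(f"typosquat-of:{p}")
                    break
        meta = registry.get(f"{name}@{version}", {})
        # 2. Lifecycle scripts execute arbitrary code on the developer's or build host.
        for script in LIFECYCLE_SCRIPTS:
            if script in meta.get("scripts", {}):
                flags.append(f"install-script:{script}")
        # 3. Very new packages have had little community scrutiny.
        if meta.get("published_days_ago", 10**6) < NEW_PACKAGE_DAYS:
            flags.append("new-package")
        if flags:
            flagged[name] = flags
    return flagged


# Constructed SBOM fragment; the names, versions and purls are sample values.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "lodahs", "version": "1.0.2", "purl": "pkg:npm/lodahs@1.0.2"},
    {"type": "library", "name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"},
    {"type": "library", "name": "colorz-utils", "version": "0.0.3", "purl": "pkg:npm/colorz-utils@0.0.3"},
]}

# Constructed registry metadata, keyed as name@version.
SAMPLE_REGISTRY = {
    "lodash@4.17.21": {"scripts": {}, "published_days_ago": 1200},
    "lodahs@1.0.2": {"scripts": {"postinstall": "node setup.js"}, "published_days_ago": 3},
    "express@4.19.2": {"scripts": {}, "published_days_ago": 400},
    "colorz-utils@0.0.3": {"scripts": {"preinstall": "node ./init.js"}, "published_days_ago": 90},
}

if __name__ == "__main__":
    for name, flags in screen(SAMPLE_SBOM, SAMPLE_REGISTRY).items():
        print(f"{name}: {', '.join(flags)}")
```

Each flag is a reason for a human to look, not a verdict: a legitimate package can ship a postinstall script, and a brand-new package can be fine. The value for the RBI evidence trail is that every component in the SBOM has a recorded screening result, so the "assess dependencies on an ongoing basis" requirement has an artefact behind it.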

Cryptographic controls

How to implement and inventory cryptographic controls

The IT Governance MD requires cryptographic controls for data in transit and at rest, and the payment controls require strong cryptography for digital payment channels. Knowing what crypto you run is the first step.

RBI/2023-24/107, Chapter III · RBI/2020-21/74
  • Define a cryptographic policy covering approved algorithms, key lengths, key lifecycle and TLS configuration (IT Governance MD, Ch. III).
  • Enforce strong encryption for digital payment transactions and sensitive data flows (DPSC 2021).
  • Inventory cryptographic assets across code and infrastructure to find weak, deprecated or unmanaged algorithms.
  • Plan crypto-agility so algorithms can be replaced, anticipating the post-quantum transition flagged in CERT-In guidance.
Where O3 helps

O3 generates a Cryptographic Bill of Materials (CBOM) and a quantum readiness QBOM in CycloneDX, surfacing weak or deprecated algorithms in code and giving banks an evidence base for crypto-agility planning. Key management itself stays a bank responsibility.
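The "inventory cryptographic assets across code" step comes down to finding every algorithm use and judging it against the policy. The block below is an added example written for this page, not O3's CBOM generator: it scans source text for algorithm identifiers, looks each up in a policy table, checks RSA key lengths against a minimum, and marks which assets the post-quantum transition will force to change. The policy table, the minimum key size, the source patterns and the sample files are all assumptions for the example; a bank's own policy and a real scanner's pattern set would be broader.

```python
import json
import re
from collections import Counter
from dataclasses import asdict, dataclass

# Assumed policy table for this example (not RBI's list): algorithm ->
# (status, needs post-quantum migration). Public-key algorithms are what the
# post-quantum transition replaces; symmetric ciphers and hashes are not.
POLICY = {
    "MD5": ("deprecated", False),
    "SHA-1": ("deprecated", False),
    "DES": ("deprecated", False),
    "3DES": ("deprecated", False),
    "RC4": ("deprecated", False),
    "TLS1.0": ("deprecated", False),
    "TLS1.1": ("deprecated", False),
    "AES-128": ("approved", False),
    "AES-256": ("approved", False),
    "SHA-256": ("approved", False),
    "RSA": ("approved", True),
    "ECDSA": ("approved", True),
}
MIN_RSA_BITS = 2048  # assumed policy minimum

# Source patterns that indicate use of each algorithm (illustrative, Python/OpenSSL flavoured).
PATTERNS = [
    (re.compile(r"hashlib\.md5\b|\bMD5\b"), "MD5"),
    (re.compile(r"hashlib\.sha1\b|\bSHA1\b"), "SHA-1"),
    (re.compile(r"\bTripleDES\b|\b3DES\b"), "3DES"),
    (re.compile(r"\bDES\b"), "DES"),
    (re.compile(r"\bRC4\b|\bARC4\b"), "RC4"),
    (re.compile(r"PROTOCOL_TLSv1\b|\bTLSv1\.0\b"), "TLS1.0"),
    (re.compile(r"PROTOCOL_TLSv1_1\b|\bTLSv1\.1\b"), "TLS1.1"),
    (re.compile(r"\bAES[-_]?128\b"), "AES-128"),
    (re.compile(r"\bAES[-_]?256\b"), "AES-256"),
    (re.compile(r"hashlib\.sha256\b|\bSHA-?256\b"), "SHA-256"),
    (re.compile(r"\bRSA\b"), "RSA"),
    (re.compile(r"\bECDSA\b"), "ECDSA"),
]


@dataclass(frozen=True)
class CryptoAsset:
    file: str
    line: int
    algorithm: str
    status: str               # approved | deprecated | weak-key
    needs_pq_migration: bool
    detail: str = ""          # e.g. key length for RSA


def inventory(sources):
    """Scan {path: source text} and return one CryptoAsset per algorithm use found."""
    assets = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if line.strip().startswith(("import ", "from ", "#")):
                continue  # declarations and comments are not uses
            for pattern, algo in PATTERNS:
                if not pattern.search(line):
                    continue
                status, pq = POLICY[algo]
                detail = ""
                if algo == "RSA":
                    m = re.search(r"\b(\d{3,5})\b", line)  # key length on the same line
                    if m:
                        bits = int(m.group(1))
                        detail = f"{bits}-bit"
                        if bits < MIN_RSA_BITS:
                            status = "weak-key"
                assets.append(CryptoAsset(path, lineno, algo, status, pq, detail))
    return assets


def summarise(assets):
    """Count assets per status: the headline figures for a CBOM report."""
    return dict(Counter(a.status for a in assets))


# Constructed sample sources standing in for a scanned repository.
SAMPLE_SOURCES = {
    "auth/password.py": "import hashlib\n\ndef hash_pw(pw):\n    return hashlib.md5(pw.encode()).hexdigest()\n",
    "pki/keys.py": "from Crypto.PublicKey import RSA\n\nlegacy_key = RSA.generate(1024)\ncurrent_key = RSA.generate(4096)\n",
    "net/client.py": "import ssl\nctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)\n",
    "storage/vault.py": 'DEFAULT_CIPHER = "AES-256-GCM"  # data at rest\nDIGEST = "SHA-256"\n',
}

if __name__ == "__main__":
    found = inventory(SAMPLE_SOURCES)
    print(json.dumps([asdict(a) for a in found], indent=2))
    print(summarise(found))
```

The inventory distinguishes three different remediation conversations: deprecated primitives (MD5 password hashing, TLS 1.0) are defects to fix now; the 1024-bit RSA key is a policy breach on an otherwise approved algorithm; and the 4096-bit RSA key is compliant today but carries the post-quantum migration flag, which is the input the crypto-agility plan needs. Key management, as the page notes, is outside what a code scan can see.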

Detection and reporting

How to run monitoring and report incidents to RBI and CERT-In

A Security Operations Centre, continuous monitoring, and timely incident reporting are mandatory. CERT-In's 28 April 2022 Directions impose a 6-hour reporting window that banks must hit alongside RBI reporting.

DBS.CO/CSITE/BC.11/33.01.001/2015-16 · CERT-In Directions u/s 70B(6), 28 Apr 2022
  • Operate a SOC with real-time monitoring and log correlation across critical systems (2016 Cyber Security Framework, Annex on SOC).
  • Maintain detection and response runbooks so reportable incidents are identified quickly.
  • Report cyber incidents to RBI within the prescribed timelines and to CERT-In within 6 hours of noticing a reportable incident (CERT-In Directions, 28 Apr 2022).
  • Retain logs for 180 days within India and synchronise clocks to NPL/NIC as required by the CERT-In Directions.
Where O3 helps

O3's eBPF runtime agent (kayo) builds kernel process trees and detects attack chains with per-PID enforcement, and its L7 deep packet inspection (ecapture) flags exfiltration and DNS-tunnelling, surfacing incidents fast enough to meet the 6-hour CERT-In window. Full SIEM/SOC tooling remains separate.

Assurance

How to satisfy IS audit and assurance practices

The IT Governance MD's assurance pillar requires periodic, independent information systems audit and continuous control testing, with results escalated to the board and available to RBI.

RBI/2023-24/107 (Assurance)
  • Conduct an annual Information Systems (IS) audit covering IT controls, application security and the cyber framework (IT Governance MD, assurance chapter).
  • Ensure auditors have IT and cyber competence, and track audit findings to closure with board oversight.
  • Maintain audit trails and evidence for VAPT, SBOM, crypto inventory and incident response to support RBI inspection.
  • Feed control gaps back into the annual policy review and risk register.
Where O3 helps

O3 produces machine-readable evidence (SBOM/CBOM, reachability-ranked findings, scan and fix history) that maps cleanly into IS-audit and RBI inspection workpapers.

The whole framework

Every RBI requirement mapped to a practical, vendor-neutral way to meet it.

All 20 requirement areas, each with the reference and a vendor-neutral note on how teams meet it.

Ch. II (3 areas) · Governance & policy
Ch. III (6 areas) · IT controls & secure SDLC
VAPT (2 areas) · Vulnerability management
Detect/Report (4 areas) · SOC, incident & CERT-In reporting
DPSC 2021 (4 areas) · Digital payment security controls
Assurance (1 area) · IS audit & data migration

Requirement area | Reference | How teams meet it
Board-level IT governance structure | IT Gov MD, Ch. II | IT Strategy & Steering Committees, CISO mandate
Board-approved IT & cyber security policy | IT Gov MD, Ch. II | Annual policy with risk appetite and roles
IT and digital asset inventory | IT Gov MD, Ch. II | Maintain current asset and risk register
Secure SDLC | IT Gov MD, Ch. III | Security gates, code review, SAST/SCA in CI
Change & project management | IT Gov MD, Ch. III | Formal change control, segregation of duties
Vulnerability Assessment & Penetration Testing | 2016 Framework; IT Gov MD | Annual VAPT of critical and internet-facing systems
Risk-based vulnerability prioritisation | IT Gov MD, Ch. III | Rank by exploitability, track to closure
Cryptographic controls | IT Gov MD, Ch. III | Approved algorithms, key lifecycle, crypto inventory
Audit trails & logging | IT Gov MD; CERT-In Directions | Tamper-evident logs, 180-day India retention
Third-party & outsourcing risk | IT Gov MD, Ch. III | Vendor due diligence, contracts, exit plans
Technology-stack & dependency risk | DPSC 2021 | Ongoing SBOM and dependency assessment
Security Operations Centre & monitoring | 2016 Framework, SOC Annex | Real-time monitoring and log correlation
Cyber incident response & recovery | IT Gov MD; 2016 Framework | Runbooks, BCP/DR, post-incident review
Incident reporting to RBI | 2016 Framework | Report within RBI prescribed timelines
CERT-In 6-hour incident reporting | CERT-In Directions, 28 Apr 2022 | Notify CERT-In within 6 hours of detection
Functionality-Security-Performance policy | DPSC 2021 | Board-approved policy for payment operators
Secure development & testing before rollout | DPSC 2021 | Pre-release security testing of payment apps
Digital payment app & API security | DPSC 2021 | App hardening, authentication, fraud controls
Information Systems (IS) audit | IT Gov MD (Assurance) | Annual independent audit, board oversight
Data-migration project controls | IT Gov MD, Ch. III | Integrity, validation and rollback controls

Turn RBI VAPT, secure SDLC and third-party risk into evidence

O3 Security helps banks, NBFCs and payment operators meet the technical core of RBI's directions: SAST, SCA and reachability for secure SDLC and VAPT, SBOM and malicious-dependency detection for third-party risk, CBOM for cryptographic controls, and eBPF runtime and L7 monitoring to surface incidents inside the CERT-In 6-hour window. Governance, IAM and full SOC stay yours; O3 generates the audit-ready evidence.

Read it on rbi.org.in
FAQ

Common questions.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • It is RBI/2023-24/107, the Master Direction on IT Governance, Risk, Controls and Assurance Practices, issued on 7 November 2023 and effective from 1 April 2024. It consolidates RBI's expectations on board-owned IT governance, secure SDLC, VAPT, cryptographic controls, third-party risk and IS audit, sitting above the 2016 Cyber Security Framework.
  • It applies to Scheduled Commercial Banks (with limited exclusions), Small Finance Banks, Payments Banks, upper- and middle-layer NBFCs, Credit Information Companies and the all-India financial institutions (EXIM, NABARD, NHB, SIDBI). It excludes Local Area Banks, NBFC-CICs and base-layer NBFCs.
  • Yes. The 2016 Cyber Security Framework and the 2023 IT Governance Master Direction both require vulnerability assessment and penetration testing of critical and internet-facing systems, generally at least annually and after major changes. Many engagements must use CERT-In-empanelled auditors, with findings tracked to closure for IS audit and RBI inspection.
  • Chapter III of the IT Governance MD requires a secure software development life cycle with security built into every phase, code review and pre-release testing, plus formal change and project management. The 2021 Digital Payment Security Controls add secure development and testing before any payment app rollout.
  • Banks report cyber incidents to RBI within the timelines prescribed in the 2016 Cyber Security Framework. Separately, CERT-In's Directions of 28 April 2022 require notification of reportable incidents within 6 hours of detection, along with 180-day log retention within India and clock synchronisation to NPL/NIC.
  • RBI does not name SBOM explicitly. However, Chapter III of the IT Governance MD and the 2021 payment controls require ongoing assessment of third-party dependencies and the technology stack, which an SBOM directly evidences. SEBI's CSCRF is the Indian financial regulation that mandates SBOM by name.
  • RBI/2020-21/74, dated 18 February 2021, applies to banks, Small Finance Banks, Payments Banks and credit-card-issuing NBFCs. It requires a board-approved Functionality, Security and Performance policy, secure development and testing before rollout, app and API security, and continuous risk assessment of third-party dependencies.
  • The IT Governance MD requires cryptographic controls for data in transit and at rest, covering approved algorithms, key lengths and lifecycle, and the payment controls require strong encryption for digital payment channels. Maintaining a cryptographic inventory and crypto-agility, anticipating the post-quantum transition flagged by CERT-In, is the practical way to demonstrate this.

See O3 Security in Action

See why security and engineering leaders trust O3 to secure their entire software supply chain.