Indian NBFCs and payment fintechs operating under RBI oversight must meet a layered set of cyber resilience obligations — not suggestions, but binding Master Directions. The two frameworks that matter most in 2026 are the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (IT GRC Master Direction, 2023) and the Master Direction on Digital Payment Security Controls (DPSC, 2021). Together, they mandate formal governance structures, vulnerability management cadences including VAPT, incident reporting timelines, and periodic audits. This article breaks down each control domain, maps the common gaps in NBFC implementations, and explains what operationalizing compliance actually requires.
Why RBI Frameworks Apply to Your NBFC
Many NBFC founders assume cyber compliance is the territory of large banks. It is not. The RBI's IT GRC Master Direction — applicable to all regulated entities including NBFCs, payment aggregators, and prepaid instrument issuers — sets a baseline that scales to the size and risk profile of the entity. Smaller NBFCs are not exempt; the proportionality principle means the depth of controls must match the scale of digital operations.
The Digital Payment Security Controls Master Direction specifically targets payment system participants, covering mobile banking, internet banking, card payment infrastructure, and payment aggregator operations. If your NBFC operates a digital lending app, a co-lending platform, or a payment gateway integration, you are in scope.
Control Domain 1 — IT Governance and Board-Level Accountability
The IT GRC Master Direction requires a dedicated IT Strategy Committee at the Board level and an IT Steering Committee at the management level. Governance is not just a policy document; RBI expects an audit trail of board-approved IT risk appetite statements, periodic board-level review of IT performance and risk KPIs, and a Chief Information Security Officer (CISO) with direct reporting to the board or Managing Director.
For most mid-tier NBFCs, the gap here is structural. Technology decisions sit entirely with operations leadership, and no board-level IT risk review occurs. RBI's IS Audit framework explicitly checks for minutes of board IT committee meetings — their absence is a finding.
What to implement:
- Board-approved IT and Cybersecurity Policy, reviewed annually
- Documented IT risk appetite statement tied to business risk
- Quarterly board reporting on cyber incidents, audit findings, and control gaps
- Nominated CISO (or equivalent) with mandate and escalation authority
Control Domain 2 — Access Control and Identity Management
Both the IT GRC and DPSC frameworks mandate Privileged Access Management (PAM), multi-factor authentication for administrative access, and formal user access review cycles. Under the DPSC, customer-facing payment systems must enforce multi-factor authentication for all transactions above defined thresholds, and must not rely on static passwords as the sole credential.
For internal systems, segregation of duties is a recurring audit finding. Developers who can also deploy to production, DBAs who have unrestricted access to customer financial records, and shared service accounts for critical systems are common gaps that IS auditors flag.
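A quarterly access review check of the kind this domain calls for, as an added example that is not code from the article or any product it mentions: over a constructed entitlement export it flags the three patterns named above (a developer who can also deploy to production, a DBA with unrestricted access to customer financial records, a shared service account) and any privileged entitlement held without MFA. The export layout, rule set and sample records are assumptions.

```python
"""Access review: segregation-of-duties, shared-account and admin-MFA checks.
Added example; the export format, rules and sample records are constructed,
a real review would load the entitlement export from the IAM/PAM system."""

# Toxic combinations the article cites as recurring IS Audit findings.
# (Constructed rule set; adjust to the entity's own role model.)
TOXIC_PAIRS = [
    ({"developer", "prod_deploy"}, "developer can deploy to production"),
    ({"dba", "customer_pii_unrestricted"}, "DBA has unrestricted customer data access"),
]
# Entitlements treated as administrative: MFA is required on these.
PRIVILEGED = {"prod_deploy", "dba", "customer_pii_unrestricted"}

# Constructed sample export: (account, person using it, entitlement).
SAMPLE_EXPORT = [
    ("asha.k", "asha.k", "developer"),
    ("asha.k", "asha.k", "prod_deploy"),
    ("ravi.m", "ravi.m", "developer"),
    ("dba_prod", "ravi.m", "dba"),
    ("dba_prod", "ravi.m", "customer_pii_unrestricted"),
    ("svc_lms", "meera.s", "prod_deploy"),   # one service account...
    ("svc_lms", "arjun.p", "prod_deploy"),   # ...used by two people
]
# Constructed: people enrolled in MFA for administrative access.
SAMPLE_MFA_ENROLLED = {"asha.k", "ravi.m", "meera.s"}


def review_access(export, mfa_enrolled):
    """Return sorted (subject, finding) pairs for the access review pack."""
    users_per_account = {}
    ents_per_person = {}
    for account, person, ent in export:
        users_per_account.setdefault(account, set()).add(person)
        # Entitlements accrue to the human, whichever account grants them.
        ents_per_person.setdefault(person, set()).add(ent)
    findings = []
    for account, users in users_per_account.items():
        if len(users) > 1:  # shared credential: no individual accountability
            findings.append((account, "shared account used by " + ", ".join(sorted(users))))
    for person, ents in ents_per_person.items():
        for required, label in TOXIC_PAIRS:
            if required <= ents:
                findings.append((person, label))
        for ent in sorted(ents & PRIVILEGED):
            if person not in mfa_enrolled:
                findings.append((person, "privileged entitlement without MFA: " + ent))
    return sorted(findings)
```

Each finding is keyed by the person or account it belongs to, which is the granularity an IS auditor expects remediation evidence at.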
Control Domain 3 — Vulnerability Management and VAPT Cadence
This is where most NBFCs have the largest documented gap. The RBI IT GRC Master Direction requires a structured vulnerability management programme, and the DPSC explicitly mandates Vulnerability Assessment and Penetration Testing (VAPT) for internet-facing and critical internal systems at periodic intervals. The direction specifies that VAPT must be conducted before major system changes and at least annually for all critical systems, with findings tracked to closure.
A key requirement that many NBFCs miss: VAPT must be conducted by CERT-In empanelled organisations for systems that fall under India's cybersecurity reporting obligations. This matters for procurement — internal team assessments or non-empanelled vendors do not satisfy this requirement. Automated VAPT combined with a CERT-In empanelled partner review delivers the structured, evidence-backed reports that RBI auditors and IS reviewers expect.
RBI VAPT requirements in practice:
- Pre-launch VAPT for all new digital products before go-live
- Annual VAPT for internet-facing applications (payment portals, customer-facing APIs)
- Periodic internal network vulnerability scans (typically quarterly)
- Documented remediation plans with SLA-based closure tracking
- VAPT reports retained for audit and regulatory review
The NBFC Compliance Implementation Flow
```mermaid
graph TD
    A["Board IT Committee<br/>Approved"] -->|Governance Gate| B["IT Risk Appetite<br/>Statement Documented"]
    B --> C["CISO Appointed<br/>and Reporting Path Set"]
    C --> D["Policy Suite Drafted<br/>IT Security / BCP / Access"]
    D -->|Access Controls Gate| E["MFA Enabled<br/>for Admin and Payments"]
    E --> F["PAM System<br/>Deployed"]
    F -->|VAPT Gate| G["Baseline VAPT<br/>Conducted via Empanelled Partner"]
    G --> H{"Findings<br/>Severity Check"}
    H -->|Critical or High Findings| I["Remediation Sprint<br/>Tracked to Closure"]
    I --> G
    H -->|Clean or Medium Only| J["Annual VAPT<br/>Schedule Set"]
    J -->|Incident Management Gate| K["Incident Response Plan<br/>Tested and Live"]
    K --> L["72-hr RBI Reporting<br/>Workflow Operational"]
    L -->|Audit Gate| M["IS Audit Conducted<br/>Annually"]
    M --> N["Audit Findings<br/>Board-Reviewed"]
    N -->|Continuous Loop| D
    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style H fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style I fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style J fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style K fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style L fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style M fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style N fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
```

Control Domain 4 — Cyber Incident Management and Reporting
The DPSC framework mandates that regulated entities have a tested Cyber Crisis Management Plan (CCMP) and report cyber incidents to RBI within 72 hours of detection. The incident report must include the nature of the attack, affected systems, financial and customer data impact, and initial containment measures taken.
The 72-hour window is frequently misunderstood. It is not 72 hours from when the full incident is understood — it is 72 hours from first detection. An NBFC that discovers an anomaly on a Monday must file an initial report by Thursday, even if the investigation is incomplete. The framework requires a follow-up detailed report within 30 days.
Beyond regulatory reporting, the framework requires:
- Classified incident severity tiers with escalation triggers
- Documented runbooks for common incident types (ransomware, data exfiltration, payment fraud)
- Annual tabletop exercises to test the CCMP
Control Domain 5 — IS Audit and Third-Party Risk
RBI mandates annual Information Systems Audits for regulated entities, conducted by qualified auditors, with findings reported to the Board IT Committee. For larger NBFCs, the IS Audit must cover the entity's critical third-party service providers — cloud platforms, payment processors, core banking system vendors, and data analytics partners.
Third-party risk management is increasingly scrutinized. If your NBFC relies on a cloud-hosted core banking or lending origination system, RBI expects documented due diligence including vendor security assessments, contractual security obligations, data localization compliance, and exit strategies.
NBFC IS Audit scope typically covers:
| Control Area | What Auditors Check |
|---|---|
| Governance | Board IT committee minutes, CISO mandate, policy approval records |
| Access Control | MFA deployment, PAM audit logs, user access reviews (quarterly) |
| VAPT | Reports from empanelled vendor, remediation closure evidence |
| Change Management | Documented approval trail for production changes |
| BCP and DR | Recovery Time Objectives tested, DR drills conducted |
| Incident Management | CCMP document, 72-hour reporting drill evidence |
| Third-Party Risk | Vendor security assessments, contractual clauses |
| Data Protection | Encryption at rest and in transit, data classification policy |
NBFC Control Domain Readiness — Where the Gaps Cluster
The chart below reflects control domains where NBFC IS Audits most commonly identify findings, based on RBI supervisory guidance and DSCI sector assessments.
```mermaid
xychart-beta
    title "Common Control Gap Distribution in NBFC Cyber Audits"
    x-axis ["Governance", "Access Control", "VAPT Programme", "Incident Mgmt", "Third-Party Risk", "BCP and DR"]
    y-axis "Percentage of Audits with Findings" 0 --> 100
    bar [38, 52, 71, 64, 58, 44]
```

Common Gaps and How to Close Them
Gap 1 — No documented VAPT programme. Running a VAPT once before a product launch is not a programme. Close this by establishing a fixed annual calendar, a pre-change testing gate, and a remediation SLA (typically 30 days for Critical, 60 days for High).
Gap 2 — Incident reporting workflow exists on paper only. Most NBFCs have an incident policy but have never tested the 72-hour reporting workflow. Run a tabletop simulation quarterly. Designate a specific team member as the RBI reporting point of contact.
Gap 3 — Third-party cloud or SaaS treated as out of scope. RBI's IT GRC framework is explicit: outsourced functions remain your risk. Obtain vendor security attestations (SOC 2, ISO 27001, or equivalent), include security SLAs in contracts, and review annually.
Gap 4 — MFA applied only to customer-facing systems. Administrative access to core systems, cloud consoles, and databases must also enforce MFA and PAM-controlled access. Auditors check both layers.
Gap 5 — IS Audit findings not tracked to board. Findings that live in an IT spreadsheet without board visibility are a governance failure. Implement a finding-to-closure workflow with quarterly board reporting.
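A finding-to-closure tracker that serves Gap 1 (remediation SLAs) and Gap 5 (findings visible to the board), and implements the remediation-sprint loop from the flow above, as an added example that is not code from the article or from Bachao.AI. The Critical and High SLAs are the article's typical values; the Medium SLA, the rule that closure only counts once a retest verifies it, and the sample register are assumptions.

```python
"""VAPT finding-to-closure tracker with SLA-based overdue detection.
Added example; Critical/High SLAs follow the article, while the Medium SLA,
the retest rule and the sample register are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"Critical": 30, "High": 60, "Medium": 90}  # Medium: assumed value


@dataclass
class Finding:
    ident: str
    severity: str
    reported: date                 # date the VAPT report was issued
    closed: Optional[date] = None  # date remediation was declared complete
    retest_verified: bool = False  # closure evidence: a retest confirmed the fix


def status(f: Finding, today: date) -> str:
    """Classify one finding as of `today` against its severity SLA."""
    due = f.reported + timedelta(days=SLA_DAYS[f.severity])
    if f.closed is not None and f.retest_verified:
        return "closed_in_sla" if f.closed <= due else "closed_late"
    # Open, or closed without retest evidence: the SLA clock keeps running.
    return "overdue" if today > due else "open"


def board_summary(findings, today: date) -> dict:
    """Counts per severity and status, the shape a quarterly board pack needs."""
    summary = {}
    for f in findings:
        row = summary.setdefault(f.severity, {})
        row[status(f, today)] = row.get(status(f, today), 0) + 1
    return summary


def remediation_sprint(findings, today: date) -> list:
    """Critical/High findings that are overdue and need a tracked sprint."""
    return [f.ident for f in findings
            if f.severity in ("Critical", "High") and status(f, today) == "overdue"]


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Finding("C-1", "Critical", date(2026, 1, 10), date(2026, 1, 30), True),
    Finding("C-2", "Critical", date(2026, 1, 10), date(2026, 2, 20), True),
    Finding("H-1", "High", date(2026, 2, 1), date(2026, 3, 1), False),
    Finding("H-2", "High", date(2026, 1, 5)),
    Finding("M-1", "Medium", date(2026, 3, 15)),
]
```

Run `board_summary(SAMPLE_REGISTER, date(2026, 3, 31))` to see the quarter-end view; H-1 stays "open" rather than closed because no retest evidence exists, and H-2 lands in the remediation sprint.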
How Bachao.AI Supports NBFC Compliance Readiness
Dhisattva AI Pvt Ltd has built Bachao.AI specifically for regulated entities that need a structured, evidence-generating VAPT programme without the overhead of managing a full security team. Automated VAPT assessments generate structured reports with finding severity, remediation guidance, and closure-tracking evidence — the format IS auditors and RBI reviewers expect to see. For CERT-In empanelled reporting requirements, reports are delivered in coordination with an empanelled partner. Start with a free VAPT scan to baseline your current exposure before your next IS Audit cycle.