RBI's cyber security framework for NBFCs sets out how Non-Banking Financial Companies in India must govern, secure, and report on their IT systems — and it is a distinct regime from the cyber security framework RBI applies to banks. Compliance rests on four pillars: a Board-approved cybersecurity policy that sits above routine IT policy, IT governance structures with a designated Chief Information Security Officer, cyber incident reporting to RBI and CERT-In within tight timelines, and periodic Information Systems audit by empanelled auditors. Requirements scale with an NBFC's size and systemic importance under RBI's layered regulatory structure, not a single one-size-fits-all rulebook.
For NBFC promoters, CTOs, and compliance heads, the practical challenge isn't knowing that RBI expects strong cybersecurity — it's translating a set of Master Directions and circulars into a working policy, a functioning audit cadence, and an incident response process that survives a real event. This guide walks through governance obligations, board-level requirements, reporting timelines, IS audit expectations, and the concrete steps an NBFC should take to get and stay compliant.
Why NBFCs Have a Separate Framework From Banks
RBI regulates NBFCs under a Scale-Based Regulation (SBR) structure introduced in 2021 and effective from October 2022, which classifies NBFCs into four layers — Base Layer, Middle Layer, Upper Layer, and a currently reserved Top Layer — based on size, activity, and perceived risk. Cybersecurity and IT governance obligations scale with this classification: NBFC-Middle Layer (broadly, non-deposit-taking NBFCs above a specified large asset-size threshold, along with deposit-taking NBFCs, HFCs, and CICs) and NBFC-Upper Layer entities carry the most detailed requirements, while smaller Base Layer NBFCs face a lighter-touch but still mandatory baseline.
This tiering is the key difference from bank-specific cyber security circulars, which apply more uniformly across scheduled commercial banks. RBI consolidated much of the earlier, separate NBFC IT framework (originally issued in 2017 for larger NBFCs) into the broader Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, 2023, which now applies across banks, NBFC-Middle Layer, NBFC-Upper Layer, Credit Information Companies, and All India Financial Institutions. Smaller NBFCs outside these categories are still expected to follow proportionate IT and cybersecurity risk management practices even where the detailed Master Direction doesn't fully apply.
The Core Pillars of RBI's Cyber Security Framework for NBFCs
RBI's approach treats cybersecurity as a governance discipline owned by the Board, not a technical function delegated entirely to IT. Four pillars recur across the framework:
| Pillar | What RBI Expects |
|---|---|
| IT and cybersecurity governance | Board oversight, an IT Strategy Committee, and a designated CISO reporting independently of IT operations |
| Board-approved cybersecurity policy | A standalone policy distinct from the general IT policy, covering risk appetite, controls, and a Cyber Crisis Management Plan |
| Controls and operations | Access control, network segmentation, encryption, patch management, vendor and outsourcing risk controls |
| Assurance and reporting | Periodic IS audit by empanelled auditors, plus cyber incident reporting to RBI and CERT-In within prescribed timelines |
IT Governance and the Board's Role
RBI requires the Board or a Board-level committee (typically an IT Strategy Committee) to own IT and cybersecurity risk, not just receive a periodic update from the IT team. This includes approving the IT and cybersecurity strategy, reviewing risk assessments, and holding management accountable for closing audit gaps. A designated CISO is expected to report cybersecurity posture directly to senior management or the Board-level committee, and to sit organisationally outside IT operations: the person reporting on control weaknesses should not answer to the head of the function those weaknesses sit in.
The Board-Approved Cybersecurity Policy
A recurring gap in NBFC compliance is treating "IT policy" and "cybersecurity policy" as the same document. RBI's framework expects a distinct, Board-approved cybersecurity policy that sets risk appetite, defines acceptable use, mandates specific technical controls, and includes a Cyber Crisis Management Plan (CCMP) covering detection, response, containment, and recovery from a cyber incident. The policy needs periodic Board review, not a one-time sign-off that sits untouched for years while the actual IT environment changes underneath it.
The flow below shows how these pillars connect in practice, from Board approval through to incident reporting and the feedback loop back into continuous monitoring.
Incident Reporting Timelines — RBI and CERT-In
This is where many NBFCs get caught out, because there are two separate reporting obligations running in parallel, not one.
CERT-In's 6-hour rule. Under CERT-In's 2022 directions issued under Section 70B of the IT Act, every body corporate operating in India — including NBFCs — must report specified categories of cyber security incidents to CERT-In within 6 hours of noticing the incident or being brought to notice of the incident. This is a statutory obligation independent of RBI's own reporting requirements, and it applies regardless of an NBFC's SBR layer.
RBI's supervisory reporting. Separately, RBI expects regulated entities to report significant cyber incidents to their supervisory contact promptly, using RBI's prescribed formats and channels, as part of ongoing supervisory oversight. This runs alongside, not instead of, the CERT-In obligation — an NBFC that reports only to CERT-In and treats RBI notification as optional is not meeting its regulatory obligations.
IS Audit Requirements
RBI expects NBFCs falling under the IT Governance Master Direction to conduct periodic Information Systems (IS) audits of their IT environment, using CERT-In empanelled auditors, and to place the resulting audit findings before the Board or the IT Strategy Committee for review and closure tracking. The audit is expected to cover the effectiveness of governance, access controls, network security, data protection, and business continuity arrangements — not just a superficial policy-document review.
A System Audit Report (SAR) or equivalent assurance documentation should be retained and made available to RBI on supervisory request. Alongside the formal IS audit, regular vulnerability assessment and penetration testing (VAPT) of externally-facing systems — internet banking-style customer portals, mobile apps, APIs, and payment integrations — gives NBFCs continuous evidence that controls are actually holding up between audit cycles, rather than relying solely on an annual point-in-time check.
The chart below is an illustrative breakdown of how control domains are typically weighted across an NBFC's cybersecurity compliance programme.
Practical Steps for NBFCs to Comply
Compliance is a programme, not a document you file once. A realistic rollout sequence looks like this:
- Confirm your SBR classification and applicable circulars. Check whether your NBFC falls under Base, Middle, or Upper Layer, and whether the IT Governance Master Direction applies to you directly or as a proportionate baseline.
- Separate your cybersecurity policy from your general IT policy. If your Board has only ever approved one combined document, split it and get the standalone cybersecurity policy — including the Cyber Crisis Management Plan — back in front of the Board for explicit approval.
- Formalise the CISO role and reporting line. The person accountable for cybersecurity should not report through the same manager who owns IT operations delivery targets — that reporting line dilutes independent escalation when controls and delivery pressure conflict.
- Build a dual incident reporting runbook. Document exactly who files the CERT-In report within the 6-hour window and who separately notifies RBI's supervisory contact, with named owners and backups — not "the security team" as a vague catch-all.
- Schedule IS audit and VAPT on a recurring calendar, not ad hoc. Book the annual IS audit with a CERT-In empanelled auditor and run VAPT on customer-facing systems on a regular cycle, especially after major releases or infrastructure changes.
- Track audit findings to closure at Board level. An open finding that never gets a follow-up review is functionally the same as never having found it — RBI examiners look for evidence of closure, not just evidence of testing.
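The dual reporting runbook in the fourth step is the piece that fails under pressure, so here is a small tracker for it, written as an added example for this guide rather than code from the page or from Bachao.AI. It models the two parallel obligations (CERT-In and RBI), resolves a named owner or backup for each, and computes each deadline from the moment the incident was noticed. The people, the incident ID and the timestamps are constructed; the 6-hour CERT-In window is the statutory one described above, while the RBI window is an assumed internal target, since the text says only "promptly".

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))


@dataclass(frozen=True)
class Obligation:
    """One reporting duty with a named owner, a named backup and a clock."""
    name: str
    owner: str
    backup: str
    window: timedelta   # time allowed from the moment the incident was noticed
    basis: str          # where the window comes from (statutory vs internal target)


# Hypothetical runbook. The CERT-In window is the 6-hour statutory one; the RBI window
# is an ASSUMED internal target, because the guidance above only says "promptly".
RUNBOOK = (
    Obligation("CERT-In", owner="priya.s", backup="arjun.m",
               window=timedelta(hours=6), basis="statutory (CERT-In directions, 2022)"),
    Obligation("RBI supervisory contact", owner="rahul.k", backup="priya.s",
               window=timedelta(hours=6), basis="assumed internal target"),
)


@dataclass
class Incident:
    incident_id: str
    noticed_at: datetime                                        # must be timezone-aware
    filings: dict[str, datetime] = field(default_factory=dict)  # obligation name -> filed at
    unavailable: frozenset[str] = frozenset()                   # people who cannot be reached

    def __post_init__(self) -> None:
        # A naive timestamp silently shifts a 6-hour deadline by the server's UTC offset.
        if self.noticed_at.tzinfo is None:
            raise ValueError("noticed_at must be timezone-aware")
        for name, when in self.filings.items():
            if when.tzinfo is None:
                raise ValueError(f"filing time for {name} must be timezone-aware")


def assignee(ob: Obligation, incident: Incident) -> str:
    """Who files: the owner, else the backup, else escalate rather than guess."""
    for person in (ob.owner, ob.backup):
        if person not in incident.unavailable:
            return person
    raise RuntimeError(f"{ob.name}: owner and backup unreachable for {incident.incident_id}; escalate to CISO")


def deadline(ob: Obligation, incident: Incident) -> datetime:
    return incident.noticed_at + ob.window


def obligation_status(ob: Obligation, incident: Incident, now: datetime) -> dict:
    """State of one obligation at `now`: filed, filed_late, pending or overdue."""
    due = deadline(ob, incident)
    filed = incident.filings.get(ob.name)
    if filed is not None:
        state = "filed" if filed <= due else "filed_late"
        gap = abs(due - filed)      # time to spare, or how late the filing was
    else:
        state = "pending" if now <= due else "overdue"
        gap = abs(due - now)        # time remaining, or how far past the deadline
    return {
        "obligation": ob.name,
        "basis": ob.basis,
        "assignee": assignee(ob, incident),
        "deadline": due,
        "state": state,
        "minutes_from_deadline": int(gap.total_seconds() // 60),
    }


def runbook_status(incident: Incident, now: datetime, runbook=RUNBOOK) -> list[dict]:
    return [obligation_status(ob, incident, now) for ob in runbook]


def breaches(incident: Incident, now: datetime, runbook=RUNBOOK) -> list[str]:
    """Obligations that are already late or were filed late; these go to the Board."""
    return [s["obligation"] for s in runbook_status(incident, now, runbook)
            if s["state"] in ("overdue", "filed_late")]


def demo() -> list[dict]:
    # Constructed incident: noticed 09:12 IST, CERT-In filed 13:40, RBI still unfiled
    # at 16:00, and the CERT-In owner is unreachable so the backup must file.
    noticed = datetime(2024, 1, 15, 9, 12, tzinfo=IST)
    incident = Incident(
        "INC-0042", noticed,
        filings={"CERT-In": datetime(2024, 1, 15, 13, 40, tzinfo=IST)},
        unavailable=frozenset({"priya.s"}),
    )
    now = datetime(2024, 1, 15, 16, 0, tzinfo=IST)
    return runbook_status(incident, now)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['obligation']:<24} {row['state']:<11} by {row['assignee']:<8} "
              f"due {row['deadline']:%H:%M %Z} ({row['minutes_from_deadline']} min)")
```

In the constructed case the CERT-In filing lands 92 minutes inside the window and goes to the backup, while the RBI notification is 48 minutes past the NBFC's own clock and is flagged as a breach. The timezone check is the deliberate edge case: an incident clock that mixes UTC server logs with IST wall-clock filings can make a late report look on time, so the tracker refuses naive timestamps outright.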
Where Bachao.AI Fits
Most of the friction in NBFC cybersecurity compliance isn't disagreement about what's required. It's the operational gap between a Board-approved policy and continuous, evidenced proof that controls are working. Bachao.AI, built by Dhisattva AI Pvt Ltd, runs automated VAPT scans against internet-facing NBFC systems (customer portals, APIs, and payment flows) and produces evidence you can hand directly to your IS auditor or CISO; where a formal audit is required, engagements with a CERT-In empanelled partner are available. If you want a current picture of where your externally-facing systems stand ahead of your next audit cycle, a free VAPT scan is a fast starting point. Teams also managing data protection obligations can review DPDP compliance requirements alongside RBI's framework, and more compliance breakdowns like this one are on the Bachao.AI blog.