In May 2025, the Reserve Bank of India fined a major Indian bank ₹97.80 lakh, partly because the bank had failed to report a cybersecurity incident within the set timeline. This bank is not an outlier. According to the RBI’s Annual Report for FY 2024–25, the regulator imposed 353 penalties worth a total of ₹54.78 crore during the fiscal year, with cybersecurity framework non-compliance among the primary grounds for this action.
The lesson here is not that Indian financial institutions face more cyber threats than others. It is that the RBI now enforces its security expectations with real consequences, and the foundation of those expectations is one document every regulated entity must have in place: a board-approved IT and cybersecurity policy.
This guide walks you through the exact process to draft a board-approved IT and cybersecurity policy as per RBI Master Direction – what it must contain, how it must be structured and what board approval actually requires.
The six components of the policy
Understanding how to draft a board-approved IT and cybersecurity policy as per RBI Master Direction starts with knowing what the document must contain. The following six areas are consistently required across RBI cybersecurity and IT governance regulations for regulated entities:
IT governance structure
RBI’s IT governance framework requires regulated entities to establish board-level oversight of IT and cybersecurity risks, including clearly defined governance structures and board-approved IT risk frameworks.
Information security policy
RBI guidance requires regulated entities to identify and classify information assets based on confidentiality, integrity and availability (CIA), while implementing proper access controls, encryption and remote access safeguards.
Cybersecurity policy
This is the core section the RBI scrutinises most closely. It must define the company’s cyber risk appetite, the VAPT programme cadence, SOC establishment and 24/7 threat monitoring requirements. The RBI’s cybersecurity framework mandates that scheduled commercial banks put in place board-approved cybersecurity policies and establish Security Operations Centres for threat monitoring, detection and incident response on a 24/7 basis.
Cyber incident response and recovery management
The policy must document the incident response lifecycle, including registration on RBI’s CIMS portal and mandatory reporting timelines. Certain RBI cyber incident reporting requirements mandate an initial notification within 6 hours of detection, followed by detailed reporting and root cause analysis submissions within prescribed timelines.
Business continuity plan and disaster recovery policy
The BCP and DR policy must define RPO (Recovery Point Objective) and RTO (Recovery Time Objective) targets, document recovery procedures and confirm that recovery plans are tested on a defined schedule. Regulators look for evidence of actual testing, including documented test results, remediation tracking and board-level review of recovery readiness.
Third-party and vendor risk management
RBI’s IT governance and outsourcing directions require regulated entities to implement vendor risk assessment processes – addressing concentration risk, supply chain risk, data protection obligations and single-point-of-failure exposure.
What board approval actually requires
Many regulated entities treat board approval as a signature on a policy document. The RBI expects much more. Board approval under the Master Direction means the board has:
- Reviewed the policy against the entity’s current risk profile and threat landscape
- Satisfied itself that the cybersecurity strategy reflects the organisation’s risk appetite
- Approved the VAPT programme scope and frequency
- Received and reviewed a report on the effectiveness of existing controls
- Committed to reviewing the policy at least annually – or following a material change, a major cyber incident or a regulatory update
RBI wants security controls to be managed as a system, not as a set of tools. You can have strong EDR and SIEM, but if exception handling, vendor risk processes and evidence trails are weak, those weaknesses will surface during an assurance review.
The board’s role is to make sure that cybersecurity risk is governed with the same seriousness as credit risk or market risk – with defined ownership and regular reporting.
Common gaps that lead to RBI penalties
Based on publicly documented enforcement actions, the gaps that most frequently result in regulatory action are:
- Cybersecurity incidents not reported to RBI within the 6-hour initial reporting window
- SOC either absent or not operational on a 24/7 basis
- VAPT conducted infrequently or scoped too narrowly to cover critical systems
- Board not receiving regular cybersecurity posture reports – policy approved but not actively reviewed
- Vendor risk assessments absent or superficial for critical IT service providers
- Audit logs not enabled for databases and operating systems of key servers
Each of these represents a failure of implementation – organisations that have a policy on paper but have not operationalised it.
Conclusion
Drafting a board-approved IT and cybersecurity policy as per RBI Master Direction is an operational commitment that the RBI audits and enforces, penalising non-compliance. When done correctly, it becomes the governance spine of your entire cybersecurity programme, linking board accountability to technical controls and regulatory evidence.
At CyberNX, our RBI Master Direction Compliance Services support regulated entities through every stage of this process – from regulatory gap assessments and policy drafting to VAPT, SOC alignment and CIMS readiness. If you are working on how to draft a board-approved IT and cybersecurity policy as per RBI Master Direction and need expert guidance, our team is here to help. Take the first step towards full RBI compliance and connect with us today.
How to Draft a Board-Approved IT and Cybersecurity Policy as per RBI Master Direction FAQs
Who does the RBI Master Direction on IT Governance apply to?
The Master Direction, effective April 1, 2024, applies to all scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, NBFCs in the Top, Upper and Middle Layers, Credit Information Companies and All India Financial Institutions like EXIM Bank, NABARD, NHB and SIDBI. Base Layer NBFCs are exempt from certain requirements but must still maintain a basic IT security policy and incident reporting capability.
What is the difference between the IT policy and the cybersecurity policy under the RBI Master Direction?
Under the Master Direction, the Information Security Policy and the Cybersecurity Policy are different documents – though both require board approval. The Information Security Policy covers asset classification, access controls and data protection. The Cybersecurity Policy specifically addresses cyber risk appetite, the VAPT programme, SOC requirements, threat monitoring and incident response – and it is the document the RBI scrutinises most closely during audits.
How often must the board-approved cybersecurity policy be reviewed?
At minimum annually. Additionally, a review is required following any material change to the IT environment, any significant cyber incident and any regulatory update that affects the entity’s compliance obligations. The RBI expects documented evidence that the board actually reviewed and discussed the policy.
What are the VAPT requirements under the RBI Master Direction?
Regulated entities must conduct Vulnerability Assessment and Penetration Testing on critical information systems on a defined schedule. For Upper and Middle Layer NBFCs and banks, this typically means quarterly vulnerability assessments and annual penetration testing by CERT-In empanelled vendors. Results must be reported to the board, and remediation must be tracked to closure.