A few months ago, I was sitting across from the IT head of a mid-size NBFC in Mumbai. A decent-sized company. Upper-middle layer under RBI’s Scale-Based Regulation. A team that takes its work seriously.
We were reviewing their security posture when I asked a straightforward question: “Have you constituted your Board-level IT Strategy Committee?”
He looked at me, then at the compliance officer sitting next to him. “We have a technology committee at the management level,” he said. “That is the same thing, right?”
It is not. And under the RBI (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023, which came into force on April 1, 2024, the distinction matters enough to generate an inspection finding.
The Master Directions are now more than two years old. They apply to every scheduled commercial bank, every small finance bank, and every NBFC in the Top, Upper, and Middle Layers under Scale-Based Regulation. They cover six chapters of mandatory obligations, from Board governance to vendor risk management to cybersecurity incident reporting.
Most compliance conversations I have had since April 2024 suggest that the average Indian NBFC is partially compliant, at best, with three of the six chapters, and often has no structured view of the gaps in the remaining three.
This blog is a plain-language walkthrough of exactly what the Directions require, what most NBFCs are missing, and how to close the gap before the next inspection.
Who the Master Directions Apply To
Before the technical content, the applicability question needs a direct answer because confusion here is common.
- The Directions apply to:
All Scheduled Commercial Banks, including foreign banks licensed to operate in India, Small Finance Banks, and Payments Banks. All NBFCs in the Top Layer, Upper Layer, and Middle Layer under RBI’s Scale-Based Regulation. Credit Information Companies such as CIBIL. All India Financial Institutions including EXIM Bank, NABARD, NaBFID, NHB, and SIDBI.
- The Directions do NOT apply to:
Local Area Banks. NBFC-Core Investment Companies. Base Layer NBFCs.
For Upper and Middle Layer NBFCs specifically, the Directions represent a significant increase in obligations compared to what previously applied. Historically, stringent IT governance requirements were primarily framed for banks. The 2024 Directions explicitly state the intent: to ensure NBFCs maintain a governance and control framework at par with banks. That is not aspirational language. It is a compliance requirement.
The Seven Chapters, Made Plain
The full Directions run across six substantive chapters. Here is what each actually requires, stripped of legal drafting.
Chapter 1 – Preliminary
Chapter 1 is the foundation on which all six operational chapters rest. It establishes definitions that determine how every subsequent obligation is interpreted.
- Short title and commencement: The Directions are formally called the Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023. They came into effect on April 1, 2024, repealing all previous circulars on IT governance, risk controls, and business continuity that had applied to banks and NBFCs separately.
- Three definitions that every compliance team must understand precisely:
- A cyber incident under these Directions is defined by adapting the FSB Cyber Lexicon. It covers any malicious or suspicious activity that compromises, or attempts to compromise, the confidentiality, integrity, or availability of an information system or the data it holds. This is not limited to confirmed breaches. A suspected intrusion, an unusual authentication pattern, or a ransomware attempt that was contained before causing damage all qualify as reportable cyber incidents. The six-hour reporting obligation under Chapter 5 is triggered by this definition, not by confirmed data loss.
- An information asset covers any data, software, hardware, service, or other information resource that has value to the organisation. This definition determines what must be included in the organisation’s asset inventory, what must be covered by the IS audit, and what must be protected under the IT Risk Management Framework. Most NBFCs have narrower internal definitions that exclude shadow IT, vendor-hosted systems, and legacy applications. Under the Directions, if it holds or processes data that matters to the organisation or its customers, it is an information asset.
- A regulated entity is defined across the applicability list in Chapter 1, which was covered in the section above. The important compliance implication is that each regulated entity is individually responsible for compliance. A shared technology infrastructure between a bank and its NBFC subsidiary does not create a shared compliance obligation. Both entities must demonstrate independent compliance.
The comply or explain approach applies specifically to foreign banks operating in India through branch mode. For domestic banks and Indian NBFCs, full compliance is required. There is no comply or explain option.
Chapter 2 – IT Governance
This is the chapter most Indian NBFCs are weakest on, and the one RBI inspectors ask about first.
- Board-level IT Strategy Committee (ITSC) is mandatory. This is not the IT Steering Committee at management level, which most institutions already have. This is a separate committee at the Board of Directors level. It must meet at least quarterly. At least one member must have substantial IT expertise, defined as a minimum of seven years of experience managing information systems and leading technology or cybersecurity initiatives.
- What the ITSC must do: Review and approve the organisation’s IT strategy. Oversee implementation of the IT Risk Framework. Review major IT investments. Assess cyber risk at the Board level. Ensure IT capabilities align with business strategy.
- Senior Management IT Steering Committee is a separate requirement. The Board’s ITSC provides oversight. The Senior Management IT Steering Committee handles operational governance and execution. These are two distinct structures.
- Head of IT Function must be formally designated with documented roles and responsibilities. This person is accountable to the Senior Management IT Steering Committee for IT service delivery, IT risk, and IT security.
The governance structure most Indian NBFCs have is: a technology team reporting to a COO or CFO, with no formal IT committee at either Board or management level. The Directions require both.
Chapter 3 – IT Infrastructure and Services Management
- IT Service Management Framework must be documented and implemented covering the organisation’s information systems and infrastructure, including DR sites. This framework defines how IT services are delivered, maintained, and recovered.
- Data migration policy must be documented, specifying a systematic process for data migration with sign-offs from business users and application owners at each stage, audit trails, and documented data integrity validation. This is frequently missed because data migration is treated as a technical project rather than a governed process.
- Application logging is required for every IT application that can access or affect critical or sensitive information. The logs must be maintained and must provide audit capability. Applications without logging capability represent both a compliance gap and a significant security gap, since an unlogged application that is compromised cannot be forensically investigated.
Chapter 4 – IT Risk Management
The Risk Management Policy of every covered entity must explicitly include IT-related risks and Cybersecurity-related risks. This is not optional language. The Risk Management Committee of the Board must review and update the policy at least annually.
- Cyber incident analysis is specifically required. When a cyber incident occurs, the organisation must analyse it for severity, impact, and root cause. Forensic analysis is required where necessary. The organisation must then take documented corrective and preventive measures to mitigate the adverse impact.
This requirement directly explains what was missing in several of the incidents we have covered on this blog. An organisation that experiences a vendor breach, reports it to CERT-In, and considers the matter closed without a documented root cause analysis and corrective action plan is not meeting the Directions’ requirement.
Chapter 5 – IT Security and Cybersecurity
This chapter contains the controls that most directly map to the specific incidents described in the Bajaj Auto, Tata Electronics, and OAuth phishing blogs published on this site.
- Cyber Crisis Management Plan (CCMP) is now mandatory for all covered entities. Previously, this was primarily required for large banks. Under the 2024 Directions, every covered NBFC must have a documented CCMP. This plan must cover crisis identification, escalation, containment, communication, and recovery.
- Vulnerability Assessment and Penetration Testing (VAPT) must be conducted by CERT-In-empanelled firms. Internet-facing systems must be tested at a minimum of half-yearly. Internal systems must be tested annually. The findings must be tracked and remediated with documented timelines.
- Incident reporting within 6 hours of detection is mandatory for significant cyber incidents. The reporting goes through the CIMS (Cyber Incident Management System) portal. Most organisations have a theoretical incident response process but have never configured CIMS access or run a test of the six-hour notification workflow.
- Network security controls including segmentation, access controls, and monitoring are required. This is the specific control layer where EasyNAC provides documented, auditable compliance evidence. A Board-level ITSC that needs to demonstrate network access governance to an RBI inspector needs a live system showing what is on the network, not a policy document describing what should be.
- Patch management policy must be documented covering identification of vulnerabilities, risk classification, patch testing, and deployment timelines. Critical patches must have defined maximum open windows before mandatory application.
Chapter 6 – Third-Party Arrangements and Vendor Risk Management
This chapter has been significantly tightened compared to previous guidance, and it directly addresses the supply chain risk pattern visible across every major incident in Indian financial services in 2025 and 2026.
- Vendor risk assessment must be proportionate to assessed risk and must cover mitigation of concentration risk, elimination of conflicts of interest, mitigation of single point of failure risk, compliance with legal and regulatory requirements for customer data protection, high availability for uninterrupted customer service, and supply chain risk management.
- Exit clauses are explicitly required in vendor contracts. The organisation must be able to transition away from a critical vendor without operational disruption if the vendor fails, is compromised, or the relationship ends.
- An annual audit of critical vendors is required. A signed contract is not sufficient. The organisation must verify vendor compliance with agreed security standards on an ongoing basis.
- Concentration risk monitoring must be active. If a significant proportion of IT services are with a single vendor or cloud provider, that concentration must be identified, assessed, and managed with appropriate contingency planning.
For the NBFC whose five core technology functions, core banking, loan management, KYC, payment processing, and HR, are all with three or four vendors, concentration risk is almost certainly already a finding waiting to happen.
Chapter 7 – Information Systems Audit
- An independent IS audit function must be established. This means IS audit cannot be conducted by the same team responsible for IT operations. The audit function must assess the effectiveness of IT controls, IT risk management, and compliance with the Directions.
IS audit must be conducted annually for the core systems. For internet-facing systems, the audit cycle aligns with the VAPT requirement. Findings must be reported to the ITSC and to the Board.
The Three Changes That Matter Most
Of all the changes introduced in the 2024 Directions compared to previous frameworks, three represent the most significant operational shift for Indian NBFCs.
- Board-level IT governance is mandatory, not optional. Previously, technology governance in many NBFCs was a management-level function. The 2024 Directions explicitly require a Board-level IT Strategy Committee with documented IT expertise on the Board. This is not a semantic change. It means the Board as a whole is now accountable for IT strategy and cyber risk in a way it was not before. A Board that has not constituted this committee, does not have a member with documented IT expertise, and does not receive quarterly IT governance reports is non-compliant with a foundational requirement.
- The Cyber Crisis Management Plan is now mandatory for every covered NBFC. The CCMP requirement previously applied primarily to large banks. The 2024 Directions extend it to all covered entities. A CCMP is not a generic incident response plan. It covers the specific scenario of a cyber crisis, including escalation to senior management and the Board, external communications, regulatory notifications, customer communications, and operational continuity during active incident response.
- Third-party vendor risk management has moved from guidance to obligation. Exit clauses in contracts, annual vendor audits, and concentration risk monitoring are not best practices under the 2024 Directions. They are mandatory. An NBFC that cannot demonstrate active vendor risk assessment, exit planning, and concentration monitoring has a compliance gap in every vendor relationship it holds.
Where the RBI Directions and the DPDP Act Overlap
Most compliance teams treat RBI IT governance compliance and DPDP Act compliance as separate workstreams. They are not. There is significant overlap, and understanding where the two frameworks converge reduces the total compliance effort.
Both frameworks require vendor contractual obligations for customer data protection. The RBI Directions require compliance with applicable legal and regulatory requirements for customer data as part of vendor risk management. The DPDP Act requires binding data processing agreements with every vendor that processes personal data on your behalf.
Both frameworks require access management controls. RBI’s network security requirements and the DPDP Act’s reasonable security safeguards obligation both point to the same operational controls: who can access what data, with what authorisation, logged in what system.
Both frameworks require incident notification on defined timelines. RBI requires six-hour notification for significant cyber incidents. DPDP requires notification to the Data Protection Board within the prescribed period for personal data breaches. These are parallel obligations, not alternatives.
The practical implication is that a mid-size NBFC working toward RBI compliance can map approximately 60% of the required controls directly against DPDP obligations simultaneously, with purpose-built additions for the DPDP-specific consent and data subject rights requirements. OfficeSIA addresses the DPDP-specific employee and customer data lifecycle requirements that the RBI framework does not fully cover, while the RBI controls framework handles the institutional governance layer.
What an RBI-Ready NBFC Actually Looks Like Operationally
An NBFC that is genuinely compliant with the 2024 Directions can answer the following questions clearly, from documented evidence rather than from memory.
Has the Board constituted a formal IT Strategy Committee with quarterly meeting minutes and a member who meets the substantial IT expertise definition? Yes or no.
Is there a documented IT Risk Framework approved by the Board in the last twelve months? Yes or no.
Does a Cyber Crisis Management Plan exist, has it been tested in a tabletop exercise, and does it include a documented six-hour CERT-In notification workflow? Yes or no.
Has VAPT been conducted by a CERT-In empanelled firm in the last six months for internet-facing systems? Yes or no.
Does the organisation maintain real-time visibility of every device connected to its network, with logged access records that can support forensic investigation if required? Yes or no.
Do all critical vendor contracts include exit clauses, security obligation clauses, and a right to audit? Yes or no.
Has an annual IS audit been conducted by a function independent of IT operations? Yes or no.
For most Indian NBFCs who have been operating since before April 2024 without a structured compliance exercise, the honest answer to several of these is no. That is not a crisis. It is a starting point.
A Practical 12-Week Compliance Sprint
For an NBFC that has not yet done a systematic compliance review against the Master Directions, here is how to structure the next three months.

Weeks 1 to 2: Governance structure audit
Review whether a Board-level ITSC exists with documented terms of reference. Identify whether any Board member meets the definition of substantial IT expertise. Check whether IT risk is included in the Board-approved Risk Management Policy. If the ITSC does not exist, prepare the Board resolution and terms of reference for the next Board meeting.
Weeks 3 to 4: Policy gap assessment
Review existing IT Security Policy, Incident Response Plan, Patch Management Policy, and Business Continuity Plan against the Directions’ requirements. Identify which policies do not exist, which need material updates, and which need Board approval for the first time.
Weeks 5 to 6: Vendor risk mapping
List every critical IT vendor. For each, check whether the contract includes exit clauses, security obligation requirements, and an audit right. Identify concentration risk where one vendor handles more than 30% of critical IT services. Build a vendor security assessment schedule.
Weeks 7 to 8: Technical controls review
VAPT scheduling with a CERT-In empanelled firm for internet-facing systems. Network access control review: can the organisation produce a real-time device inventory? Application logging audit: are all critical applications generating and retaining access logs? Patch management review: is there a documented policy with defined remediation timelines?
Weeks 9 to 10: CCMP development and CIMS setup
Build the Cyber Crisis Management Plan covering escalation, regulatory notification, customer communication, and operational continuity. Configure CIMS portal access for regulatory incident reporting. Test the six-hour notification workflow in a tabletop exercise with IT, compliance, and senior management participation.
Weeks 11 to 12: Board reporting and ongoing cadence
Present a comprehensive IT governance status report to the ITSC and Board. Establish the quarterly Board IT Committee meeting cadence. Set up the monitoring dashboards and ongoing compliance tracking that makes this a continuous posture rather than a one-time exercise.
The Connection Between These Directions and the Incidents You Have Been Reading About
Every major incident in Indian financial services and manufacturing that we have covered on this blog in the past three months maps to a specific control gap that the RBI Master Directions address.
The Tata Electronics breach through a supply chain vendor with access to Apple and Tesla IP maps directly to Chapter 6 on third-party risk. Vendor security assessments. Supply chain risk management. Annual vendor audits.
The Bajaj Auto ransomware attack and the absence of effective IT/OT segmentation maps directly to Chapter 5. Network security controls. Segmentation between network domains. Cyber Crisis Management Plan activation.
The OAuth phishing case study on this blog, where an attacker bypassed MFA using a token issued through a single consent click, maps directly to Chapter 5. Application access controls. Session management. Monitoring of non-interactive authentication events.
The two banks compromised through a single shared vendor map directly to Chapter 6. Concentration risk. Single point of failure mitigation. Contractual security obligations on third parties.
The RBI did not write these Directions in response to those incidents. The incidents happened because the controls the Directions mandate were not in place.
Every line in the Master Directions exists because someone, somewhere in the Indian financial system, suffered the consequences of that line not being followed.
Final Thought
The compliance head and IT head sitting across from me at that NBFC in Mumbai were not careless. They had been running a technology function that worked, processing loans and serving customers every day, with no incident serious enough to demand a complete governance review.
The Master Directions do not wait for an incident. They require the governance structure that makes an incident less likely, and the response capability that makes one less damaging when it happens.
An RBI inspection that finds a missing Board ITSC, an absent CCMP, and undocumented vendor risk management is not finding a company that was hacked. It is finding a company that was not prepared.
Preparation is the easier problem to solve.
The twelve-week sprint above is not a theoretical exercise. It is a realistic timeline for an Upper or Middle Layer NBFC with a functioning IT team to close the most significant gaps against the Master Directions. What it requires is structure, prioritisation, and the decision to start now rather than after the inspection notice arrives.
At Skeletos IT Services, we help Indian banks and NBFCs build the operational controls that satisfy RBI IT Governance Master Direction requirements, including EasyNAC for network access visibility and control, IT security assessments, VAPT coordination, and ongoing compliance monitoring. If you want to understand where your current environment stands against the Master Directions before your next RBI inspection, we can help you find out.

