IBM Cloud Global


How IBM Cloud can help Indian Financial Institutions comply with their cybersecurity regulatory obligations from RBI, IRDAI and SEBI

By Sumit Yadav posted 9 days ago


India’s banking sector appears set for an impressive growth trajectory in 2024 under favourable regional and domestic conditions. As the nation continues to fortify its digital banking infrastructure, manage risk effectively, and adapt to evolving economic dynamics, it stands as a key player in the broader Asia Pacific banking landscape. Over the past decade, the Digital India initiative, with its push on digital infrastructure, has had significant impacts, such as financial transactions through the Unified Payments Interface (UPI) surpassing INR 535 trillion (about $6 trillion). With an improved sector outlook and a positive operating environment, India’s banking sector is well positioned for sustained growth and stability in the coming years, projected to be worth USD 35.15 billion by 2033 and anticipated to surge at a CAGR of 18.54%. Cloud computing, with its scalable and adaptable infrastructure, has been a key factor in supporting increased digitization. However, increased digitization and interconnectedness have also led threat actors to adopt new ways to commit cyber fraud and disrupt financial services. The Reserve Bank of India (RBI) reported a fourfold surge in card and internet banking frauds in the year 2023-2024. As such, the regulatory bodies continue to enhance or introduce regulations and guidelines to address the expanding threat landscape for financial services.

Regulatory landscape for Financial Services in India

Reserve Bank of India (RBI) key regulations

The Reserve Bank of India is India's central bank and the regulatory body with oversight over the Indian banking system.

1. Guidance Note on Operational Risk Management and Operational Resilience (April 2024) – Provides overarching guidance to financial institutions for improving and strengthening their operational risk management using a principles-based and proportionate approach.

2. Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (November 2023) – This direction prescribes the framework and controls for IT governance, risk, controls, assurance practices and business continuity/disaster recovery management.

3. Master Direction on Outsourcing of Information Technology Services (April 2023) – The Master Direction addresses requirements for the outsourcing of information technology services.

4. Guidelines for Managing Risk in Outsourcing of Financial Services by Cooperative Banks (2021) – The guidelines include safeguards for cooperative banks to manage outsourcing risk, including risk assessment, exit strategy, contractual provisions, confidentiality and security, business continuity and management of the disaster recovery plan, and the monitoring and control of outsourced services.

5. Master Direction on Storage of Payment System Data (2018) – The Master Direction requires that payment system data be stored only in systems located in India, so that regulators have unfettered supervisory access to the stored data.

Insurance Regulatory and Development Authority (IRDAI) regulation

IRDAI regulates the insurance sector in India, issuing guidelines on cybersecurity, data protection and governance.

1. Cybersecurity Guidelines 2023 – The new guidelines recommend a risk-based approach to “governance, implementation and monitoring of information security.”

Securities and Exchange Board of India (SEBI) regulation

SEBI is the regulatory body for securities and commodity markets in India.

1. Cybersecurity and Cyber Resilience Framework (CSCRF) standards for Regulated Entities (REs) (June 2024) – REs are required to identify critical risks related to cloud computing and address them through appropriate controls. SEBI’s amendment to the listing obligations and disclosure requirements mandates that listed entities disclose details of cybersecurity incidents in their quarterly Corporate Governance Report (CGR). The new standards are to be adopted by applicable REs by January 1, 2025.

Key regulatory themes across RBI, IRDAI and SEBI and supporting IBM capabilities

Cyber risk governance and management

The management body of financial institutions (FIs) has the ultimate responsibility for managing and controlling the firm’s cyber risks. Covered FIs are expected to develop comprehensive IT risk management frameworks, conduct continuous risk assessments of their IT systems, and document and classify risks and mitigation measures. FIs are required to have suitable contractual agreements with third-party IT service providers, including an exit strategy. FIs will also need to establish business continuity and disaster recovery plans for various cyber risk scenarios, including plans for data backup and recovery measures, system restoration processes and plans for communicating with affected clients, partners, and the authorities.

As an enterprise cloud for regulated industries, IBM Cloud’s alignment with industry standards and certifications like ISO 27001, ISO 22301 and PCI DSS provides a solid foundation for meeting regulatory requirements. IBM Cloud introduced IBM Cloud for Financial Services to support clients in mitigating their IT risks, addressing regulations, and accelerating their cloud adoption. IBM enables FIs to mitigate their IT third-party risks when using IBM Cloud through a rigorous Financial Services validation assessment, assuring that services meet the expected control requirements. IBM Cloud services and third-party managed services that are labelled as IBM Cloud for Financial Services Validated in the IBM Cloud Catalog leverage the industry’s highest levels of encryption certification and provide controls for financial services regulatory workloads, multi-architecture support, and proactive, automated security. Likewise, IBM Cloud® Security and Compliance Center, an integrated solutions suite, defines policy as code, implements controls, and assesses security and compliance posture across hybrid multi-cloud environments, enabling FIs to continuously monitor their cloud assets and identify misconfigurations and risks. IBM Cloud Security and Compliance Center Workload Protection enables vulnerability scans for critical workloads, securing containers, Kubernetes, OpenShift and hosts with runtime security and forensics. IBM Security and Compliance Center Workload Protection supports Linux for PowerVS security.
IBM Cloud Data Security Broker, IBM® Confidential Computing and Keep Your Own Key (KYOK) encryption solutions enable FIs with technical assurance of data privacy, even while systems and cloud administrators continue to manage the infrastructure without having access to the data. With IBM distributed cloud capabilities, FIs can bring a secured, unifying layer of cloud services across environments, regardless of where their data resides. This is essential to help address critical data privacy and data residency requirements. IBM provides threat intelligence sharing arrangements. IBM Cloud Pak® for Security provides FIs a platform to quickly integrate their existing security tools to generate deeper insights into threats across hybrid, multicloud environments. IBM X-Force® Threat Intelligence Services leverages a team of world-class intelligence analysts to help FIs understand how the threat landscape is changing and the latest techniques threat actors are using, and mines insights from malware reverse engineering, dark web research, and vulnerability tracking to better secure their environments.

Third-party risk management and data localisation

IBM Cloud's global network of locations gives FIs the flexibility to choose where they want to run their workloads. IBM Cloud ensures that FIs' critical data and workloads (as defined in the IBM Cloud Service Agreement) are stored and processed in the selected region location in accordance with the IBM Cloud Data Processing Addendum and the IBM Cloud Terms site. FIs can securely tap into third-party capabilities and innovations without having to compromise on their risk posture by leveraging Financial Services Validated IBM Cloud services or third-party services which have evidenced compliance with the controls of the IBM Cloud Framework for Financial Services®. Additionally, IBM Consulting™ and IBM Software can enable FIs with services in support of third-party risk assessment, risk governance and controls for third-party risk management.

Cyber incident response and reporting

FIs are required to establish systems for monitoring, managing, logging, classifying, and reporting cyber incidents. FIs must monitor and log their network activity and critical payment systems such as SWIFT (the messaging system for international fund transfers), card networks facilitating card payments and domestic real-time fund transfer frameworks such as UPI. Depending on the severity of the incident, FIs may need to report incidents to regulators and affected clients and partners. IBM supports managing security incident response. For large, enterprise-level issues a Customer Incident Report (CIR) is provided to FIs, including information about how services are impacted and how the issue is being resolved. IBM Security X-Force® offers FIs services for detection and recovery from incidents, as well as managed detection and response; IBM Control Desk with Maximo® helps FIs manage and report critical assets; and IBM Cloud Security and Compliance Center Workload Protection can be used to enable FIs with runtime forensics and incident response for containers.

Backup, disaster recovery and cyber resiliency

FIs are required to have a strong offline backup and recovery plan and to test its efficacy regularly to evaluate the strength of their protections and identify vulnerabilities. The results of these tests, and plans for addressing any weaknesses, need to be reported to and validated by the relevant competent authorities. FIs must carry out tests such as vulnerability assessments, scenario-based testing and threat-led penetration testing.

IBM Cloud enables FIs with services that are resilient by design, with an architecture that provides application-level resiliency, redundant deployments and fault isolation patterns across the different IBM Cloud regions and data centers. To improve the resiliency and business continuity of FI services, service data planes are designed to minimize dependencies on the control plane and continue to deliver their primary function even when the control plane fails. IBM Cloud enables FIs with high availability and disaster recovery, supports Disaster Recovery (DR) testing using DR dry-tests, simulation and switch-over to a DR site, and conducts regular penetration testing with partners. IBM supports FIs conducting penetration testing of their VPC or Classic Infrastructure resources on IBM Cloud. IBM Cloud® Backup, a full-featured, agent-based backup and recovery system, can be managed through a web interface. IBM Cloud Power Systems Virtual Server (PowerVS) offers FIs a convenient route to extend their SAP, Oracle, and IBM i workloads to the cloud, enabling them to adopt a seamless hybrid cloud strategy. This includes backup-as-a-service, disaster recovery automation, improved cloud security and compliance, simplified migration and simplified networking. IBM Power Virtual Server has compliance certifications and features designed specifically to help users comply with security-related regulatory requirements, including identity and access management (IAM), hardware and software encryption, communication security capabilities, and extensive logging and reporting of security events. IBM Security® Guardium® Vulnerability Assessment scans enable FIs to detect vulnerabilities and get suggested remedial actions, both on-premises and in the cloud, based on benchmarks from STIG, CIS, CVE, and other configuration standards.
IBM Security X-Force® Red Penetration Testing enables penetration testing of FIs' applications, networks, hardware and personnel to uncover and fix vulnerabilities that expose their critical assets to attacks.

Looking ahead

Given the threat landscape across Indian FIs, it is important that financial institutions collaborate with their technology partners and third-party service providers to align with regulatory standards.

Authors: Sumit Yadav, Vivek Kinra and Rohit Singh

Legal disclaimers:

© Copyright IBM Corporation 2024

This blog is provided for informational purposes only.

IBM is committed to helping our clients and prospects with the knowledge to enable them to make decisions regarding their own client base needs.

The intended audience for this blog is legal and compliance experts seeking to understand India-related regulatory guidelines as they migrate to the cloud.

Clients are responsible for ensuring their own compliance with various applicable laws and regulations. Clients are solely responsible for obtaining professional legal advice as to identifying and interpreting any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. IBM does not provide legal, accounting or auditing advice. IBM also does not represent or warrant that its services or products will ensure that clients are compliant with any applicable laws or regulations.
