The Reserve Bank of India today said the regulated entities (REs), including banks and finance companies, will follow new norms for Information Technology (IT) covering its governance, risks, and management from April 1, 2024.
REs have to put in place a robust IT Governance Framework to cover focus areas such as strategic alignment, risk management, resource management, performance management, and Business Continuity/Disaster Recovery Management. This framework should specify the governance structure and processes necessary to meet the RE's business/strategic objectives, according to RBI's final master circular. The central bank had published a draft Master Direction on the subject in October 2022, seeking public comments.
The framework will specify the roles (including authority) and responsibilities of the Board of Directors, board-level Committee, and Senior Management. It will also address the issue of adequate oversight mechanisms to ensure accountability and mitigation of IT and cyber/information security risks.
The enterprise-wide risk management policy or operational risk management policy will incorporate periodic assessment of IT-related risks (both inherent and potential risks).
The board of an RE would approve the strategies and policies related to IT, Information Assets, Business Continuity, Information Security, and Cyber Security (including Incident Response and Recovery Management/Cyber Crisis Management). It should review such strategies and policies at least annually.
The RE will establish a Board-level IT Strategy Committee (ITSC), which will comprise a minimum of three directors. Its chairman would be an independent director with substantial expertise in managing/guiding information technology initiatives. The ITSC should meet at least on a quarterly basis, RBI said.
REs shall appoint a sufficiently senior level, technically competent and experienced official in IT-related aspects as Head of IT Function. As a first line of defence, the Head of IT Function will have to ensure effective assessment, evaluation and management of IT controls and IT risk, including the implementation of robust internal controls.