SlideShare a Scribd company logo

NBFCs and IT Governance-Ensuring Future Readiness.pdf

C
ConnectAffluence

The RBI's regulations aim to ensure NBFCs uphold strong cybersecurity standards, safeguarding consumers and enhancing trust in the financial sector, particularly in light of recent incidents such as Paytm Payment ban (Jan 2024) due to significant KYC irregularities, deficiencies observed in loan sanctioning processes at JM Financials (March 2024), material supervisory concerns at IIFL Finance (March 2024), and data security concerns coupled with deficient IT infrastructure at Kotak Bank (April 2024).

Economy & Finance
1 of 8
Download to read offline
Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td I. CURRENT PROTOCOLS FOR NBFCS: Under the current system, there were dozens of directives and alerts regulating the realm of space, which were considered outdated given the evolving environment. The deficiency of the current structure is highlighted by the fact that Indian banks documented 200+ data breaches in 2022—an astounding 20 percent of the global sum. This prompted the RBI to reassess the IT governance and cybersecurity framework for the financial industry. Source - The Hindu *As of 2022, only 24 percent of businesses and organizations in India were fully equipped to handle their own cybersecurity concerns, according to the CISCO Cybersecurity Readiness Index. Meanwhile, over 30 percent were still in the formative phase of readiness  Challenges in the Financial Sector: The recent regulatory actions by the Reserve Bank of India against various banks and Non-Banking Financial Companies (NBFCs) have highlighted the critical importance of robust IT systems. Instances of IT system gaps have led to regulatory scrutiny and actions, impacting customer on-boarding and service offerings.  Regulatory Scrutiny: The RBI's actions against Kotak Mahindra Bank and other financial entities underscore the need for stringent IT governance and controls to ensure the security and resilience of IT systems within the financial sector.  Industry Incidents: This wasn’t a one off case, but the industry has seen it across various banks and NBFC coming under the RBI’s scrutiny. o HDFC BANK - Dec 2020 (Multiple glitches linked to digital banking, cards and payments) o American Express - April 2021 (Non-compliant on storage of payment system data) o Master Card - July 2021 (Non-compliance with data storage regulation)
Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td o M&M Finance - Sept 2022 ( Material supervisory concern) o Bajaj Finance - Nov 2023 ( Non- adherence with central banks digital lending guidelines) o Paytm Payment ban - Jan 2024 ( Significant KYC irregularities) o JM Financials - March 2024 (Serious deficiencies observed in its loan sanctioning process) o IIFL Finance - March 2024 ( Material supervisory concerns) o Kotak Bank – April 2024 – ( Data Security concern and deficient IT infrastructure) *India witnesses 18% surge in weekly cyber-attacks in Q1 2023 More than 1.3 million cyber-attacks were reported across India in 2022. This was a significant increase compared to 2019. The country was amongst the top five with the most number of cyber security incidents that year. Furthermore, India's ranked third in terms of internet user numbers and there by RBI had issues Master Direction on Information Technology Governance to bolster the risk management capabilities of financial institution in India. II. THE RBI'S MASTER DIRECTION ON INFORMATION TECHNOLOGY GOVERNANCE, RISK, CONTROLS, AND ASSURANCE PRACTICES, 2023 Overview: The banker’s bank has issued the Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices, 2023, which outlines the guidelines for Information Technology (IT) Governance and Controls, Business Continuity Management, and 49.46 50.36 53.12 208.46 394.5 1,158.21 1,402.81 1,391.46 0 200 400 600 800 1,000 1,200 1,400 1,600 2015 2016 2017 2018 2019 2020 2021 2022 Number of cyber attacks in thousands Incidents of cyber attacks in India 2015-2022
Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td Information Systems Audit for various financial institutions, including Non-Banking Financial Companies (NBFCs). This Master Direction aims to update and consolidate the existing instructions related to IT Governance and Controls, thereby ensuring a robust framework for managing IT-related risks and ensuring the security and resilience of IT systems within the financial sector. As per the Central banks notice, NBFCs are required to establish a comprehensive IT Governance Framework that aligns with the strategic objectives of the organization and effectively manages IT-related risks. The key focus areas of the IT Governance Framework include strategic alignment, risk management, resource management, performance management, and Business Continuity/Disaster Recovery Management. This framework is designed to specify the governance structure and processes necessary to meet the business/strategic objectives of the NBFCs, as well as to define the roles and responsibilities of the Board of Directors, Senior Management, and IT Steering Committee. Furthermore, the Master Direction emphasizes the importance of establishing an Enterprise-wide risk management policy or operational risk management policy that incorporates periodic assessment of IT-related risks, both inherent and potential risks. This policy is essential for ensuring accountability and mitigation of IT and cyber/information security risks within NBFCs. In addition to the IT Governance Framework, the Master Direction also outlines the requirements for IT Infrastructure & Services Management, IT and Information Security Risk Management, and Business Continuity and Disaster Recovery Management. These requirements include guidelines for IT Services Management, Third-Party Arrangements, Capacity Management, Project Management, Change and Patch Management, Data Migration Controls, Audit Trails, Cryptographic controls, Physical and Environmental Controls, Access Controls, Controls on Teleworking, and Metrics. 1. Elevated Responsibility and Supervision by Board and Senior Leadership One of the primary consequences is the heightened responsibility and oversight demanded from the Board of Directors and top management concerning technology strategy and cybersecurity. According to the central banks directives, the Board will be tasked with endorsing IT strategy, security protocols, cyber crisis management blueprints, and continuity strategies. This reflects a clear acknowledgment of the importance of IT systems for delivering customer service through various platforms and the increasing influence of cyber threats on business resilience.
Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td Previously, boards of financial institutions primarily concentrated on business, financial, and credit hazards. However, the extensive integration of technology in the industry signifies that boards can no longer afford to take a hands-off stance towards IT governance and security. Directors will now need to acquire expertise on technology blueprints, cyber threats, resilience investments, and routinely scrutinize reports from the IT strategy committee and the Chief Information Security Officer. Financial institutions must also form a specialized IT strategy committee consisting of a minimum of three directors. It is required that the head of this committee be an independent director with substantial expertise in managing technology projects. This guarantees that IT investments and strategies are overseen with competency as a priority. At the senior management tier, the guidelines amplify responsibility to ensure the execution of the IT strategy approved by the board and the effective reinforcement of cybersecurity protocols and measures. Additionally, the risk management function is required to closely collaborate with IT and information security teams while providing regular updates to the board. 2. Requirement for Strong IT Governance Structures A fundamental aspect of the master direction is the requirement for regulated entities to institute robust IT governance frameworks encompassing vision, strategy, risk management, resource utilization, performance evaluation, and business continuity. Distinct ownership of IT strategy and cybersecurity must be delineated across board committees, senior management, and IT leadership. The directives also dictate the establishment of an IT steering committee comprising both business and technology divisions to supervise IT risk management, project execution, architectural standards, etc., under the oversight of senior management. Presently, many financial entities in India possess makeshift IT governance structures with ambiguous responsibilities. Additionally, technology investments often fail to align with long-term business objectives. The Central banks new master direction will necessitate a significant overhaul of IT governance with a comprehensive framework. Matters such as IT-business synchronization, resource allocation, and competency enhancement will demand strategic deliberations between Chief Information Officers and business executives. 3. Amplified Emphasis on Risk Evaluations and Management
Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td The Central Banks notice signifies necessitates the IT risks to be formally identified, evaluated, and assimilated into the enterprise-wide risk management policy and framework. Cyber threats are no longer isolated but integrated into the overarching risk spectrum. Financial entities must clearly outline the IT and cyber risk landscape based on their business operations, technology adoptions, digital platforms provided to clients, and threat scenarios. Furthermore, roles and responsibilities for IT risk management at operational levels necessitate elaboration. Significantly, these risks must be monitored and regularly reported to the IT strategy committee and the board. Risk appetite declarations must also quantify tolerance for IT risks, with resource allocations made accordingly. This entails close collaboration between the IT and risk teams, spanning from risk identification to quarterly reporting. 4. Strengthening Cybersecurity Measures In the updated Central Banks guidelines, there's a heightened emphasis on enhancing cybersecurity capabilities. Regulated entities are now required to fortify their cybersecurity defenses across various fronts, as detailed below:  Recruiting or training skilled professionals for continuous security monitoring, threat detection, incident response, and digital forensics.  Establishing robust Security Operations Centers (SOCs) to manage security operations effectively.  Deploying 24/7 monitoring for network and endpoint threats, intrusion prevention, vulnerability management, and privileged access control.  Conducting regular assessments of cyber risks and controls, including vulnerability scans and penetration tests.  Implementing multi-factor authentication for critical systems, remote access, and privileged users.  Developing protocols for cyber crisis management and incident response, with clearly defined procedures.  Vigilantly tracking security events and incidents for root cause analysis and remediation.  Promptly reporting significant incidents to CERT-In and RBI in accordance with guidelines. 5. Enhancing business Resilience and Disaster Recovery Readiness
Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td The Central banker has outlined directives for financial institutions to evaluate the business impact and establish suitable recovery time and recovery point objectives for critical IT systems and applications. This directive stems from the necessity to maintain uninterrupted banking services for customers even during disruptions. For essential applications such as core banking systems, the guidelines advocate that there should be no data loss i.e. Recovery Point Objectives (RPO) and very minimal downtime Recovery Time Objectives (RTO) during disaster/disruption. Achieving this entails data mirroring across Data Centers (DC) and Data Recovery (DR) sites, along with system that can clearly switch over in case of problem. Banks are required to evaluate their current Business Continuity (BC) and Disaster Recovery (DR) arrangements against RBI guidance. Any deficiencies, such as lack of data replicas or untested failover plans, will necessitate significant investments. Moreover, the guidelines mandate biannual disaster recovery drills and testing of BC plans under various scenarios. Any issues identified during DR tests must be promptly addressed. 6. Strengthening Oversight of Third-Party Technology Risks Financial institutions increasingly rely on technology vendors, leveraging fintech, cloud service providers, and managed security service providers for rapid innovation and cost efficiencies. However, this reliance on third-party entities might introduces associated risks, as highlighted by the RBI. Regulated entities must conduct more frequent assessments of supplier risks and develop capabilities for effective vendor management. Contracts with third parties should enforce compliance with RBI guidelines on security, availability, and confidentiality. Collaborative testing to validate service levels and resilience capabilities must also be established. For critical IT services outsourced, the RBI mandates the maintenance of source code escrows to mitigate vendor lock-in risks. Additionally, change management controls and vulnerability assessments apply to third-party managed systems. 7. Ramping Up IT Audit Frequency and Coverage Due to the considerable monetary investments made in technology and the risks involved, the central banks places a much stronger emphasis on frequency and scope of IT audits. Regulated entities are advised to adopt a risk-based approach to information systems audits, covering aspects of IT governance, controls, and security. Continuous IT audits leveraging automation are recommended, particularly for core banking and critical systems.
Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td The audit committee of the board is entrusted with overseeing IT audit findings, tracking issues, and recommending corrective measures. Key focus areas should include cybersecurity, access controls, DR readiness, and vendor risks. Utilizing external audit resources is permissible in cases where in-house expertise is lacking. There by with this initiative a comprehensive assurance to the board regarding the effectiveness of technology controls and cyber resilience initiatives. Challenges:  Technology Investment  Limited talent pool network  Technology evolution outpaces implementation  Internal Team preparedness Benefits:  Data Protection and Privacy  Cyber-security no more operating as a silo, there by better integration in the system and awareness amongst the stakeholder  Digital Transaction scalability  Financial Eco-system will be strengthen leveraging tech and data Future IT implementation:  Block chain  Neo- Banking  Open- Banking III.KEY HIGHLIGHTS – RBI’S MASTER DIRECTION 2023 IT Governance Framework  Risk Management  Resource Management  Business continuity / Disaster recovery management Board Level IT strategy committee  Establish Board level IT Strategy Committee (ITSC)
Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td Role of Board of directors  The strategies and policies related to IT, Information Assets, Business Continuity, Information Security, and Cyber Security (including Incident Response and Recovery Management / Cyber Crisis Management) shall be approved by the Board of Directors. Third party Arrangement  REs shall, put in place appropriate vendor risk assessment process and controls proportionate to the assessed risk and materiality Data migration and control  REs shall have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency. IT and Information security Risk Management  Periodic review of IT related risks  Conduct of Vulnerability Assessment (VA) / Penetration Testing (PT) Business Continuity and Disaster Recovery Management  The BCP and DR policy shall adopt best practices18 to guide its actions in reducing the likelihood or impact of the disruptive incidents and maintaining business continuity. Disclaimer: This article provides general information existing at the time of preparation and we take no responsibility to update it with the subsequent changes in the law. The article is intended as a news update and Affluence Advisory neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this article. It is recommended that professional advice be taken based on specific facts and circumstances. This article does not substitute the need to refer to the original pronouncement

Recommended

RBI Gopalakrishna Committee Report on IT
RBI Gopalakrishna Committee Report on ITRBI Gopalakrishna Committee Report on IT
RBI Gopalakrishna Committee Report on IT
Network Intelligence India
 
PwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital ValuePwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital Value
Eileen Chan
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
TraintechTde
 
It Governance in time of Covid-19
It Governance in time of Covid-19It Governance in time of Covid-19
It Governance in time of Covid-19
Rudy Shoushany
 
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk AssessmentHow Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
360factors
 
ACFN vISO eBook
ACFN vISO eBookACFN vISO eBook
ACFN vISO eBook
Patrick Whelan, CISA
 
IT Infrastructure - Importance of IT to Business
IT Infrastructure - Importance of IT to BusinessIT Infrastructure - Importance of IT to Business
IT Infrastructure - Importance of IT to Business
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011
subramanian K
 

Recommended

RBI Gopalakrishna Committee Report on IT
RBI Gopalakrishna Committee Report on ITRBI Gopalakrishna Committee Report on IT
RBI Gopalakrishna Committee Report on IT
Network Intelligence India
 
PwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital ValuePwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital Value
Eileen Chan
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
TraintechTde
 
It Governance in time of Covid-19
It Governance in time of Covid-19It Governance in time of Covid-19
It Governance in time of Covid-19
Rudy Shoushany
 
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk AssessmentHow Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
How Banks Can Develop an Effective Framework for IT and Cyber Risk Assessment
360factors
 
ACFN vISO eBook
ACFN vISO eBookACFN vISO eBook
ACFN vISO eBook
Patrick Whelan, CISA
 
IT Infrastructure - Importance of IT to Business
IT Infrastructure - Importance of IT to BusinessIT Infrastructure - Importance of IT to Business
IT Infrastructure - Importance of IT to Business
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011Security architecture rajagiri talk march 2011
Security architecture rajagiri talk march 2011
subramanian K
 
Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docx
Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docxPage 1 of 4 Bullzeye Data Breach Readiness Assessment .docx
Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docx
alfred4lewis58146
 
An Introduction To ICT Continuity Based On BS 25777
An Introduction To ICT Continuity Based On BS 25777An Introduction To ICT Continuity Based On BS 25777
An Introduction To ICT Continuity Based On BS 25777
Yasmine Anino
 
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
GrapesTech Solutions
 
Top 10 Risk Management Trends for 2024 #riskmanagement
Top 10 Risk Management Trends for 2024 #riskmanagementTop 10 Risk Management Trends for 2024 #riskmanagement
Top 10 Risk Management Trends for 2024 #riskmanagement
360factors
 
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
jamiejohngianna
 
National Cyber Security Strategy 2020 DSCI submission.pdf
National Cyber Security Strategy 2020 DSCI submission.pdfNational Cyber Security Strategy 2020 DSCI submission.pdf
National Cyber Security Strategy 2020 DSCI submission.pdf
sri_ias
 
Guidelines NRB-it guidelines 2012-new
Guidelines NRB-it guidelines 2012-newGuidelines NRB-it guidelines 2012-new
Guidelines NRB-it guidelines 2012-new
deepa bhattarai
 
Nepal Rastra Bank Information Technology Guidelines
Nepal Rastra Bank Information Technology GuidelinesNepal Rastra Bank Information Technology Guidelines
Nepal Rastra Bank Information Technology Guidelines
ICT Frame Magazine Pvt. Ltd.
 
Securing Cloud Computing Through IT Governance
Securing Cloud Computing Through IT GovernanceSecuring Cloud Computing Through IT Governance
Securing Cloud Computing Through IT Governance
ITIIIndustries
 
Bullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docxBullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docx
CruzIbarra161
 
1. EmergingTechnologies_PwC_InvestIndia.pdf
1. EmergingTechnologies_PwC_InvestIndia.pdf1. EmergingTechnologies_PwC_InvestIndia.pdf
1. EmergingTechnologies_PwC_InvestIndia.pdf
TanmayPednekar3
 
Item46763
Item46763Item46763
Item46763
madunix
 
Alpha : Challenges in consulting industry
Alpha : Challenges in consulting industryAlpha : Challenges in consulting industry
Alpha : Challenges in consulting industry
Harender Singh
 
Impacts of FITARA on IT Security & IT Spending
Impacts of FITARA on IT Security & IT SpendingImpacts of FITARA on IT Security & IT Spending
Impacts of FITARA on IT Security & IT Spending
V-Project Management Consulting, LLC
 
COBIT Intor.pptx
COBIT Intor.pptxCOBIT Intor.pptx
COBIT Intor.pptx
cassimjuma08
 
CV of Mohan M
CV of Mohan MCV of Mohan M
CV of Mohan M
Mohan M
 
IT Governances
IT GovernancesIT Governances
IT Governances
Jerald Burget
 
Navigating the Digital Landscape.pdf
Navigating the Digital Landscape.pdfNavigating the Digital Landscape.pdf
Navigating the Digital Landscape.pdf
savassociates1
 
Report on IT Auditing and Governance_Ta_Hoang_Thang
Report on IT Auditing and Governance_Ta_Hoang_ThangReport on IT Auditing and Governance_Ta_Hoang_Thang
Report on IT Auditing and Governance_Ta_Hoang_Thang
Thang Ta Hoang
 
contributed articlesm a r c h 2 0 1 0 v o l . 5 3
contributed articlesm a r c h 2 0 1 0 v o l . 5 3 contributed articlesm a r c h 2 0 1 0 v o l . 5 3
contributed articlesm a r c h 2 0 1 0 v o l . 5 3
DioneWang844
 
Responsibilities of the NBFCs registered with RBI, with regard to submission ...
Responsibilities of the NBFCs registered with RBI, with regard to submission ...Responsibilities of the NBFCs registered with RBI, with regard to submission ...
Responsibilities of the NBFCs registered with RBI, with regard to submission ...
ConnectAffluence
 
Refund Process under GST across Different Categories.pdf
Refund Process under GST across Different Categories.pdfRefund Process under GST across Different Categories.pdf
Refund Process under GST across Different Categories.pdf
ConnectAffluence
 

More Related Content

Similar to NBFCs and IT Governance-Ensuring Future Readiness.pdf

Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docx
Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docxPage 1 of 4 Bullzeye Data Breach Readiness Assessment .docx
Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docx
alfred4lewis58146
 
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
GrapesTech Solutions
 
Securing Cloud Computing Through IT Governance
Securing Cloud Computing Through IT GovernanceSecuring Cloud Computing Through IT Governance
Securing Cloud Computing Through IT Governance
ITIIIndustries
 
Bullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docxBullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docx
CruzIbarra161
 
Alpha : Challenges in consulting industry
Alpha : Challenges in consulting industryAlpha : Challenges in consulting industry
Alpha : Challenges in consulting industry
Harender Singh
 
CV of Mohan M
CV of Mohan MCV of Mohan M
CV of Mohan M
Mohan M
 
Report on IT Auditing and Governance_Ta_Hoang_Thang
Report on IT Auditing and Governance_Ta_Hoang_ThangReport on IT Auditing and Governance_Ta_Hoang_Thang
Report on IT Auditing and Governance_Ta_Hoang_Thang
Thang Ta Hoang
 
contributed articlesm a r c h 2 0 1 0 v o l . 5 3
contributed articlesm a r c h 2 0 1 0 v o l . 5 3 contributed articlesm a r c h 2 0 1 0 v o l . 5 3
contributed articlesm a r c h 2 0 1 0 v o l . 5 3
DioneWang844
 

Similar to NBFCs and IT Governance-Ensuring Future Readiness.pdf (20)

Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docx
Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docxPage 1 of 4 Bullzeye Data Breach Readiness Assessment .docx
Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docx
 
An Introduction To ICT Continuity Based On BS 25777
An Introduction To ICT Continuity Based On BS 25777An Introduction To ICT Continuity Based On BS 25777
An Introduction To ICT Continuity Based On BS 25777
 
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
 
Top 10 Risk Management Trends for 2024 #riskmanagement
Top 10 Risk Management Trends for 2024 #riskmanagementTop 10 Risk Management Trends for 2024 #riskmanagement
Top 10 Risk Management Trends for 2024 #riskmanagement
 
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
 
National Cyber Security Strategy 2020 DSCI submission.pdf
National Cyber Security Strategy 2020 DSCI submission.pdfNational Cyber Security Strategy 2020 DSCI submission.pdf
National Cyber Security Strategy 2020 DSCI submission.pdf
 
Guidelines NRB-it guidelines 2012-new
Guidelines NRB-it guidelines 2012-newGuidelines NRB-it guidelines 2012-new
Guidelines NRB-it guidelines 2012-new
 
Nepal Rastra Bank Information Technology Guidelines
Nepal Rastra Bank Information Technology GuidelinesNepal Rastra Bank Information Technology Guidelines
Nepal Rastra Bank Information Technology Guidelines
 
Securing Cloud Computing Through IT Governance
Securing Cloud Computing Through IT GovernanceSecuring Cloud Computing Through IT Governance
Securing Cloud Computing Through IT Governance
 
Bullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docxBullzeye is a discount retailer offering a wide range of products,.docx
Bullzeye is a discount retailer offering a wide range of products,.docx
 
1. EmergingTechnologies_PwC_InvestIndia.pdf
1. EmergingTechnologies_PwC_InvestIndia.pdf1. EmergingTechnologies_PwC_InvestIndia.pdf
1. EmergingTechnologies_PwC_InvestIndia.pdf
 
Item46763
Item46763Item46763
Item46763
 
Alpha : Challenges in consulting industry
Alpha : Challenges in consulting industryAlpha : Challenges in consulting industry
Alpha : Challenges in consulting industry
 
Impacts of FITARA on IT Security & IT Spending
Impacts of FITARA on IT Security & IT SpendingImpacts of FITARA on IT Security & IT Spending
Impacts of FITARA on IT Security & IT Spending
 
COBIT Intor.pptx
COBIT Intor.pptxCOBIT Intor.pptx
COBIT Intor.pptx
 
CV of Mohan M
CV of Mohan MCV of Mohan M
CV of Mohan M
 
IT Governances
IT GovernancesIT Governances
IT Governances
 
Navigating the Digital Landscape.pdf
Navigating the Digital Landscape.pdfNavigating the Digital Landscape.pdf
Navigating the Digital Landscape.pdf
 
Report on IT Auditing and Governance_Ta_Hoang_Thang
Report on IT Auditing and Governance_Ta_Hoang_ThangReport on IT Auditing and Governance_Ta_Hoang_Thang
Report on IT Auditing and Governance_Ta_Hoang_Thang
 
contributed articlesm a r c h 2 0 1 0 v o l . 5 3
contributed articlesm a r c h 2 0 1 0 v o l . 5 3 contributed articlesm a r c h 2 0 1 0 v o l . 5 3
contributed articlesm a r c h 2 0 1 0 v o l . 5 3
 

More from ConnectAffluence

Responsibilities of the NBFCs registered with RBI, with regard to submission ...
Responsibilities of the NBFCs registered with RBI, with regard to submission ...Responsibilities of the NBFCs registered with RBI, with regard to submission ...
Responsibilities of the NBFCs registered with RBI, with regard to submission ...
ConnectAffluence
 

More from ConnectAffluence (7)

Responsibilities of the NBFCs registered with RBI, with regard to submission ...
Responsibilities of the NBFCs registered with RBI, with regard to submission ...Responsibilities of the NBFCs registered with RBI, with regard to submission ...
Responsibilities of the NBFCs registered with RBI, with regard to submission ...
 
Refund Process under GST across Different Categories.pdf
Refund Process under GST across Different Categories.pdfRefund Process under GST across Different Categories.pdf
Refund Process under GST across Different Categories.pdf
 
Comprehensive guide to POSH Act, 2013.pdf
Comprehensive guide to POSH Act, 2013.pdfComprehensive guide to POSH Act, 2013.pdf
Comprehensive guide to POSH Act, 2013.pdf
 
Web Form CSR 2 - CSR & Its Compliance under Companies Act, 2013.pdf
Web Form CSR 2 - CSR & Its Compliance under Companies Act, 2013.pdfWeb Form CSR 2 - CSR & Its Compliance under Companies Act, 2013.pdf
Web Form CSR 2 - CSR & Its Compliance under Companies Act, 2013.pdf
 
RBI's Move to Regulate Investments in Alternative Investment Fund (AIFs).pdf
RBI's Move to Regulate Investments in Alternative Investment Fund (AIFs).pdfRBI's Move to Regulate Investments in Alternative Investment Fund (AIFs).pdf
RBI's Move to Regulate Investments in Alternative Investment Fund (AIFs).pdf
 
Tally Prime Keyboard Shortcuts.pdf
Tally Prime Keyboard Shortcuts.pdfTally Prime Keyboard Shortcuts.pdf
Tally Prime Keyboard Shortcuts.pdf
 
IPO Advisory Services by Affluence Advisory Pvt Ltd.pdf
IPO Advisory Services by Affluence Advisory Pvt Ltd.pdfIPO Advisory Services by Affluence Advisory Pvt Ltd.pdf
IPO Advisory Services by Affluence Advisory Pvt Ltd.pdf
 

Recently uploaded

ASSESSING HRM EFFECTIVENESS AND PERFORMANCE ENHANCEMENT MEASURES IN THE BANKI...
ASSESSING HRM EFFECTIVENESS AND PERFORMANCE ENHANCEMENT MEASURES IN THE BANKI...ASSESSING HRM EFFECTIVENESS AND PERFORMANCE ENHANCEMENT MEASURES IN THE BANKI...
ASSESSING HRM EFFECTIVENESS AND PERFORMANCE ENHANCEMENT MEASURES IN THE BANKI...
indexPub
 
一比一原版(SFU毕业证书)西蒙菲莎大学毕业证成绩单学位证书
一比一原版(SFU毕业证书)西蒙菲莎大学毕业证成绩单学位证书一比一原版(SFU毕业证书)西蒙菲莎大学毕业证成绩单学位证书
一比一原版(SFU毕业证书)西蒙菲莎大学毕业证成绩单学位证书
atedyxc
 
一比一原版(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单学位证书
一比一原版(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单学位证书一比一原版(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单学位证书
一比一原版(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单学位证书
atedyxc
 
一比一原版(Caltech毕业证书)加利福尼亚理工学院毕业证成绩单学位证书
一比一原版(Caltech毕业证书)加利福尼亚理工学院毕业证成绩单学位证书一比一原版(Caltech毕业证书)加利福尼亚理工学院毕业证成绩单学位证书
一比一原版(Caltech毕业证书)加利福尼亚理工学院毕业证成绩单学位证书
atedyxc
 
State Space Tutorial.pptxjjjjjjjjjjjjjjj
State Space Tutorial.pptxjjjjjjjjjjjjjjjState Space Tutorial.pptxjjjjjjjjjjjjjjj
State Space Tutorial.pptxjjjjjjjjjjjjjjj
joshuaclack73
 
Bahawalpur Culture.pptx pptx pptx pttx pttx
Bahawalpur Culture.pptx pptx pptx pttx pttxBahawalpur Culture.pptx pptx pptx pttx pttx
Bahawalpur Culture.pptx pptx pptx pttx pttx
AbdulNasirNichari
 
How can I withdraw my pi coins to real money in India.
How can I withdraw my pi coins to real money in India.How can I withdraw my pi coins to real money in India.
How can I withdraw my pi coins to real money in India.
DOT TECH
 
SAUDI ARABIYA | +966572737505 |Jeddah Get Cytotec pills for Abortion pills
SAUDI ARABIYA | +966572737505 |Jeddah Get Cytotec pills for Abortion pillsSAUDI ARABIYA | +966572737505 |Jeddah Get Cytotec pills for Abortion pills
SAUDI ARABIYA | +966572737505 |Jeddah Get Cytotec pills for Abortion pills
Abortion pills in Riyadh +966572737505 get cytotec
 
一比一原版(UCSB毕业证书)圣塔芭芭拉社区大学毕业证成绩单学位证书
一比一原版(UCSB毕业证书)圣塔芭芭拉社区大学毕业证成绩单学位证书一比一原版(UCSB毕业证书)圣塔芭芭拉社区大学毕业证成绩单学位证书
一比一原版(UCSB毕业证书)圣塔芭芭拉社区大学毕业证成绩单学位证书
atedyxc
 
How do I sell my Pi Network currency in 2024?
How do I sell my Pi Network currency in 2024?How do I sell my Pi Network currency in 2024?
How do I sell my Pi Network currency in 2024?
DOT TECH
 

Recently uploaded (20)

ASSESSING HRM EFFECTIVENESS AND PERFORMANCE ENHANCEMENT MEASURES IN THE BANKI...
ASSESSING HRM EFFECTIVENESS AND PERFORMANCE ENHANCEMENT MEASURES IN THE BANKI...ASSESSING HRM EFFECTIVENESS AND PERFORMANCE ENHANCEMENT MEASURES IN THE BANKI...
ASSESSING HRM EFFECTIVENESS AND PERFORMANCE ENHANCEMENT MEASURES IN THE BANKI...
 
Big developments in Lesotho Butha-Buthe.
Big developments in Lesotho Butha-Buthe.Big developments in Lesotho Butha-Buthe.
Big developments in Lesotho Butha-Buthe.
 
一比一原版(SFU毕业证书)西蒙菲莎大学毕业证成绩单学位证书
一比一原版(SFU毕业证书)西蒙菲莎大学毕业证成绩单学位证书一比一原版(SFU毕业证书)西蒙菲莎大学毕业证成绩单学位证书
一比一原版(SFU毕业证书)西蒙菲莎大学毕业证成绩单学位证书
 
Economic Risk Factor Update: May 2024 [SlideShare]
Economic Risk Factor Update: May 2024 [SlideShare]Economic Risk Factor Update: May 2024 [SlideShare]
Economic Risk Factor Update: May 2024 [SlideShare]
 
一比一原版(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单学位证书
一比一原版(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单学位证书一比一原版(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单学位证书
一比一原版(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单学位证书
 
project ratio analysis of bcom studies .
project ratio analysis of bcom studies .project ratio analysis of bcom studies .
project ratio analysis of bcom studies .
 
一比一原版(Caltech毕业证书)加利福尼亚理工学院毕业证成绩单学位证书
一比一原版(Caltech毕业证书)加利福尼亚理工学院毕业证成绩单学位证书一比一原版(Caltech毕业证书)加利福尼亚理工学院毕业证成绩单学位证书
一比一原版(Caltech毕业证书)加利福尼亚理工学院毕业证成绩单学位证书
 
Slideshare - ONS Economic Forum Slidepack - 13 May 2024.pptx
Slideshare - ONS Economic Forum Slidepack - 13 May 2024.pptxSlideshare - ONS Economic Forum Slidepack - 13 May 2024.pptx
Slideshare - ONS Economic Forum Slidepack - 13 May 2024.pptx
 
State Space Tutorial.pptxjjjjjjjjjjjjjjj
State Space Tutorial.pptxjjjjjjjjjjjjjjjState Space Tutorial.pptxjjjjjjjjjjjjjjj
State Space Tutorial.pptxjjjjjjjjjjjjjjj
 
Bahawalpur Culture.pptx pptx pptx pttx pttx
Bahawalpur Culture.pptx pptx pptx pttx pttxBahawalpur Culture.pptx pptx pptx pttx pttx
Bahawalpur Culture.pptx pptx pptx pttx pttx
 
Retail sector trends for 2024 | European Business Review
Retail sector trends for 2024 | European Business ReviewRetail sector trends for 2024 | European Business Review
Retail sector trends for 2024 | European Business Review
 
How can I withdraw my pi coins to real money in India.
How can I withdraw my pi coins to real money in India.How can I withdraw my pi coins to real money in India.
How can I withdraw my pi coins to real money in India.
 
SAUDI ARABIYA | +966572737505 |Jeddah Get Cytotec pills for Abortion pills
SAUDI ARABIYA | +966572737505 |Jeddah Get Cytotec pills for Abortion pillsSAUDI ARABIYA | +966572737505 |Jeddah Get Cytotec pills for Abortion pills
SAUDI ARABIYA | +966572737505 |Jeddah Get Cytotec pills for Abortion pills
 
20240514-Calibre-Q1-2024-Conference-Call-Presentation.pdf
20240514-Calibre-Q1-2024-Conference-Call-Presentation.pdf20240514-Calibre-Q1-2024-Conference-Call-Presentation.pdf
20240514-Calibre-Q1-2024-Conference-Call-Presentation.pdf
 
一比一原版(UCSB毕业证书)圣塔芭芭拉社区大学毕业证成绩单学位证书
一比一原版(UCSB毕业证书)圣塔芭芭拉社区大学毕业证成绩单学位证书一比一原版(UCSB毕业证书)圣塔芭芭拉社区大学毕业证成绩单学位证书
一比一原版(UCSB毕业证书)圣塔芭芭拉社区大学毕业证成绩单学位证书
 
L1 2024 Prequisite QM persion milad1371.pdf
L1 2024 Prequisite QM persion milad1371.pdfL1 2024 Prequisite QM persion milad1371.pdf
L1 2024 Prequisite QM persion milad1371.pdf
 
Understanding China(International Trade-Chinese Model of development-Export l...
Understanding China(International Trade-Chinese Model of development-Export l...Understanding China(International Trade-Chinese Model of development-Export l...
Understanding China(International Trade-Chinese Model of development-Export l...
 
Production and Cost of the firm with curves
Production and Cost of the firm with curvesProduction and Cost of the firm with curves
Production and Cost of the firm with curves
 
1. Elemental Economics - Introduction to mining
1. Elemental Economics - Introduction to mining1. Elemental Economics - Introduction to mining
1. Elemental Economics - Introduction to mining
 
How do I sell my Pi Network currency in 2024?
How do I sell my Pi Network currency in 2024?How do I sell my Pi Network currency in 2024?
How do I sell my Pi Network currency in 2024?
 

NBFCs and IT Governance-Ensuring Future Readiness.pdf

  • 1. Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td I. CURRENT PROTOCOLS FOR NBFCS: Under the current system, there were dozens of directives and alerts regulating the realm of space, which were considered outdated given the evolving environment. The deficiency of the current structure is highlighted by the fact that Indian banks documented 200+ data breaches in 2022—an astounding 20 percent of the global sum. This prompted the RBI to reassess the IT governance and cybersecurity framework for the financial industry. Source - The Hindu *As of 2022, only 24 percent of businesses and organizations in India were fully equipped to handle their own cybersecurity concerns, according to the CISCO Cybersecurity Readiness Index. Meanwhile, over 30 percent were still in the formative phase of readiness  Challenges in the Financial Sector: The recent regulatory actions by the Reserve Bank of India against various banks and Non-Banking Financial Companies (NBFCs) have highlighted the critical importance of robust IT systems. Instances of IT system gaps have led to regulatory scrutiny and actions, impacting customer on-boarding and service offerings.  Regulatory Scrutiny: The RBI's actions against Kotak Mahindra Bank and other financial entities underscore the need for stringent IT governance and controls to ensure the security and resilience of IT systems within the financial sector.  Industry Incidents: This wasn’t a one off case, but the industry has seen it across various banks and NBFC coming under the RBI’s scrutiny. o HDFC BANK - Dec 2020 (Multiple glitches linked to digital banking, cards and payments) o American Express - April 2021 (Non-compliant on storage of payment system data) o Master Card - July 2021 (Non-compliance with data storage regulation)
  • 2. Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td o M&M Finance - Sept 2022 ( Material supervisory concern) o Bajaj Finance - Nov 2023 ( Non- adherence with central banks digital lending guidelines) o Paytm Payment ban - Jan 2024 ( Significant KYC irregularities) o JM Financials - March 2024 (Serious deficiencies observed in its loan sanctioning process) o IIFL Finance - March 2024 ( Material supervisory concerns) o Kotak Bank – April 2024 – ( Data Security concern and deficient IT infrastructure) *India witnesses 18% surge in weekly cyber-attacks in Q1 2023 More than 1.3 million cyber-attacks were reported across India in 2022. This was a significant increase compared to 2019. The country was amongst the top five with the most number of cyber security incidents that year. Furthermore, India's ranked third in terms of internet user numbers and there by RBI had issues Master Direction on Information Technology Governance to bolster the risk management capabilities of financial institution in India. II. THE RBI'S MASTER DIRECTION ON INFORMATION TECHNOLOGY GOVERNANCE, RISK, CONTROLS, AND ASSURANCE PRACTICES, 2023 Overview: The banker’s bank has issued the Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices, 2023, which outlines the guidelines for Information Technology (IT) Governance and Controls, Business Continuity Management, and 49.46 50.36 53.12 208.46 394.5 1,158.21 1,402.81 1,391.46 0 200 400 600 800 1,000 1,200 1,400 1,600 2015 2016 2017 2018 2019 2020 2021 2022 Number of cyber attacks in thousands Incidents of cyber attacks in India 2015-2022
  • 3. Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td Information Systems Audit for various financial institutions, including Non-Banking Financial Companies (NBFCs). This Master Direction aims to update and consolidate the existing instructions related to IT Governance and Controls, thereby ensuring a robust framework for managing IT-related risks and ensuring the security and resilience of IT systems within the financial sector. As per the Central banks notice, NBFCs are required to establish a comprehensive IT Governance Framework that aligns with the strategic objectives of the organization and effectively manages IT-related risks. The key focus areas of the IT Governance Framework include strategic alignment, risk management, resource management, performance management, and Business Continuity/Disaster Recovery Management. This framework is designed to specify the governance structure and processes necessary to meet the business/strategic objectives of the NBFCs, as well as to define the roles and responsibilities of the Board of Directors, Senior Management, and IT Steering Committee. Furthermore, the Master Direction emphasizes the importance of establishing an Enterprise-wide risk management policy or operational risk management policy that incorporates periodic assessment of IT-related risks, both inherent and potential risks. This policy is essential for ensuring accountability and mitigation of IT and cyber/information security risks within NBFCs. In addition to the IT Governance Framework, the Master Direction also outlines the requirements for IT Infrastructure & Services Management, IT and Information Security Risk Management, and Business Continuity and Disaster Recovery Management. These requirements include guidelines for IT Services Management, Third-Party Arrangements, Capacity Management, Project Management, Change and Patch Management, Data Migration Controls, Audit Trails, Cryptographic controls, Physical and Environmental Controls, Access Controls, Controls on Teleworking, and Metrics. 1. Elevated Responsibility and Supervision by Board and Senior Leadership One of the primary consequences is the heightened responsibility and oversight demanded from the Board of Directors and top management concerning technology strategy and cybersecurity. According to the central banks directives, the Board will be tasked with endorsing IT strategy, security protocols, cyber crisis management blueprints, and continuity strategies. This reflects a clear acknowledgment of the importance of IT systems for delivering customer service through various platforms and the increasing influence of cyber threats on business resilience.
  • 4. Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td Previously, boards of financial institutions primarily concentrated on business, financial, and credit hazards. However, the extensive integration of technology in the industry signifies that boards can no longer afford to take a hands-off stance towards IT governance and security. Directors will now need to acquire expertise on technology blueprints, cyber threats, resilience investments, and routinely scrutinize reports from the IT strategy committee and the Chief Information Security Officer. Financial institutions must also form a specialized IT strategy committee consisting of a minimum of three directors. It is required that the head of this committee be an independent director with substantial expertise in managing technology projects. This guarantees that IT investments and strategies are overseen with competency as a priority. At the senior management tier, the guidelines amplify responsibility to ensure the execution of the IT strategy approved by the board and the effective reinforcement of cybersecurity protocols and measures. Additionally, the risk management function is required to closely collaborate with IT and information security teams while providing regular updates to the board. 2. Requirement for Strong IT Governance Structures A fundamental aspect of the master direction is the requirement for regulated entities to institute robust IT governance frameworks encompassing vision, strategy, risk management, resource utilization, performance evaluation, and business continuity. Distinct ownership of IT strategy and cybersecurity must be delineated across board committees, senior management, and IT leadership. The directives also dictate the establishment of an IT steering committee comprising both business and technology divisions to supervise IT risk management, project execution, architectural standards, etc., under the oversight of senior management. Presently, many financial entities in India possess makeshift IT governance structures with ambiguous responsibilities. Additionally, technology investments often fail to align with long-term business objectives. The Central banks new master direction will necessitate a significant overhaul of IT governance with a comprehensive framework. Matters such as IT-business synchronization, resource allocation, and competency enhancement will demand strategic deliberations between Chief Information Officers and business executives. 3. Amplified Emphasis on Risk Evaluations and Management
  • 5. Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td The Central Banks notice signifies necessitates the IT risks to be formally identified, evaluated, and assimilated into the enterprise-wide risk management policy and framework. Cyber threats are no longer isolated but integrated into the overarching risk spectrum. Financial entities must clearly outline the IT and cyber risk landscape based on their business operations, technology adoptions, digital platforms provided to clients, and threat scenarios. Furthermore, roles and responsibilities for IT risk management at operational levels necessitate elaboration. Significantly, these risks must be monitored and regularly reported to the IT strategy committee and the board. Risk appetite declarations must also quantify tolerance for IT risks, with resource allocations made accordingly. This entails close collaboration between the IT and risk teams, spanning from risk identification to quarterly reporting. 4. Strengthening Cybersecurity Measures In the updated Central Banks guidelines, there's a heightened emphasis on enhancing cybersecurity capabilities. Regulated entities are now required to fortify their cybersecurity defenses across various fronts, as detailed below:  Recruiting or training skilled professionals for continuous security monitoring, threat detection, incident response, and digital forensics.  Establishing robust Security Operations Centers (SOCs) to manage security operations effectively.  Deploying 24/7 monitoring for network and endpoint threats, intrusion prevention, vulnerability management, and privileged access control.  Conducting regular assessments of cyber risks and controls, including vulnerability scans and penetration tests.  Implementing multi-factor authentication for critical systems, remote access, and privileged users.  Developing protocols for cyber crisis management and incident response, with clearly defined procedures.  Vigilantly tracking security events and incidents for root cause analysis and remediation.  Promptly reporting significant incidents to CERT-In and RBI in accordance with guidelines. 5. Enhancing business Resilience and Disaster Recovery Readiness
  • 6. Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td The Central banker has outlined directives for financial institutions to evaluate the business impact and establish suitable recovery time and recovery point objectives for critical IT systems and applications. This directive stems from the necessity to maintain uninterrupted banking services for customers even during disruptions. For essential applications such as core banking systems, the guidelines advocate that there should be no data loss i.e. Recovery Point Objectives (RPO) and very minimal downtime Recovery Time Objectives (RTO) during disaster/disruption. Achieving this entails data mirroring across Data Centers (DC) and Data Recovery (DR) sites, along with system that can clearly switch over in case of problem. Banks are required to evaluate their current Business Continuity (BC) and Disaster Recovery (DR) arrangements against RBI guidance. Any deficiencies, such as lack of data replicas or untested failover plans, will necessitate significant investments. Moreover, the guidelines mandate biannual disaster recovery drills and testing of BC plans under various scenarios. Any issues identified during DR tests must be promptly addressed. 6. Strengthening Oversight of Third-Party Technology Risks Financial institutions increasingly rely on technology vendors, leveraging fintech, cloud service providers, and managed security service providers for rapid innovation and cost efficiencies. However, this reliance on third-party entities might introduces associated risks, as highlighted by the RBI. Regulated entities must conduct more frequent assessments of supplier risks and develop capabilities for effective vendor management. Contracts with third parties should enforce compliance with RBI guidelines on security, availability, and confidentiality. Collaborative testing to validate service levels and resilience capabilities must also be established. For critical IT services outsourced, the RBI mandates the maintenance of source code escrows to mitigate vendor lock-in risks. Additionally, change management controls and vulnerability assessments apply to third-party managed systems. 7. Ramping Up IT Audit Frequency and Coverage Due to the considerable monetary investments made in technology and the risks involved, the central banks places a much stronger emphasis on frequency and scope of IT audits. Regulated entities are advised to adopt a risk-based approach to information systems audits, covering aspects of IT governance, controls, and security. Continuous IT audits leveraging automation are recommended, particularly for core banking and critical systems.
  • 7. Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td The audit committee of the board is entrusted with overseeing IT audit findings, tracking issues, and recommending corrective measures. Key focus areas should include cybersecurity, access controls, DR readiness, and vendor risks. Utilizing external audit resources is permissible in cases where in-house expertise is lacking. There by with this initiative a comprehensive assurance to the board regarding the effectiveness of technology controls and cyber resilience initiatives. Challenges:  Technology Investment  Limited talent pool network  Technology evolution outpaces implementation  Internal Team preparedness Benefits:  Data Protection and Privacy  Cyber-security no more operating as a silo, there by better integration in the system and awareness amongst the stakeholder  Digital Transaction scalability  Financial Eco-system will be strengthen leveraging tech and data Future IT implementation:  Block chain  Neo- Banking  Open- Banking III.KEY HIGHLIGHTS – RBI’S MASTER DIRECTION 2023 IT Governance Framework  Risk Management  Resource Management  Business continuity / Disaster recovery management Board Level IT strategy committee  Establish Board level IT Strategy Committee (ITSC)
  • 8. Author: Ankit Baid, Research Analyst Affluence Advisory Pvt. Ltd. | Website - www.affluence.net.in |Email - connect@affluence.net.in NBFCs and IT Governance: Ensuring Future Readiness Affluence Advisory Pvt. Ltd. td Role of Board of directors  The strategies and policies related to IT, Information Assets, Business Continuity, Information Security, and Cyber Security (including Incident Response and Recovery Management / Cyber Crisis Management) shall be approved by the Board of Directors. Third party Arrangement  REs shall, put in place appropriate vendor risk assessment process and controls proportionate to the assessed risk and materiality Data migration and control  REs shall have a documented data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness and consistency. IT and Information security Risk Management  Periodic review of IT related risks  Conduct of Vulnerability Assessment (VA) / Penetration Testing (PT) Business Continuity and Disaster Recovery Management  The BCP and DR policy shall adopt best practices18 to guide its actions in reducing the likelihood or impact of the disruptive incidents and maintaining business continuity. Disclaimer: This article provides general information existing at the time of preparation and we take no responsibility to update it with the subsequent changes in the law. The article is intended as a news update and Affluence Advisory neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this article. It is recommended that professional advice be taken based on specific facts and circumstances. This article does not substitute the need to refer to the original pronouncement