The Reserve Bank of India (RBI) Issues Guidelines for Non-Banking Service Providers
On Tuesday, the Reserve Bank of India (RBI) issued final guidelines on cyber resilience and digital payment security controls for non-bank payment system operators (PSOs). These guidelines encompass cyber resilience, fraud monitoring, and baseline security measures.
Who Are Non-Bank PSOs?
Non-bank payment system operators (PSOs) include entities such as Payment System Providers (PSPs) and Non-Banking Financial Companies (NBFCs). These PSOs are regulated by the Reserve Bank of India (RBI) and other financial sector regulators such as the Pension Fund Regulatory and Development Authority (PFRDA), the Insurance Regulatory and Development Authority of India (IRDAI), and the Securities and Exchange Board of India (SEBI).
Applicability of the Guidelines
- a) The provisions of these Directions apply to all authorized non-bank PSOs.
- b) To effectively identify, monitor, control, and manage cyber and technology-related risks arising from linkages of PSOs with unregulated entities that are part of their digital payments ecosystem (such as payment gateways, third-party service providers, vendors, and merchants), PSOs must ensure adherence to these Directions by such unregulated entities, subject to mutual agreement. An organizational policy in this respect, approved by the Board, must be put in place.
Content of the Guidelines
The guidelines consist of four sections, with controls detailed in Sections 2 to 4.
Section 1: Introduction
This section includes the title, commencement, applicability, and purpose of the guidelines.
Section 2: Governance Controls
- The Board of Directors of the PSO is responsible for overseeing information security risks, including cyber risk and resilience.
- They must formulate a Board-approved Information Security policy to manage potential and materialized risks.
- The policy should cover roles and responsibilities of the Board, senior management, and key personnel.
- A Cyber Crisis Management Plan (CCMP) should be prepared based on guidelines from CERT-In, NCIIPC, and IDRBT.
- The Board entrusts the responsibility for implementing the policy and assessing the overall information security (IS) posture to a senior-level executive, such as the Chief Information Security Officer.
- Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) must be defined and monitored.
Section 3: Baseline Information Security Controls
- Inventory Management
- Identity and Access Management
- Network Security
- Application Security Life Cycle
- Security Testing
- Vendor Risk Management
- Data Security
- Patch and Change Management Life Cycle
- Incident Response
- Business Continuity Plan (BCP)
- Application Programming Interfaces (APIs)
- Employee Awareness/Training
- Other Security Measures
Section 4: Digital Payment Security Measures
- Controls for mobile payment service providers, card payments, and prepaid payment instruments service providers are suggested.
- Organizations already complying with PCI-DSS need not put extra effort into complying with these guidelines.
How PSOs Can Comply with the RBI Guidelines
- Accountability
  Organizations should establish clear accountability for overseeing information security-related operations and compliance by:
  - Appointing a Chief Information Security Officer (CISO): The CISO is responsible for developing and implementing the organization’s information security program.
  - Designating a Compliance Officer: This officer ensures that the organization adheres to regulatory requirements.
  - Forming a Security Team: A dedicated team to manage and monitor security measures, respond to incidents, and ensure continuous improvement.
- Information Security Policy
  Organizations should have a comprehensive Information Security Policy that includes:
  - Intent to Comply: Clearly stating the organization’s commitment to adhering to relevant information security guidelines and regulations.
  - Roles and Responsibilities: Defining the roles and responsibilities of the Board, senior management, and key personnel.
  - Cyber Crisis Management Plan (CCMP): Preparing a CCMP based on guidelines from CERT-In, NCIIPC, and IDRBT.
- Management Support
  Top management should:
  - Provide Support: Actively support the implementation of security guidelines.
  - Allocate Resources: Ensure adequate resources are allocated for the effective implementation of the guidelines, including financial, technical, and human resources.
  - Promote a Security Culture: Foster a culture of security awareness and vigilance throughout the organization.
- Regular Audits
  Organizations should conduct regular risk assessments and security audits by:
  - Performing Risk Assessments: Regularly assess risks to identify vulnerabilities and threats.
  - Conducting Security Audits: Periodically audit security controls to ensure they are effective and up-to-date.
  - Documenting Findings: Maintain thorough documentation of risk assessments and audit findings.
  - Preserving Records: Keep records of all assessments and audits to demonstrate compliance during inspections or reviews.
- Compliance with Existing Frameworks
  Organizations that already adhere to established security frameworks will find many of the guidelines consistent with best practices. To comply, they should:
  - Leverage Existing Compliance: Utilize existing compliance efforts with frameworks such as ISO 27001:2022, the NIST Cybersecurity Framework, and PCI-DSS.
  - Align Practices: Ensure that their practices are aligned with the RBI guidelines, making necessary adjustments where required.
  - Continuous Improvement: Regularly update their security practices to stay current with evolving threats and regulatory requirements.