RBI places norms on cyber resilience and digital payment for PSOs, seeks comments on draft till June 30
RBI has released a draft on cyber resilience and digital payment security controls for payment system operators, inviting feedback until June 30, 2023. Key directions include a board-approved Information Security policy and Cyber Crisis Management Plan among others
PremiumThe Reserve Bank of India (RBI) on Friday placed a master direction draft on cyber resilience and digital payment security controls for payment system operators, The central bank invited feedback on the draft. The due date for the comments is on or before June 30, 2023.
The comments or feedback can be sent through email, or by post to the Chief General Manager, Department of Payment and Settlement Systems, Central Office, Reserve Bank of India in Mumbai.
The draft directions cover governance mechanisms for the identification, assessment, monitoring, and management of cybersecurity risks including information security risks and vulnerabilities, and specify baseline security measures for ensuring safe and secure digital payment transactions.
On April 8, 2022, RBI announced that it will issue directions on Cyber Resilience and Payment Security Controls of Payment System Operators (PSOs).
Some of the key directions are:
Under the draft, RBI said, "to effectively identify, monitor, control and manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities who are part of their digital payments ecosystem (like payment gateways, third-party service providers, vendors, merchants, etc.), PSOs shall ensure adherence to these Directions by such unregulated entities as well, subject to mutual agreement. An organizational policy in this respect, approved by the Board, shall be put in place."
It is the board of directors of PSOs who will be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the Board which shall meet at least once every quarter.
Also, the PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised.
Read here: Coal India OFS over-subscribed by 417%, Centre to get more than ₹4,000 crore
The policy is asked to be reviewed annually. It shall cover the minimum -- (i) roles and responsibilities of Board/ sub-committees of the Board, senior management, and other key personnel; (ii) measures to identify, assess, manage, and monitor cyber security risks which shall also include various types of security controls for ensuring cyber resiliency along with processes for training and awareness of employees/stakeholders.
Also, RBI has asked PSOs to prepare a distinct Board-approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond, and recover from cyber threats and cyber-attacks. Relevant guidelines from CERT-In / National Critical Information Infrastructure Protection Centre (NCIIPC) / IDRBT and other agencies may be referred for guidance.
Further, the board will entrust the responsibility and accountability for implementing the IS policy and the cyber resilience framework as well as for continuously assessing the overall IS posture of PSO to a senior-level executive. [e.g. Chief Information Security Officer (CISO)].
Read here: Auto Q4 result review: Stable demand, rural recovery drive growth; What to expect going ahead
The PSO shall define appropriate Key Risk Indicators (KRIs) to identify potential risk events and Key Performance Indicators (KPIs) to assess the effectiveness of security controls, as per the guidelines.
Moreover, the PSO shall undertake a cyber risk assessment exercise relating to the launch of new products/services/technologies or undertaking major changes to the infrastructure or processes of existing product/services. Action points emanating from such assessment shall be implemented under the oversight of the CISO or equivalent executive.
"Exciting news! Mint is now on WhatsApp Channels 🚀 Subscribe today by clicking the link and stay updated with the latest financial insights!" Click here!
