RBI on June 02, 2023 has invited comments on draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators(PSO). Comments / Feedback, if any, may be sent by email, or by post to the Chief General Manager, Department of Payment and Settlement Systems, Central Office, Reserve Bank of India, 14th Floor, Central Office Building, Shahid Bhagat Singh Road, Mumbai – 400 001, on or before June 30, 2023.
The draft Directions cover governance mechanism for identification, assessment, monitoring and management of cybersecurity risks including information security risks and vulnerabilities, and specify baseline security measures for ensuring safe and secure digital payment transactions.
The Reserve Bank of India (RBI) plays a crucial role in ensuring the stability and security of the payment and settlement systems in India. To address the evolving risks associated with cyber threats and digital payment security, the RBI has issued the “Reserve Bank of India (Cyber Resilience and Digital Payment Security Controls for PSOs) Master Directions, 2022”. These master directions aim to establish a framework for information security preparedness, with a specific emphasis on cyber resilience, for authorized non-bank Payment System Operators (PSOs). This blog post provides an overview of some key provisions outlined in the master directions.
Governance Controls
The board of directors of PSOs holds the responsibility for ensuring effective oversight of information security risks, including cyber risk and cyber resilience. However, the primary oversight can be delegated to a sub-committee of the board. The PSO is required to formulate a board-approved Information Security (IS) policy that covers roles and responsibilities, cyber risk management, security controls, and employee training and awareness.
Cyber Security Preparedness
PSOs are mandated to develop a board-approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond, and recover from cyber threats and attacks. The plan should align with relevant guidelines from CERT-In, NCIIPC, IDRBT, and other agencies.
Risk Assessment and Monitoring
PSOs must designate a senior-level executive, such as a Chief Information Security Officer (CISO), responsible for implementing the IS policy and cyber resilience framework. The PSO should establish Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to identify potential risk events and assess the effectiveness of security controls. Additionally, a cyber risk assessment exercise should be conducted before launching new products/services or making significant changes to existing infrastructure or processes.
Baseline Information Security Measures/Controls
PSOs are required to implement several measures to enhance information security. These include maintaining an inventory of key roles and information assets, establishing identity and access management policies, ensuring network security through configuration, monitoring, and intrusion detection mechanisms, following secure application development practices, conducting rigorous security testing, managing vendor risks, and implementing data security measures, among others.
Incident Response and Business Continuity:
PSOs must have a board-approved incident response mechanism to promptly notify senior management, relevant stakeholders, and regulatory authorities in the event of cyber incidents. A comprehensive Business Continuity Plan (BCP) should be developed to manage cyber security events or incidents, enabling rapid recovery and safe resumption of critical operations. Additionally, PSOs are encouraged to adopt secure Application Programming Interfaces (APIs) and conduct employee awareness training programs.
Conclusion
The RBI’s Master Directions on Cyber Resilience and Digital Payment Security Controls for PSOs outline a comprehensive framework to strengthen the safety and security of payment systems in India. PSOs are required to implement various measures related to governance controls, cyber security preparedness, risk assessment and monitoring, baseline information security measures, incident response, and business continuity. By adhering to these directions, PSOs can enhance their cyber resilience and contribute to a more secure digital payment ecosystem in the country.
The provisions of these Directions shall apply to all authorized non-bank PSOs.
