In June 2016, the RBI issued the Cyber Security Framework for Banks (RBI/2015-16/418; 4 downstream refs), the first comprehensive document mandating that every bank in India have a Board-approved cyber security policy, a dedicated Cyber Security Operations Centre, and an incident reporting mechanism to RBI-CERT. Before this, cyber security in banking was addressed through scattered IT governance circulars, audit requirements, and technology risk management guidelines.
406 notifications in this extract touch IT governance, cyber security, business continuity, and technology infrastructure — from Core Banking Solution implementation at UCBs to vulnerability assessment mandates. Only 33 are unique to this topic; the rest overlap with entity-specific directions (every UCB, RRB, NBFC, and commercial bank direction now includes technology and cyber provisions).
See also: Digital Payments (payment security) | Co-operative Banks (UCB CBS rollout) | Regional Rural Banks (RRB technology)
For the full narrative — from the Bangladesh Bank heist to the November 2025 consolidation — see How the RBI Protects Banks From Cyber Attacks.
Key Cyber Security-Specific Notifications
Cyber Security Framework (June 2016): Cyber Security Framework for Banks RBI/2015-16/418 (4 downstream refs) — mandated cyber security policy, SOC, CISO appointment, and incident reporting for all banks.
System Audit by CISA Auditors (December 2010): UCB System Audit by CISA Auditors RBI/2010-11/340 (4 downstream refs) — required UCBs to submit system audit reports from CISA-qualified auditors.
BCP and Vulnerability Assessment for UCBs (June 2013): UCB BCP and Vulnerability Assessment RBI/2012-13/547 (2 downstream refs) — Business Continuity Planning, vulnerability assessment, and penetration testing mandates for UCBs.
CBS Implementation for UCBs (March 2013): UCB Core Banking Solution Directive RBI/2012-13/437 — the directive that pushed UCBs to implement Core Banking Solutions, connecting technology infrastructure to every other regulatory domain (KYC, deposit, lending, reporting).
System-Based Asset Classification for UCBs (August 2020): UCB System-Based Asset Classification RBI/2020-21/23 (since withdrawn) — mandated automated NPA classification through the CBS system, eliminating manual overrides that had enabled fraud (as in the PMC Bank case).
The November 2025 Integration
The November 2025 entity-specific directions embed cyber security and IT governance provisions directly into credit facilities, responsible business conduct, and governance directions for every entity type — making cyber compliance inseparable from banking compliance.
The January 2011 Working Group report on information security, electronic banking, and cyber frauds — chaired by G. Gopalakrishna — provided the foundational recommendations that shaped the 2016 Cyber Security Framework and every subsequent technology risk mandate: RBI Releases Report of Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (PR_23789).
Last updated: April 2026