In February 2016, hackers used stolen SWIFT credentials to send thirty-five fraudulent transfer requests from Bangladesh Bank's account at the Federal Reserve Bank of New York. They got away with $81 million before a spelling error in one request triggered a manual review that stopped the rest. The attackers had been inside the bank's systems for weeks, had disabled the SWIFT confirmation printer, and had timed the heist for a weekend when staff were off duty.
Why did a heist in Dhaka change banking regulation in Mumbai? Because Indian banks use the same SWIFT network, run the same messaging infrastructure, and face the same threat actors. Within months, the RBI had launched the most comprehensive overhaul of cyber security regulation in Indian banking history.
What did the RBI require before 2016?
The foundation was thin. In April 2011, the RBI issued a circular implementing the Gopalakrishna Committee recommendations on information security, electronic banking, and technology risk management. That committee had examined technology risks across the banking system and recommended controls for electronic banking, IT governance, and cyber fraud prevention. Banks were told to implement the recommendations, but the circular functioned as guidance rather than enforceable mandate. There was no requirement for a dedicated cyber security policy, no mandated Chief Information Security Officer, no incident reporting timeline, and no operational security centre.
Why was this inadequate? Because banks were digitising at speed — rolling out internet banking, mobile apps, and core banking solutions — while treating security as a subset of general IT policy. The RBI issued a circular on Business Continuity Planning, Vulnerability Assessment, and Penetration Testing in June 2013, and had required system audit reports from CISA-qualified auditors for payment system operators in December 2010. But these were piecemeal — each circular amended or supplemented the prior one without consolidating into a single framework. No single document told a bank: here is your minimum cyber security baseline, here is who is responsible, and here is what you report.
What changed with the 2016 Cyber Security Framework?
On June 2, 2016, the RBI issued the Cyber Security Framework in Banks, addressed to all scheduled commercial banks. The circular opened by acknowledging what the Bangladesh Bank heist had made undeniable:
"The number, frequency and impact of cyber incidents / attacks have increased manifold in the recent past, more so in the case of financial sector including banks, underlining the urgent need to put in place a robust cyber security/resilience framework at banks and to ensure adequate cyber-security preparedness among banks on a continuous basis."
The framework imposed six structural requirements. First, every bank had to adopt a Board-approved cyber security policy — distinct from its general IT policy — by September 30, 2016. Why distinct? Because the RBI recognised that lumping cyber risk into general IT governance diluted accountability:
"The Cyber Security Policy should be distinct and separate from the broader IT policy / IS Security policy so that it can highlight the risks from cyber threats and the measures to address / mitigate these risks."
Second, every bank had to appoint a Chief Information Security Officer (CISO). Third, every bank had to establish a Cyber Security Operations Centre (C-SOC) for continuous monitoring. Fourth, banks had to implement a Cyber Crisis Management Plan addressing detection, response, recovery, and containment. Fifth, the framework mandated baseline security controls — network segmentation, access controls, vulnerability assessment, penetration testing, and data loss prevention. Sixth, it established mandatory incident reporting.
Why does incident reporting matter more than any technical control?
Because regulators cannot protect a system they cannot see. The 2016 framework required banks to report cyber incidents to the RBI's CSITE Cell and to CERT-In within two to six hours of detection, depending on severity. Before this mandate, banks had every incentive to conceal breaches — disclosure risked reputational damage, depositor panic, and regulatory scrutiny.
The RBI made the cost of concealment higher than the cost of disclosure. When Yes Bank failed to report an information security incident involving its ATMs within the prescribed timeframe, the RBI imposed a penalty of Rs 60 million in October 2017. The penalty was explicitly for "delayed reporting of information security incident involving ATMs of the bank." The RBI would treat non-reporting as seriously as the underlying breach.
What did the Bangladesh Bank heist mean for SWIFT controls specifically?
The Bangladesh heist exploited SWIFT messaging infrastructure — the system banks use to send irrevocable payment instructions across borders. Indian banks use the same system. The RBI responded with specific operational controls for SWIFT-connected banks: segregation of SWIFT terminals from the general banking network, mandatory reconciliation of SWIFT messages with core banking records, and multi-factor authentication for operators.
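The reconciliation control described above, as an added example that is not code from the page or from the RBI: a check that every outgoing SWIFT instruction is backed by an identical, approved debit in the core banking ledger, so that an instruction injected at the SWIFT terminal without a core banking origin is flagged. The record layouts, field names and sample values are constructed simplifications, not real SWIFT message formats.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed, simplified records; real SWIFT messages carry many more fields.
@dataclass(frozen=True)
class SwiftMessage:
    reference: str     # bank's own transaction reference carried in the message
    amount: Decimal
    currency: str
    beneficiary: str   # beneficiary account identifier

@dataclass(frozen=True)
class LedgerEntry:
    reference: str
    amount: Decimal
    currency: str
    beneficiary: str
    approved: bool     # maker-checker approval recorded in core banking

def reconcile(messages, ledger):
    """Return (reference, reason) for each outgoing SWIFT message that is not
    backed by an identical, approved debit in the core banking ledger."""
    by_ref = {e.reference: e for e in ledger}
    findings = []
    for m in messages:
        e = by_ref.get(m.reference)
        if e is None:
            # The Bangladesh pattern: an instruction sent from the SWIFT
            # terminal that never originated in core banking.
            findings.append((m.reference, "no core banking record"))
        elif (m.amount, m.currency, m.beneficiary) != (e.amount, e.currency, e.beneficiary):
            findings.append((m.reference, "amount, currency or beneficiary mismatch"))
        elif not e.approved:
            findings.append((m.reference, "debit not approved in core banking"))
    return findings

# Constructed sample data (not real transactions).
SAMPLE_MESSAGES = [
    SwiftMessage("TRN001", Decimal("250000.00"), "USD", "ACC-9001"),
    SwiftMessage("TRN002", Decimal("20000000.00"), "USD", "ACC-4411"),  # no ledger entry
    SwiftMessage("TRN003", Decimal("9500000.00"), "USD", "ACC-7722"),   # amount altered
    SwiftMessage("TRN004", Decimal("120000.00"), "EUR", "ACC-3305"),    # never approved
]
SAMPLE_LEDGER = [
    LedgerEntry("TRN001", Decimal("250000.00"), "USD", "ACC-9001", approved=True),
    LedgerEntry("TRN003", Decimal("950000.00"), "USD", "ACC-7722", approved=True),
    LedgerEntry("TRN004", Decimal("120000.00"), "EUR", "ACC-3305", approved=False),
]

if __name__ == "__main__":
    for reference, reason in reconcile(SAMPLE_MESSAGES, SAMPLE_LEDGER):
        print(f"{reference}: {reason}")
```

Run continuously against the outgoing message queue rather than end of day, since the heist relied on a weekend gap before anyone compared the two records.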
When Union Bank of India was found to have generated seven fraudulent SWIFT messages totalling $171 million in 2016, the examination revealed systemic deficiencies in its cyber security framework, and the bank was penalised Rs 10 lakh. When the Indian operations of SBM Bank (Mauritius) failed to implement SWIFT controls, the RBI imposed a penalty of Rs 3 crore — specifically for non-compliance with "Time-bound implementation and strengthening of SWIFT-related operational controls."
How did the framework extend to cooperative banks?
The 2016 framework applied only to scheduled commercial banks. Cooperative banks — smaller, less resourced, often running older technology — were left out initially. Why? Because imposing the same controls on a UCB with ten branches and a commercial bank with ten thousand would have been impractical. But leaving cooperative banks unprotected was untenable, because attackers target the weakest node in any network.
The RBI solved this in two stages. In October 2018, it issued the Basic Cyber Security Framework for UCBs, prescribing minimum controls calibrated to smaller institutions. In December 2019, it issued the Comprehensive Cyber Security Framework for UCBs — A Graded Approach, tiering requirements by digital depth and asset size. Level I UCBs (basic digital services) had lighter obligations; Level IV UCBs (offering internet banking, mobile banking, and UPI) had to meet controls approaching the commercial bank standard.
Does the framework actually have teeth?
The penalty record answers this. Corporation Bank: Rs 1 crore, July 2019, for cyber security and fraud reporting failures. Bank of Bahrain & Kuwait: Rs 2.66 crore, December 2022 — exclusively for cyber security framework violations. Dombivli Nagari Sahakari Bank: Rs 50 lakh, June 2023, for failing both basic and comprehensive UCB cyber frameworks. Bank of Maharashtra: Rs 1.27 crore, August 2024, for violations spanning loan delivery, cyber security, and KYC. As recently as July 2025, Smriti Nagrik Sahakari Bank: Rs 2.5 lakh for failing the comprehensive UCB cyber framework.
Why does this trail matter? Because a regulation without enforcement is a suggestion. The RBI has penalised commercial banks, foreign banks, and cooperative banks across multiple years — demonstrating that the enforcement machinery treats cyber security as seriously as capital adequacy or KYC.
What specific cyber controls must banks implement?
The 2016 framework did not merely announce principles — it prescribed an operational checklist. The Cyber Security Framework in Banks required banks to act on six fronts simultaneously, each with a defined timeline.
First, a Board-approved cyber security policy, distinct from general IT policy, by September 30, 2016. Second, a designated Chief Information Security Officer (CISO) responsible for articulating and enforcing the policy. Third, a Security Operations Centre (SOC) for continuous, real-time monitoring. The circular mandated:
"Testing for vulnerabilities at reasonable intervals of time is very important. The nature of cyber-attacks are such that they can occur at any time and in a manner that may not have been anticipated. Hence, it is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not yet been done. It is also essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats."
Fourth, a Cyber Crisis Management Plan (CCMP) addressing four specific phases — detection, response, recovery, and containment. The framework listed the threat categories banks must prepare for: denial of service, DDoS, ransomware, destructive malware, business email fraud, spear phishing, whaling, vishing, drive-by downloads, and ghost administrator exploits. Fifth, comprehensive network and database security — the circular specifically noted that temporary network connections opened for business purposes often remained open due to oversight, creating attack surfaces. Sixth, customer data protection, with banks required to preserve confidentiality, integrity, and availability of customer information regardless of where it resides — in the bank's own systems, in transit, or with third-party vendors.
The framework also mandated that banks report all cyber-security incidents — including unsuccessful attempts — to the RBI and participate in collective threat intelligence through IB-CART. The CISO was required to submit a gap assessment to the RBI's CSITE Cell by July 31, 2016 — less than two months after the circular was issued.
What happens when a bank's cyber defences fail?
The penalty record demonstrates that the RBI treats cyber security failures as seriously as capital or KYC violations — and does not distinguish between large commercial banks and small cooperatives.
The Mehsana Urban Co-operative Bank provides a recent example. On July 3, 2024, the RBI imposed a penalty of Rs 5.93 crore on Mehsana UCB for multiple violations, including that the bank had:
"not implemented certain basic cyber security control measures and requirements under the Cyber Security Framework prescribed by RBI"
The penalty covered five distinct violations — director-related lending, cyber security, NPA classification, KYC, and donations to interested trusts — but the inclusion of cyber security as a standalone charge confirmed that the RBI's inspection teams now audit cyber controls as a routine part of statutory examination. Mehsana had been penalised for director-related lending before; it had not fixed its cyber posture either. The compound penalty sent a message: repeat non-compliance across multiple domains will attract cumulative consequences.
Why is IT governance a board-level responsibility?
Because a cyber breach that takes down payment systems or compromises customer data is not an IT problem — it is a solvency problem. The RBI mandates that every bank's board constitute an IT Strategy Committee at the board level and an IT Steering Committee at the management level. The board committee sets the technology vision, approves the information security policy, and monitors cyber risk. The management committee executes.
Why the two-tier structure? Because boards provide oversight and resource allocation, while management provides implementation. The Information Systems audit — conducted by CISA-qualified auditors — closes the loop by verifying that what the board approved is what management actually deployed.
What did the November 2025 consolidation change?
The November 2025 consolidation — which withdrew 9,445 circulars and superseded the earlier standalone IT frameworks with 244 entity-specific Master Directions — absorbed cyber security and IT governance provisions directly into the governance directions for every entity type. The Commercial Banks Governance Directions, 2025, for example, now include technology governance requirements alongside board composition, fit-and-proper criteria, and risk management standards. Similar governance directions were issued for Urban Cooperative Banks, Regional Rural Banks, Non-Banking Financial Companies, and Small Finance Banks.
Why does this matter? Because before November 2025, a bank could treat cyber compliance as a standalone exercise — assign it to the IT department, tick the boxes, move on. After November 2025, cyber resilience provisions sit inside the same direction that governs board composition, audit committees, and risk management. A compliance officer reviewing the governance direction cannot avoid the technology provisions.
What does the full chain look like?
The architecture runs in a clear sequence: the 2011 Gopalakrishna Committee circular established the principle. The 2016 framework converted it into enforceable mandates. SWIFT controls addressed the specific infrastructure the Bangladesh heist had exposed. The 2018-2019 UCB frameworks extended coverage to cooperative banks. Penalties from 2017 onwards proved enforcement credibility. And the November 2025 consolidation embedded cyber security into entity-specific governance directions, making it inseparable from banking regulation.
The reference timeline for the full cyber security and IT framework traces every notification in this chain. What started as a reaction to an $81 million heist in Bangladesh has become one of the most actively enforced domains in Indian banking regulation.
Last updated: April 2026