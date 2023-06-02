Reserve Bank of India

The Reserve Bank of India (RBI) on June 2 released draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators (PSOs).

The central bank has invited feedback on the draft from stakeholders.

The draft directions cover a governance mechanism for the identification, assessment, monitoring and management of cybersecurity risks, including information security risks and vulnerabilities, and specify baseline security measures for ensuring safe and secure digital payment transactions.

These directions aim to improve the safety and security of the payment systems operated by PSOs by providing a framework for overall information security preparedness, with an emphasis on cyber resilience, the release said.

At its monetary policy meeting on April 8, the central bank had said it would issue these directions.

As per the directions, the Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience.

However, primary oversight may be delegated to a sub-committee of the Board, which shall meet at least once every quarter.

The PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems, as well as the management of risks that have already materialised, the release added.

The PSO shall prepare a distinct Board approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond to and recover from cyber threats and cyber attacks.

Further, the PSO shall undertake a cyber risk assessment exercise before launching new products, services or technologies, or before making major changes to the infrastructure or processes of existing products or services.

The draft also states that the PSO shall ensure that all its applications are subjected to rigorous security testing, such as source code review, vulnerability assessment (VA) and penetration testing (PT), through qualified agencies, at an adequate frequency and in authenticated mode (that is, with valid credentials, so that functionality behind the login is tested, not just the unauthenticated surface).

The PSO shall also put in place a Board approved incident response mechanism, which shall include provisions to promptly notify its senior management, relevant employees, and regulatory, supervisory and other relevant public authorities of cyber incidents.