The Reserve Bank of India (RBI) on Tuesday issued Information Technology (IT) guidelines for regulated entities (REs), including banks and finance companies, which will come into effect from April 1, 2024.
REs have to put in place a robust IT Governance Framework covering focus areas such as strategic alignment, risk and resource management, performance management, and Business Continuity/Disaster Recovery Management.
This framework should specify the governance structure and processes necessary to meet the RE’s business/strategic objectives, according to RBI’s final master circular.
It published a draft Master Direction on the subject in October 2022, seeking public comments.
The framework will specify the roles (including authority) and responsibilities of the Board of Directors, board-level Committee, and Senior Management. It will also address the issue of adequate oversight mechanisms to ensure accountability and mitigation of IT and cyber/information security risks.
The enterprise-wide risk management policy or operational risk management policy will incorporate periodic assessments of IT-related risks (both inherent and potential risks).
The board of RE would approve the strategies and policies related to IT, Information Assets, Business Continuity, Information Security, and Cyber Security (including Incident Response and Recovery Management/Cyber Crisis Management). They should review such strategies and policies at least annually.
The RE will establish a Board-level IT Strategy Committee (ITSC), which will comprise a minimum of three directors. Its chairman would be an independent director and carry substantial expertise in managing/guiding information technology initiatives. The ITSC should meet at least on a quarterly basis, RBI said.