If you are a bank, NBFC, market intermediary, insurer or a technology provider to any of them, cybersecurity is no longer merely good practice — it is a supervised obligation. India’s three main financial regulators have each raised their expectations, and the real challenge is less any single rule than the sheer pace at which the rules evolve and multiply. This post is a high-level orientation to help you find your footing across all three, and a practical approach to staying current without drowning in circulars.
Why the regulators tightened the rules
The financial sector runs on trust and on technology, and both are now under sustained attack. Digitisation has expanded the attack surface dramatically: mobile banking, digital lending, third-party fintech integrations and cloud adoption have all moved faster than many institutions’ controls. Regulators have responded by treating cyber risk as systemic risk — something that can threaten not just a single firm but confidence in the system as a whole. That framing explains the recurring insistence on board-level accountability and independent assurance.
Reserve Bank of India (RBI)
The RBI sets detailed expectations for banks, NBFCs and other regulated entities across IT governance, information security, risk management, and IT and information-system audit. Recent directions have pushed harder on IT governance, with the board and senior management explicitly accountable; on outsourcing and third-party risk, recognising that a firm’s exposure now includes its vendors; and on digital-lending controls, with data-protection and customer-protection safeguards. The common thread is accountability you can evidence: it is not enough that controls exist; leadership must own them, and independent IS audit on a defined cadence must confirm they work.
Securities and Exchange Board of India (SEBI)
SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) consolidates and raises the bar for regulated entities in the securities market. It introduces graded obligations scaled to the size and nature of the entity, defined timelines, and self-certification for certain categories. Its defining theme is resilience — the ability to withstand and recover from an incident, not merely to defend against one. That reflects a wider shift in regulatory thinking: breaches are treated as a matter of “when,” so the capacity to keep operating and bounce back is assessed alongside prevention.
Insurance Regulatory and Development Authority of India (IRDAI)
IRDAI’s information and cybersecurity expectations apply to insurers and intermediaries, covering governance, controls, assurance and periodic audit. As with the RBI and SEBI, independent audit and demonstrable governance are the recurring themes. Insurers hold vast quantities of sensitive personal and health data, which raises the stakes on both security and, increasingly, privacy — an area where the DPDPA and IRDAI’s expectations now reinforce each other.
Specifics change often. Circulars, thresholds and deadlines in this space are updated regularly, and obligations depend heavily on your exact entity classification. Use this as a map, not a checklist, and confirm the current requirements applicable to your entity type before you plan around them.
The common threads
Look across all three regulators and the same expectations recur, which is genuinely good news for anyone trying to plan a coherent programme rather than chasing each circular in isolation:
- Board-level ownership of cyber risk, with governance you can evidence.
- A defined information-security programme proportionate to your size and activities.
- Independent audit on a regular cadence, with findings tracked to closure rather than noted and forgotten.
- Third-party and outsourcing oversight, because your risk now includes your vendors and partners.
- Incident readiness and resilience, not just preventive controls.
Staying current without drowning in circulars
- Know your entity type. Obligations are graded, so the first task is to pin down exactly which apply to you — and to revisit that as your business grows or changes classification.
- Build once, map to many. A strong ISO 27001-based programme satisfies much of what these frameworks ask; map its controls across each regulator’s requirements rather than building separate schemes that duplicate effort and drift apart.
- Treat audit as continuous. Independent assessment and remediation on a defined cadence is expected across all three — make it a routine rhythm, not an annual fire drill.
- Keep a compliance calendar. Several requirements are time-bound; a simple, maintained calendar of obligations and deadlines prevents the unpleasant surprises that come from a missed filing.
- Assign clear ownership. Someone senior needs to be accountable for tracking regulatory change and translating it into action, so that new circulars land on a desk rather than in a void.
The takeaway
The organisations that cope best treat regulatory change as a standing process rather than a periodic scramble — with clear ownership, a control framework that maps to multiple regulators at once, and a partner who tracks the detail so leadership can focus on the business. The pace of change will not slow; the durable answer is a programme built to absorb it.