Cyber Security Guidelines for RBI & SEBI Compliance

For fintechs and market participants, cybersecurity is a business imperative. India’s major regulators—the Reserve Bank of India (RBI) and Securities and Exchange Board of India (SEBI)—have established strict cybersecurity frameworks to ensure financial stability.

RBI Cyber Security Framework

The RBI Master Direction on Cyber Security controls requires Banks and NBFCs to:

• Maintain a dedicated Board-approved Cyber Security Policy.
• Establish a 24x7 Security Operations Centre (SOC).
• Conduct regular VAPT (Vulnerability Assessment and Penetration Testing) by CERT-In auditors.
• Report cyber incidents within 6 hours to RBI and CERT-In.

SEBI Cybersecurity Circulars

For stock brokers and exchanges, SEBI mandates:

• Comprehensive audit of the entire IT infrastructure by a CERT-In empanelled organization.
• Strict data localization and privacy controls.
• Business Continuity Planning (BCP) and Disaster Recovery (DR) testing.
• Annual submission of a Cyber Audit Report to the SEBI Board.