RBI issues draft directions for safe and secure transactions
On Friday the Reserve Bank of India (RBI) issued a draft master directions on cyber resilience and digital payment security controls for payment system operators.
The draft guidelines cover governance mechanisms for the identification, assessment, monitoring, and management of cybersecurity risks including information security risks and vulnerabilities, and specify baseline security measures for ensuring safe and secure digital payment transactions.
The central bank has sought comments on the draft guidelines till June 30. These can be sent through email or post to the Chief General Manager, Department of Payment and Settlement Systems, Central Office, RBI in Mumbai.
On April 8, the RBI announced that it will issue directions on cyber resilience and payment security controls of payment system operators (PSOs).
“To effectively identify, monitor, control and manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities who are part of their digital payments ecosystem (like payment gateways, third-party service providers, vendors, merchants, etc.), PSOs shall ensure adherence to these Directions by such unregulated entities as well, subject to mutual agreement. An organizational policy in this respect, approved by the Board, shall be put in place,” the guidelines say.
It is the board of directors of PSOs who will be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary oversight may be delegated to a sub-committee of the board which shall meet at least once every quarter.
Also, the PSO shall formulate a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialized, they said further.
The policy is to be reviewed annually.
It shall cover the roles and responsibilities of the board or sub-committees of the board, senior management, and other key personnel; measures to identify, assess, manage, and monitor cyber security risks which shall also include various types of security controls for ensuring cyber resiliency along with processes for training and awareness of employees or stakeholders.
Also, the RBI has asked PSOs to prepare a distinct Board-approved cyber crisis management plan (CCMP) to detect, contain, respond, and recover from cyber threats and cyber-attacks.
Relevant guidelines from CERT-In or National Critical Information Infrastructure Protection Centre (NCIIPC) or IDRBT and other agencies may be referred for guidance, it said.
In addition to this, the PSO shall undertake a cyber risk assessment exercise relating to the launch of new products or services, or technologies or undertaking major changes to the infrastructure or processes of existing products or services.
[With Inputs from IANS]
PGurus is now on Telegram. Click here to join our channel and stay updated with all the latest news and views
For all the latest updates, download PGurus App.
