Master Direction - Information Technology Framework for the NBFC Sector - ఆర్బిఐ - Reserve Bank of India
RBI/DNBS/2016-17/53

June 08, 2017

Master Direction - Information Technology Framework for the NBFC Sector

In exercise of the powers conferred in terms of clause (b) of sub-section (1) of section 45-L of the Reserve Bank of India Act, 1934 (Act 2 of 1934), the Reserve Bank of India, being satisfied that for the purpose of enabling it to regulate the credit system of the country to its advantage it is necessary so to do, hereby issues the Master Directions - Information Technology Framework for the NBFC Sector, 2017 hereinafter specified.

(Dr. Sathyan David)

Enclosure: Information Technology Framework for NBFC Sector - Directions
Introduction

1. The NBFC (Non-Banking Finance Company) sector has grown in size and complexity over the years. As the NBFC industry matures and achieves scale, its Information Technology / Information Security (IT/IS) framework, Business Continuity Planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must be benchmarked to best practices.

2. Accordingly, directions on the IT Framework for the NBFC sector, which are expected to enhance safety, security and efficiency in processes leading to benefits for NBFCs and their customers, are enclosed. NBFCs may have already implemented or may be implementing some of the requirements indicated in the circular. NBFCs are therefore required to conduct a formal gap analysis between their current status and the stipulations as laid out in the circular and put in place a time-bound action plan to address the gap and comply with the guidelines.

3. The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The directions are categorized into two parts: those which are applicable to all NBFCs with asset size above ₹ 500 crore (considered Systemically Important) are provided in Section-A. Directions for NBFCs with asset size below ₹ 500 crore are provided in Section-B.

4. NBFCs may place these directions before their Board, together with a gap analysis vis-a-vis the Master Direction and the proposed action, by September 30, 2017.

5. NBFCs - Systemically Important shall comply with the Master Directions by June 30, 2018 and other NBFCs (asset size below ₹ 500 crore) shall comply by September 30, 2018.

1. IT Governance

IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the NBFC's IT sustains and extends business strategies and objectives.
Effective IT Governance is the responsibility of the Board of Directors and Executive Management. Well-defined roles and responsibilities of the Board and Senior Management are critical while implementing IT Governance. Clearly defined roles enable effective project control. People, when they are aware of others' expectations from them, are able to complete work on time, within budget and to the expected level of quality.

IT Governance stakeholders include: Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking), Chief Risk Officer and Risk Committees.

The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of the governance framework. IT Governance has a continuous life-cycle. It is a process in which IT strategy drives the processes, using the resources necessary to execute responsibilities. Given the criticality of IT, NBFCs may follow relevant aspects of such prudential governance standards that have found acceptability in the finance industry.

1.1 IT Strategy Committee

NBFCs are required to form an IT Strategy Committee. The chairman of the committee shall be an independent director and the CIO and CTO should be part of the committee. The IT Strategy Committee should meet at an appropriate frequency, but not more than six months should elapse between two meetings. The Committee shall work in partnership with other Board committees and Senior Management to provide input to them. It will also review and amend the IT strategies in line with the corporate strategies, Board policy reviews, cyber security arrangements and any other matter related to IT Governance. Its deliberations may be placed before the Board.
1.2 Roles and Responsibilities of IT Strategy Committee: Some of the roles and responsibilities include:
2. NBFCs may formulate a Board approved IT policy, in line with the objectives of their organisation comprising the following:
INFORMATION AND CYBER SECURITY

3. Information Security

Information is an asset to all NBFCs and Information Security (IS) refers to the protection of these assets in order to achieve organizational goals. The purpose of IS is to control access to sensitive information, ensuring use only by legitimate users so that data cannot be read or compromised without proper authorization. NBFCs must have a Board approved IS Policy with the following basic tenets:
3.1 The IS Policy must provide for an IS framework with the following basic tenets:
3.2 Cyber Security

Need for a Board approved Cyber-security Policy: NBFCs should put in place a cyber-security policy elucidating the strategy, containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk, duly approved by their Board. NBFCs should review the organisational arrangements so that security concerns are appreciated, receive adequate attention and get escalated to appropriate levels in the hierarchy to enable quick action.

3.3 Vulnerability Management

A vulnerability can be defined as a flaw or weakness in the design, implementation or configuration of an organization's information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization or otherwise compromise its systems. Vulnerability management is an ongoing process of identifying such vulnerabilities and eliminating or mitigating them based upon the risk and cost associated with each vulnerability. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy.

3.4 Cyber security preparedness indicators

The adequacy of and adherence to the cyber resilience framework should be assessed and measured through the development of indicators to assess the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness among the stakeholders, including employees, may also form a part of this assessment.

3.5 Cyber Crisis Management Plan

A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment.
NBFCs need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond to, recover from and contain the fallout. NBFCs are expected to be well prepared to face emerging cyber-threats such as 'zero-day' attacks, remote access threats, and targeted attacks. Among other things, NBFCs should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of service (DDoS), ransomware / cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

3.6 Sharing of information on cyber-security incidents with RBI

NBFCs are required to report all types of unusual security incidents as specified in point No. 2 of Annex I, which deals with Basic Information including Cyber Security Incidents as specified in the CSIR Form of Annex I (both the successful incidents as well as the attempted incidents which did not fructify), to the DNBS Central Office, Mumbai. The other particulars of the reporting have been provided in the template as per Annex I.

3.7 Cyber-security awareness among stakeholders / Top Management / Board

It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This will require a high level of awareness among staff at all levels. Top Management and the Board should also have a fair degree of awareness of the finer nuances of the threats, and appropriate familiarisation may be organized. NBFCs should proactively promote, among their customers, vendors, service providers and other relevant stakeholders, an understanding of their cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing.
3.8 Digital Signatures

A Digital Signature Certificate binds a signing key to an entity and thereby authenticates the entity's identity electronically. A digital signature provides a high level of assurance for online transactions by ensuring the authenticity and integrity of the information exchanged, and by preventing the signer from later repudiating it; it does not by itself keep that information private, which requires encryption in addition to the signature. NBFCs may consider the use of digital signatures to protect the authenticity and integrity of important electronic documents and also for high value fund transfers.

3.9 IT Risk Assessment

NBFCs should undertake a comprehensive risk assessment of their IT systems at least on a yearly basis. The assessment should analyse the threats and vulnerabilities to the information technology assets of the NBFC and its existing security controls and processes. The outcome of the exercise should be to find out the risks present and to determine the appropriate level of controls necessary for appropriate mitigation of the risks. The risk assessment should be brought to the notice of the Chief Risk Officer (CRO), the CIO and the Board of the NBFC and should serve as an input for Information Security auditors.

3.10 Mobile Financial Services

NBFCs that are already using or intending to use Mobile Financial Services should develop a mechanism for safeguarding the information assets that are used by mobile applications to provide services to customers. The technology used for mobile services should ensure confidentiality, integrity and authenticity and must provide for end-to-end encryption.

3.11 Social Media Risks

NBFCs using Social Media to market their products should be well equipped in handling social media risks and threats. As Social Media accounts are vulnerable to account takeovers and malware distribution, proper controls, such as encryption, secure connections and strong authentication for the NBFC's own accounts, should be in place to mitigate such risks.

3.12 Training

The human link is the weakest link in the information security chain. Hence, there is a vital need for an initial and ongoing training and information security awareness programme.
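As a worked illustration of paragraph 3.8 above (an added example, not part of the Master Direction or of any RBI system): a detached signature over a document lets the receiver detect any alteration and tie the document to the holder of the signing key, yet the signed bytes remain readable by anyone who intercepts them. The Ed25519 scheme, the in-memory key pair and the sample transfer instruction are all assumptions made for this example; a production deployment would use keys bound to a Digital Signature Certificate and held in protected hardware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// GenerateKeys creates a fresh Ed25519 key pair. Assumption for the example:
// in a real deployment the private key would live in an HSM or smart card and
// the public key would be distributed through a Digital Signature Certificate.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument produces a detached signature over the exact bytes of doc.
// The document itself is not transformed: whoever receives doc can read it.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyDocument reports whether sig is a valid signature by pub over doc.
// A change of even one bit in doc, a signature made with a different key, or a
// malformed signature all make this return false.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		// ed25519.Verify panics on a wrong-sized key; fail closed instead.
		return false
	}
	return ed25519.Verify(pub, doc, sig)
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}

	// Constructed sample: a high-value transfer instruction as it might be signed.
	doc := []byte("Transfer INR 5,00,00,000 from account A to account B; ref 2017-0608")
	sig := SignDocument(priv, doc)
	fmt.Println("original verifies:", VerifyDocument(pub, doc, sig)) // true

	// Flipping one bit of the amount invalidates the signature.
	tampered := append([]byte(nil), doc...)
	tampered[13] ^= 0x01
	fmt.Println("tampered verifies:", VerifyDocument(pub, tampered, sig)) // false

	// A signature checked against some other party's key is rejected too.
	otherPub, _, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	fmt.Println("other key verifies:", VerifyDocument(otherPub, doc, sig)) // false

	// What the signature does not do: the instruction travels in the clear.
	// Confidentiality requires encryption on top of the signature.
	fmt.Printf("signed content as transmitted: %s\n", doc)
}
```

The verify step is the control an NBFC relies on at the receiving end: a payment system should refuse to act on an instruction whose signature does not verify under the expected public key, rather than log the failure and proceed.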
The programme may be periodically updated keeping in view changes in the information technology system, threats/vulnerabilities and/or the information security framework. There needs to be a mechanism to track the effectiveness of training programmes through an assessment / testing process. At any point of time, NBFCs need to maintain an updated status on user training and awareness relating to information security.

4. IT Operations

IT Operations should support the processing and storage of information, such that the required information is available in a timely, reliable, secure and resilient manner. The Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance, and then establish and monitor policies for risk management.

4.1 Acquisition and Development of Information Systems (New Application Software) and Change Management

It has been the experience while implementing IT projects that many systems fail because of poor system design and implementation, as well as inadequate testing. NBFCs should identify system deficiencies and defects at the system design, development and testing phases. NBFCs should establish a steering committee, consisting of business owners, the development team and other stakeholders, to provide oversight and monitoring of the progress of the project, including the deliverables to be realized at each phase of the project and the milestones to be reached according to the project timetable.

4.2 NBFCs are required to realign their IT systems on a regular basis in line with the changing needs of their customers and business. The changes need to be made in such a way that adverse incidents and disruption to services are minimized while maximizing value for the customers. For this purpose, NBFCs should develop, with the approval of their Board, a Change Management Policy that encompasses the following:
It should be the responsibility of senior management to ensure that the Change Management policy is being followed on an ongoing basis.

4.3 IT Enabled Management Information System

The IT function of an NBFC should support a robust and comprehensive Management Information System (MIS) in respect of various business functions as per the needs of the business. A good MIS should take care of information needs at all levels in the business, including top management.

4.4 NBFCs may put in place an MIS that assists the Top Management as well as the business heads in decision making and also in maintaining oversight over the operations of the various business verticals. With robust IT systems in place, NBFCs may have the following as part of an effective system generated MIS (indicative list):
4.5 MIS for Supervisory requirements

The MIS that helps management in taking strategic decisions shall also assist in generating the required information/returns for the supervisor. The present structure of the reporting system (to the supervisor) needs to be kept in view while designing the MIS. All regulatory/supervisory returns should be system driven; there should be seamless integration between the MIS system of the NBFC and reporting under COSMOS. Further, it is essential that "Read Only" access be provided to RBI Inspectors.

5. Policy for Information System Audit (IS Audit)

The objective of the IS Audit is to provide an insight on the effectiveness of the controls that are in place to ensure the confidentiality, integrity and availability of the organization's IT infrastructure. IS Audit shall identify risks, and methods to mitigate risks, arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications, etc.

5.1 IS Audit should form an integral part of the Internal Audit system of the NBFC. While designing the IS framework, NBFCs shall refer to guidance issued by professional bodies like ISACA, IIA and ICAI in this regard. ICAI has published "Standard on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment" on the subject. NBFCs shall adopt an IS Audit framework duly approved by their Board. Further, NBFCs shall have adequately skilled personnel in the Audit Committee who can understand the results of the IS Audit.

5.2 Coverage: IS Audit should cover the effectiveness of policy and oversight of IT systems, evaluate the adequacy of processes and internal controls, recommend corrective action to address deficiencies and follow up. IS Audit should also evaluate the effectiveness of business continuity planning and the disaster recovery set-up, and ensure that the BCP is effectively implemented in the organization.
During the process of IS Audit, due importance shall be given to compliance with all the applicable legal and statutory requirements.

5.3 Personnel - IS Audit may be conducted by an internal team of the NBFC. In case of inadequate internal skills, NBFCs may appoint an outside agency having enough expertise in the area of IT/IS audit for the purpose. There should be a right mix of skills and understanding of legal and regulatory requirements so as to assess the efficacy of the framework vis-à-vis these standards. IS Auditors should act independently of the NBFC's Management, both in attitude and in appearance. In case of engagement of external professional service providers, independence and accountability issues may be properly addressed.

5.4 Periodicity - The periodicity of IS audit should ideally be based on the size and operations of the NBFC, but the audit may be conducted at least once in a year. IS Audit should be undertaken preferably prior to the statutory audit so that IS audit reports are available to the statutory auditors well in time for examination and for incorporating comments, if any, in the audit reports.

5.5 Reporting - The framework should clearly prescribe the reporting framework, whether to the Board or a Committee of the Board, viz. the Audit Committee of the Board (ACB).

5.6 Compliance - The NBFC's management is responsible for deciding the appropriate action to be taken in response to the observations and recommendations reported during the IS Audit. Responsibilities for compliance/sustenance of compliance, reporting lines, timelines for submission of compliance and authority for accepting compliance should be clearly delineated in the framework. The framework may provide for audit-mode access for auditors / inspecting / regulatory authorities.

5.7 Computer-Assisted Audit Techniques (CAATs): NBFCs shall adopt a proper mix of manual techniques and CAATs for conducting IS Audit.
CAATs may be used in critical areas (such as detection of revenue leakage, treasury functions, assessing the impact of control weaknesses, monitoring customer transactions under AML requirements and generally in areas where a large volume of transactions are reported), particularly for critical functions or processes having financial/regulatory/legal implications.

6. Business Continuity Planning (BCP) and Disaster Recovery

BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure the continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFCs should adopt a Board approved BCP Policy. The functioning of the BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for the formulation, review and monitoring of the BCP to ensure its continued effectiveness. The BCP may have the following salient features:

6.1 Business Impact Analysis - NBFCs shall first identify critical business verticals, locations and shared resources to come up with a detailed Business Impact Analysis. The process will envisage the impact of any unforeseen natural or man-made disasters on the NBFC's business. The entity shall clearly list the business impact areas in order of priority.

6.2 Recovery strategy / Contingency Plan - NBFCs shall try to fully understand the vulnerabilities associated with the interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Various options should be evaluated for recovery and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster.

6.3 NBFCs shall consider the need to put in place the necessary backup sites for their critical business systems and data centres.
6.4 NBFCs shall test the BCP either annually or when significant IT or business changes take place, to determine whether the entity could be recovered to an acceptable level of business within the timeframe stated in the contingency plan. The test should be based on 'worst case scenarios'. The results, along with the gap analysis, may be placed before the CIO and the Board. The gap analysis, along with the Board's insight, should form the basis for construction of the updated BCP.

7. Policy for IT Services Outsourcing

Outsourcing of IT related business processes can provide an NBFC the opportunity to realise valuable strategic and economic benefits. However, prior to the commencement of any outsourcing arrangement, careful consideration of risks, threats, contractual arrangements and regulatory compliance obligations must take place. Companies usually outsource their IT related business processes to a third party vendor because of higher efficiency, inadequate resources and lack of specialized knowledge. The NBFC's decision to outsource IT Services should fit into the institution's overall strategic plan and corporate objectives.

7.1 The terms and conditions governing the contract between the NBFC and the outsourcing service provider should be carefully defined in written agreements and vetted by the NBFC's legal counsel as to their legal effect and enforceability. The contractual agreement may have the following provisions.

a) Monitoring and Oversight: Provide for continuous monitoring and assessment by the NBFC of the service provider so that any necessary corrective measure can be taken immediately. The outsourcing service provider should have adequate systems and procedures in place to ensure protection of the data/application outsourced.

b) Access to books and records / Audit and Inspection: This would include:
7.2 The Board and senior management are ultimately responsible for 'outsourcing operations' and for managing the risks inherent in such outsourcing relationships. The Board of Directors of the NBFC is responsible for effective due diligence, oversight and management of outsourcing and is accountable for all outsourcing decisions. The Board and the IT Strategy Committee have the responsibility to institute an effective governance mechanism and risk management process for all IT outsourced operations.

7.3 The role of the IT Strategy Committee in respect of outsourced operations shall include:
Section-B: Recommendations for NBFCs with asset size below ₹ 500 crore

8. It is recommended that smaller NBFCs may start with developing basic IT systems, mainly for maintaining the database. NBFCs having asset size below ₹ 500 crore shall have a Board approved Information Technology policy / Information System policy. This policy may be designed considering the undermentioned basic standards and the same shall be put in place by September 30, 2018. The IT systems shall have:
8.1 IT Systems should be progressively scaled up as the size and complexity of the NBFC's operations increases.