
Decoding RBI Cybersecurity Framework for Non-Bank Payment Systems


Amid the rise in cybersecurity threats, the Reserve Bank of India (RBI) issued the “Master Directions on Cyber Resilience and Digital Payment Security Controls” (Master Directions) under the Payment and Settlement Systems Act, 2007[1] (PSS Act). The Master Directions were issued on 30-7-2024, in terms of Section 10(2) of the PSS Act, 2007 read with Section 18 of the PSS Act, 2007, which permits the RBI to issue directions from time to time for proper and efficient management of the payment systems.[2]

The Master Directions provide for cybersecurity measures to be adopted by non-bank payment system operators (non-bank PSOs). Non-bank PSOs will include card payment networks, payment aggregators, and prepaid payment instrument (PPI) issuers. The RBI has, in the past, issued a broad framework to be adopted by banks for ensuring technology and cyber governance.

The object of the Master Directions is to ensure a robust governance mechanism by non-bank PSOs for identification, assessment, monitoring, and management of cybersecurity risks including information security risks and vulnerabilities, and specify baseline security measures for ensuring safe and secure digital payment transactions. The Master Directions will be implemented in a phased manner depending on the size of the non-bank PSOs. The key terms of the Master Directions are as follows:

1. Governance and oversight

1.1. Role of the Board of Directors

The Board of Directors of a non-bank PSO (Board) will be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, the Board can delegate primary oversight to a sub-Committee which is required to meet at least once every quarter. The Board is accountable for enforcing the information security policy and cyber resilience framework.

1.2. Appointment of a Chief Information Security Officer

The non-bank PSO is required to appoint a “Chief Information Security Officer” (CISO) or a similar Senior Executive for continuously assessing the security preparedness of the non-bank PSO.

2. Policy Framework

2.1. The Master Directions mandate implementation of the following policies and mechanisms by the Board to address cyber and technology risk: (a) an “organisational policy” to ensure that unregulated entities dealing with non-bank PSOs also adhere to the Master Directions; (b) an “information security policy” to manage potential information security risks; (c) a “cyber crisis management plan” (CCMP) to detect, contain, respond to and recover from cyber threats; (d) a “data leak prevention policy” for confidentiality, integrity and protection of business and customer data (both in transit and at rest); (e) a policy and process to identify and implement patches to technology and software assets released by original equipment manufacturers (OEMs)/others; (f) an incident response mechanism to inform the internal stakeholders concerned of cyber threats; (g) a “business continuity plan”, which must be reviewed at least once a year; and (h) a “cloud operation policy” (as part of the information security policy) pertaining to activities that can be located on cloud servers.

Each Board and senior management will have to undertake the task of putting the aforementioned policies, mechanisms, and standard operating procedures in place to ensure compliance with the Master Directions and other RBI Guidelines on allied subject-matter. The Master Directions require the relevant guidelines from the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre to be referred to for guidance. Appointment of a CISO ensures that cybersecurity measures are actively monitored, updated, and aligned with the Master Directions. With these Master Directions coming into effect, the non-bank PSOs will be treated at par with the regulated entities (banks and financial institutions) who have often faced RBI’s whip for slacking on cybersecurity compliance.

3. Asset and vendor management

3.1. Maintenance of records for all information assets, critical functions, and third-party service providers

The Master Directions require non-bank PSOs to maintain a record of all information assets, critical functions, and third-party service providers and classify them on the basis of their criticality and business value.

3.2. Compliance with RBI’s Framework for Outsourcing of Payment and Settlement-related Activities

With respect to outsourcing to vendors, non-bank PSOs are required to adhere to the RBI Circular on Framework for Outsourcing of Payment and Settlement-related Activities by Payment System Operators (dated 3-8-2021) (PSO Outsourcing Guidelines). Further, while dealing with unregulated entities, non-bank PSOs must ensure compliance with these Master Directions by such unregulated vendors/entities, subject to mutual agreement. If the critical processes (as defined under PSO Outsourcing Guidelines) and activities are outsourced, non-bank PSOs are required to obtain assurance from an independent auditor on the vendor’s cyber resilience capabilities.

Thus, in addition to the provisions/covenants/warranties mandated in the PSO Outsourcing Guidelines, the non-bank PSOs must also obtain a clear undertaking from the service providers/vendors that they shall comply with the Master Directions. One pertinent question that arises here is the extent to which these unregulated entities are required to comply with the Master Directions. While the Master Directions mandate that non-bank PSOs shall ensure compliance by unregulated entities, they also state that such compliance is subject to mutual agreement. This creates ambiguity regarding the precise scope of compliance by unregulated entities. Additionally, while undertaking an audit, the non-bank PSOs must ensure that there is actual compliance by service providers and not merely a paper agreement. It is to be noted that the PSO Outsourcing Guidelines provided that payment system operators will undertake an audit of the service provider’s system either by internal or external auditors. However, the Master Directions require audit assurance by an independent auditor on service providers’ cyber resilience capabilities.

It is recommended that non-bank PSOs, while dealing with vendors and specifically with unregulated entities, carefully negotiate suitable indemnities and other non-monetary remedies depending on the criticality of the functions outsourced.

4. Application Security

4.1. Adoption of a “secure by design” approach in software development

The non-bank PSOs are required to follow a “secure by design” approach while developing software, i.e. the software should be developed with adequate security principles and an audit process in place to ensure that there are no security weaknesses.

4.2. Source code of critical applications from third-party vendors

As part of the application security life cycle, non-bank PSOs are required to obtain the source code of all critical applications procured from third-party vendors. In case obtaining the source code is not possible, there shall be an escrow arrangement for the source code to ensure continuity of services.

The term “critical applications” is not defined in the Master Directions. However, reference can be made to the PSO Outsourcing Guidelines, which state that “critical processes” are those that, if disrupted, shall have the potential to significantly impact the business operations, reputation, profitability, and/or customer service. The requirement of obtaining the source code or putting it in escrow is not new. A similar requirement has been imposed on banks and other RBI-regulated entities. The objective of such a requirement is that, in the event the service provider is unable to provide services for a long period, such as in an instance of insolvency of the service provider, non-bank PSOs can take control of the code and ensure that their customers are not adversely impacted, i.e. ensure business continuity. The requirement seems simple, but it has nuances regarding the practicality of access to the source code for ensuring business continuity. Providing access to the source code directly to the affected non-bank PSO is not something the service providers would prefer, especially in order to secure their intellectual property, given that the affected non-bank PSO will further allow access to the source code to a third party assisting such affected non-bank PSO in resolving the disruption.

Further, an escrow arrangement may result in additional cost for both the service provider and the non-bank PSO. Such an escrow agreement should be carefully negotiated and should specifically provide clarity on, inter alia, the following aspects:

(i) Trigger events on which the source code can be released to the non-bank PSO. Such trigger events should be extreme in nature (such as insolvency of the technical service provider), and the access should be withdrawn once the service provider is able to resume services.

(ii) Scope of access to the source code, i.e. usage only for the service to be provided to the non-bank PSO.

(iii) Access to the source code should not result in a transfer of intellectual property.

(iv) Fees, if any, for such access, to be paid to the service provider.

(v) Termination of the escrow arrangement in the event of termination/expiration of the principal service agreement.

It must be noted that gaining access to the source code may not suffice, as providing the actual service has its practical difficulties. The non-bank PSO should have the requisite resources, and the operational and management know-how, to independently continue the services. If there are issues with the service provider’s own vendors, whose application programming interfaces (APIs) are integrated into the software, non-bank PSOs may not be adequately placed to deal with such vendors and ensure continuity of services.

Further, as per the Master Directions, in the event the source code is not owned by the non-bank PSO, it is required to obtain a certificate from the developer stating that the application is free from vulnerabilities and malware. A fresh certificate shall be obtained for any changes to the source code.

The requirement of such a certificate is to ensure that the software is risk-free and to put accountability on the service provider. However, obtaining such a certificate from a service provider may be difficult. While service providers can carry out all audits and checks and balances in the course of providing services, they would prefer that the service is provided on an “as is where is” basis, to ensure that they are not penalised for cyber incidents which are not in their control.

5. Incident response

Non-bank PSOs are required to have a Board-approved incident response mechanism for reporting incidents to senior management, relevant employees, and regulatory authorities. The Master Directions further require that unusual incidents like cyberattacks, outages of critical systems/infrastructure, internal fraud, settlement delays, etc. be reported to RBI within 6 (six) hours of detection. Any such cyber incident must also be reported to CERT-In. The Master Directions provide an indicative list of cyber incidents to be reported, which includes malware attacks, ransomware attacks, and deficiencies in the internal systems of the PSO and third-party service providers.

While the intent of having a reporting requirement is appreciated, the timeline of 6 (six) hours appears not to be feasible. The incident reporting format provided under the Master Directions is a detailed one, and compliance with it may not be possible within such a short span of time. Incidents like cyberattacks require detailed investigation to understand the scope, root cause and damage, especially sophisticated cyberattacks like ransomware, which require a detailed forensic audit. Further, if non-bank PSOs are dependent on a third-party service provider, it adds another layer of complexity, as external vendors might take longer to respond, delaying the reporting process.

Concluding remarks

The Master Directions lay out comprehensive procedures, protocols, and compliances related to risk assessment and monitoring, network security, data security, business continuity, cloud security, and employee training, amongst other areas. Further, they not only emphasise the identification and allocation of risks but also the development of plans to mitigate such risks and rigorous testing of such plans. The non-bank PSOs will be required to undertake a gap analysis to update all their existing policies and procedures against the regulatory requirements. Collaboration with industry peers, cybersecurity experts, and RBI will be critical to navigate the requirements of the Master Directions.


*Partner, DSK Legal, Siddharth.suresh@dsklegal.com.

**Senior Associate, DSK Legal, prateek.singh@dsklegal.com.

[1] Payment and Settlement Systems Act, 2007.

[2] “Payment system” has been defined to mean a system that enables payment between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, and includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations.
