
RBI announces draft cyber security norms for payment system operators

In a move to ensure safety and security of digital payments amid emerging cyber risks, the Reserve Bank of India (RBI) on Friday announced draft regulations for payment system operators (PSOs).


It proposed that such norms would be implemented from April 1, 2024, for large non-bank PSOs.

For medium-sized non-bank PSOs, the deadline for implementing the regulation will be April 1, 2026, and for smaller ones, it’s April 1, 2028.


The draft directions issued by the regulator cover robust governance mechanisms for identification, assessment, monitoring, and management of cyber security risks.

“The directions will also cover baseline security measures for ensuring system resiliency as well as safe and secure digital payment transactions,” the RBI said.


“However, they shall endeavour to migrate to the latest security standards. The existing instructions on security and risk mitigation measures for payments done using cards, Prepaid Payment Instruments (PPIs) and mobile banking continue to be applicable as hitherto,” it added.

According to the draft norms, the PSO will define appropriate key risk indicators (KRIs) to identify potential risk events and key performance indicators (KPIs) to assess the effectiveness of security controls.


The board of the PSOs has been made responsible for ensuring adequate oversight over information security risk, though the primary oversight can be delegated to a sub-committee of the board, which should meet once in a quarter, the draft norms said.

The RBI said the PSO should undertake a cyber-risk assessment exercise relating to the launch of new products, services or technologies, or to major changes to the infrastructure or processes of existing products and services.


“Action points emanating from such assessment will be implemented under the oversight of the CISO or equivalent executive,” it said.

The central bank has sought feedback on the draft norms by June 30.


The draft norms said existing instructions concerning security and risk mitigation for card payments, prepaid payment instruments (PPIs) and mobile banking will remain in effect.

The PSO has been asked to formulate a board-approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems, as well as the management of risks that have materialised. The policy should be reviewed annually.


The draft norms mandated that the PSO should develop a business continuity plan (BCP) based on different cyber threat scenarios, including extreme but plausible events to which it may be exposed. The BCP should be reviewed at least once a year and include a comprehensive cyber incident response, resumption and recovery plan, to manage cyber security events or incidents.

“The BCP shall be designed to enable rapid recovery from any adverse event and facilitate safe resumption of critical operations aligned with Recovery Time Objective (RTO) and Recovery Point Objective (RPO) while ensuring the security of processes and data. The PSO shall strive to achieve near-zero RPO,” the draft norms said, adding that a Disaster Recovery (DR) facility in a different geographical area than the Primary Data Centre (PDC).


On cyber security preparedness, the PSOs have been asked to prepare a distinct board-approved cyber crisis management plan (CCMP) to detect, contain, respond to, and recover from cyber threats and cyberattacks.

The responsibility and accountability for implementing the information security policy and the cyber resilience framework, as well as for continuously assessing the overall IS posture of the PSO, should be given to a senior-level executive such as the chief information security officer (CISO), the norms said.


The PSO should put in place measures to protect its network and systems from external threats, the draft norms said.

The PSO also has to put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information (both in transit and at rest) in respect of data available with it or at vendor-managed facilities, commensurate with the criticality and sensitivity of the information held or transmitted.


“Application and database security controls shall focus on secure handling, storage and protection of data, in particular, Personally Identifiable Information. Data in transit and rest shall be secured through either data or channel encryption or both,” the RBI said. 
