On the 24th October 2022, Regulation Asia published new requirements for regulated entities to obtain source code from vendors for critical applications or ensure a software escrow agreement is in place.
The Reserve Bank of India (RBI) said in February that it would publish the new guidelines, in response to the increasing dependence of banking customers on digital channels and the extensive use of outsourced IT services arrangements by regulated entities to gain access to newer technologies, which could expose them to “significant financial, operational and reputational risks”.
Once finalised, the new master directions will apply to all scheduled commercial banks (excluding regional rural banks); small finance banks; payments banks; NBFCs (except base layer); All India Financial Institutions; and credit information companies.
IT governance and operational resilience
The draft master directions say IT governance frameworks must clearly specify the role, authority and responsibilities of the board of directors, board level committees, and senior management, and include adequate oversight mechanisms to ensure accountability and business risk mitigation.
Regulated entities will be required to set up a board-level IT strategy committee (ITSC) with at least two directors as members, and with representation from senior managers in the IT and business functions. The ITSC meets at least quarterly to ensure an effective IT strategic planning process is in place, among other responsibilities.
Regulated entities must also establish a “robust IT service management framework” that supports their IT systems and infrastructure and ensures the operational resilience of the “entire IT environment”, including disaster recovery sites, and ensures outdated and unsupported hardware and software are not used.
Appropriate vendor risk assessment and controls should also be put in place to mitigate concentration risks, conflicts of interest, single point of failure risks, customer data protection risks, and supply chain risks.
New technologies and source code
When adopting new and emerging technologies, regulated entities shall follow a standard enterprise architecture planning methodology or framework. This should facilitate the “optimal creation, use and/or sharing of information by a business, in a way that it is secure and resilient”.
In this regard, regulated entities should maintain an enterprise-wide data dictionary that enables the sharing of data among applications and systems and promotes a common understanding of data among IT and business users.
“[Regulated entities] shall ensure that source codes for all critical applications are received from the vendors or a software escrow agreement is in place with the vendors for ensuring continuity of services in case the vendor defaults or is unable to provide services,” the RBI says.
Where the code is not owned by the regulated entity, it must obtain a certificate from application developers stating that their applications are free from known vulnerabilities, malware and “any covert channels in the code”.
New IT applications and their underlying information systems must also be subject to formal product approval and quality assurance processes which assess functionality, security, performance, and legal and regulatory compliance, the RBI says.
IT risk and information security
On IT risk management, the directions require regulated entities to define appropriate metrics for system performance, recovery and business resumption – including Recovery Point Objective (RPO) and Recovery Time Objective (RTO) – for each IT system, service and application.
The master directions also cover information security and cyber security risk, requiring regulated entities to put in place a Cyber Crisis Management Plan (CCMP) that addresses detection, response, recovery and containment.
Regulated entities will have to form a dedicated committee, led by a CISO and with representation from business and IT functions, for developing, implementing and managing information security policies, standards and procedures.
The RBI says privacy-related safeguards must be built into information management frameworks, a risk assessment must be performed on each information asset to identify threats and vulnerabilities, and security infrastructure and security policies must be reviewed at least annually.
The master directions also cover access controls, vulnerability assessments and penetration testing, incident response and recovery, business continuity, and disaster recovery, and information systems audits.
The draft directions, published here, are open for comment until 20 November. The directions will come into effect six months after they are published as final by the RBI.