On 2 June 2023, the Reserve Bank of India issued the draft Master Directions on Cyber Resilience and Digital Security Control for Payment System Operators (Draft Directions) with the objective of effectively addressing emerging information systems and cybersecurity risks. These Draft Directions lay down the framework for installing a governance mechanism for (a) identification; (b) assessment; (c) monitoring; and (d) management of cybersecurity risks including information security risks and vulnerabilities and specify baseline security measures for ensuring safe and secure digital payment transactions. This update will briefly analyse the Draft Directions.
Applicability of the Directions:
The provisions of these Directions are applicable to all authorised non-bank Payment System Operators (PSOs) such as Gpay, Paytm, Mastercard, Visa, Rupay etc. The Draft Directions are issued in order to effectively monitor, identify, control and manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities who are part of their digital payments ecosystem.
Responsibility of Board of Directors:
The Draft Directions place the onus on the board of directors of the PSOs (Board) to formulate an Information Security Policy to manage information security risks. However, oversight of the same may be delegated to a sub-committee of the Board which shall meet at least once every quarter. Furthermore, the Board shall entrust the responsibility and accountability for implementation of the Information Security Policy and Cyberspace Resilience Framework; as well as for continuously assessing the overall information security posture of the PSO to a senior level executive e.g. Chief Information Security Officer (CISO).
The said policy shall be reviewed periodically and shall cover the minimum (a) roles of other key personnel; (b) measures to identify, assess, manage and monitor cyber security risk which also include various types of security controls for ensuring cyber resiliency along with processes for training and awareness of employees/stakeholders.
Salient Features:
The Draft Directions provide for the following information security measures:
PSOs shall prepare a distinct Board approved Cyber Crisis Management Plan to detect, contain, respond and recover from cyber threats and cyber-attacks.
The PSOs shall undertake a cyber risk assessment exercise relating to launch of new products, services, technologies or undertaking major changes to infrastructure or processes of existing product, services.
The PSOs shall maintain a record of all key roles, information assets, critical functions and processes, third-party service providers and their inter-connections and classify and document their levels of usage, criticality and business value.
The access to systems and different environments shall be based on the principle of least privilege.
The PSOs shall ensure that all its applications are subjected to rigorous security testing, such as source code review, etc through qualified agencies at adequate frequency in authenticated mode.
The PSOs shall put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information (both in transit and at rest) in respect of data available with it or at vendor managed facilities, commensurate with the criticality and sensitivity of the information held / transmitted.
The PSOs shall put in place a Board approved incident response mechanism, which shall include provisions to promptly notify its senior management, relevant employees and regulatory, supervisory and relevant public authorities, of cyber incidents.
The PSOs shall report any unusual incident including those involving cyber-attacks, outage of critical system, infrastructure, internal fraud, settlement delay etc, to the RBI in the Incident Reporting Format within 6 hours of detection. Any cyber security incident shall also be reported to CERT-In.
MHCO Comment:
The Draft Directions are a welcome step towards ensuring that the PSOs take adequate steps to protect themselves and the data available with it from emerging cyber security threats. These Draft Directions assume further significance due to the growing digital payments ecosystem in India, which is driven by a combination of government initiatives, increase in internet and smartphone usage and the rise of e-commerce.
This article was released on 12 June 2023.
The views expressed in this update are personal and should not be construed as any legal advice. Please contact us directly on +91 22 40565252 or legalupdates@mhcolaw.com for any assistance.
