CYBERSECURITY · May 2026 · 10 min read

RBI Cybersecurity Compliance for NBFCs — CERT-In Audit, 6-Hour Incident Reporting, and ISO 27001

RBI's Master Direction on IT Governance and Cyber Security for NBFCs classifies obligations by asset size and imposes a significantly higher standard on NBFC-ML entities (assets above ₹500 crore). The 6-hour material cyber incident reporting window and mandatory CERT-In empanelled annual audit are the two requirements most NBFCs are least operationally prepared for.

The Key Cybersecurity Obligations at a Glance

Obligation | Standard Required | Timeline
IT & Cybersecurity Policy | Board-approved; reviewed annually | Ongoing
Data Residency | India-only — all servers and databases | Immediate
ISMS Certification | ISO 27001:2013 (or latest version) | NBFC-ML: mandatory
Record Retention | Minimum 7 years | Ongoing
Platform Uptime SLA | 99.5% monthly minimum | Ongoing
Annual Cybersecurity Audit | CERT-In empanelled auditor only | Annual — report to Board + RBI within 3 months
Material Cyber Incident Reporting | Immediate notification to RBI | Within 6 hours of detection
Disaster Recovery Site | Hot standby mandatory | NBFC-ML: immediate
BCP Testing | Semi-annual (H1 and H2) | Twice yearly
Recovery Time Objective (RTO) | 4 hours maximum | Tested semi-annually
Recovery Point Objective (RPO) | 2 hours maximum | Tested semi-annually

The 6-Hour Window — Why Most NBFCs Cannot Currently Meet It

⚡ Critical Operational Requirement

Material cyber incidents must be reported to RBI within 6 hours of detection. This is not 6 hours from the time the incident was fully assessed — it is 6 hours from the moment the NBFC becomes aware of a potential material cyber incident.

In practice, achieving the 6-hour window requires: a 24/7 Security Operations Centre (or equivalent monitoring), a predefined classification framework for what constitutes a "material" incident, a pre-approved escalation path that reaches the designated RBI notification officer well inside the window, and a pre-drafted notification template that can be populated quickly with incident-specific details.

Most NBFCs currently operate incident response frameworks that assume a 24-48 hour assessment window before escalation. The RBI framework collapses this to 6 hours for initial notification, with a detailed report to follow. This requires a fundamental redesign of the SOC and escalation protocols.
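A minimal tracker for the clock described above, added here as an illustration and not taken from the article or from any RBI material: it starts the 6-hour window at detection time, classifies materiality against an assumed set of trigger indicators (the NBFC's own framework defines the real ones), and populates an initial notification whose field layout is likewise assumed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)  # measured from detection, not from full assessment
# Assumed materiality triggers standing in for the NBFC's own predefined classification framework.
MATERIAL_TRIGGERS = {"customer_data_exposed", "core_lending_platform_down",
                     "payment_rail_compromised", "ransomware_detected"}

@dataclass
class Incident:
    incident_id: str
    detected_at: datetime               # moment the NBFC became aware of the incident
    indicators: set = field(default_factory=set)
    summary: str = ""

    def is_material(self) -> bool:
        return bool(self.indicators & MATERIAL_TRIGGERS)

    def rbi_deadline(self) -> datetime:
        return self.detected_at + REPORTING_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.rbi_deadline() - now) / timedelta(hours=1)

    def status(self, now: datetime) -> str:
        if not self.is_material():
            return "not material: log and reassess if indicators change"
        remaining = self.hours_remaining(now)
        if remaining <= 0:
            return "WINDOW MISSED: notify RBI immediately and record the delay"
        return f"material: notify RBI within {remaining:.1f} h"

def draft_notification(inc: Incident) -> str:
    """Populate the pre-drafted initial notification (field layout is assumed)."""
    return "\n".join([
        "Initial material cyber incident notification",
        f"Incident ID: {inc.incident_id}",
        f"Detected at: {inc.detected_at.isoformat()}",
        f"Indicators: {', '.join(sorted(inc.indicators))}",
        f"Summary: {inc.summary or '[under assessment; detailed report to follow]'}",
        f"Reporting deadline: {inc.rbi_deadline().isoformat()}",
    ])

if __name__ == "__main__":
    # Constructed sample: SOC alert at 02:15 IST for ransomware on a lending host.
    inc = Incident("INC-0001", datetime(2026, 5, 4, 2, 15, tzinfo=IST),
                   {"ransomware_detected"}, "Ransom note found on loan-origination host")
    print(inc.status(datetime(2026, 5, 4, 5, 45, tzinfo=IST)))  # material: notify RBI within 2.5 h
    print(draft_notification(inc))
```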

What the CERT-In Empanelled Audit Actually Covers

The annual cybersecurity audit must be conducted by an auditor empanelled with CERT-In (the Indian Computer Emergency Response Team). The audit covers the full scope of the NBFC's IT infrastructure — not just the internet-facing systems. Key audit domains include:

Network security architecture and segmentation

Access control and privileged identity management

Vulnerability assessment and penetration testing results

Patch management and software lifecycle

Data encryption standards in transit and at rest

Incident detection and response capability

Business continuity and DR test results

Cloud security configuration (if applicable)

Third-party vendor security controls

The audit report must be placed before the Board within 3 months of the audit and submitted to RBI. Audit findings must be tracked to closure with timelines — unaddressed findings from prior audits are a significant RBI inspection risk.
