The Reserve Bank of India (RBI) on Friday proposed to establish robust governance mechanisms for authorised non-bank payment system operators (PSOs) to effectively address emerging cybersecurity risks. Towards this goal, the central bank has issued a ‘Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators’.
The draft directions cover governance mechanisms for the identification, assessment, monitoring and management of cybersecurity risks, including information security risks and vulnerabilities. They also specify baseline security measures to ensure safe and secure digital payment transactions. The central bank said existing instructions concerning security and risk mitigation for card payments, prepaid payment instruments (PPIs) and mobile banking will remain in effect.
“To effectively identify, monitor, control and manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities, who are part of their digital payments ecosystem, PSOs shall ensure adherence to these Directions by such unregulated entities as well, subject to a mutual agreement,” the draft directions said. The RBI has invited stakeholders to provide comments and feedback on the draft by June 30.
“The Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience,” the draft said.
Additionally, as per the draft, PSOs will be required to develop an approved Cyber Crisis Management Plan (CCMP) to detect, contain, respond to, and recover from cyber threats and attacks. It further highlights the importance of inventory management, where PSOs should maintain records of key roles, information assets, critical functions, processes, third-party service providers, and their interconnections, and document their levels of usage, criticality and business value. It also covers network security, application security life cycle (ASLC), security testing, vendor risk management, business continuity plans and other key issues.
Regarding data security, the draft stipulates that PSOs must implement a comprehensive data leak prevention policy to ensure the confidentiality, integrity, availability and protection of business and customer information, both within the PSO’s control and at vendor-managed facilities.