
India’s financial regulators — the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), and Insurance Regulatory and Development Authority of India (IRDAI) — have established stringent cybersecurity guidelines for regulated entities (REs). These frameworks emphasize strong governance and timely incident reporting.
The RBI’s Master Direction on IT Governance (2023) mandates that each RE appoint a Chief Information Security Officer (CISO) who is a senior employee and independent of the IT Head. The CISO is tasked with cybersecurity strategy, risk management, and regulatory reporting via the Daksh portal.
Importantly, Daksh access is restricted to employees, reflecting RBI’s emphasis on internal accountability. The RBI also requires that significant cyber incidents be reported within 2–6 hours, under guidelines issued through RBI/2015-16/418.
A virtual CISO (vCISO), typically an external consultant, does not meet the employee requirement, posing a compliance issue. vCISOs are not permitted direct access to regulatory portals, and RBI regulations do not explicitly accommodate their involvement.
Similarly, SEBI’s Cybersecurity and Cyber Resilience Framework (2024) and IRDAI’s Information and Cyber Security Guidelines (2023) place reporting responsibilities squarely on internal CISOs. These frameworks do not recognize external vCISOs for incident reporting roles.
To align with these regulations, REs must formally appoint an internal employee as the official CISO. The vCISO can contribute to cybersecurity strategy and operations but cannot directly interface with regulatory authorities.
Thus, while vCISOs bring specialized expertise, they must operate within clearly structured roles that satisfy Indian BFSI cybersecurity mandates and do not conflict with the required internal CISO framework.