The top 10 cyber risk gaps in Indian banks in 2026 are: weak IT governance frameworks, inadequate third-party vendor risk management, delayed patch and vulnerability management, insufficient cyber incident detection and response, poor employee cyber awareness, incomplete data privacy and DPDP compliance, mobile and digital banking security control gaps, inadequate network segmentation, untested business continuity and disaster recovery plans, and immature cloud security governance. Each of these areas is subject to scrutiny under RBI’s cybersecurity framework, IT governance master directions, and the newly released draft consolidated framework for bank control functions.
TABLE OF CONTENTS
- Why Cyber Risk Is Now a Board-Level Issue in Indian Banks
- How to Use This Checklist
- Gap 1 — IT Governance and Cyber Risk Framework
- Gap 2 — Third-Party and Vendor Cyber Risk
- Gap 3 — Patch and Vulnerability Management
- Gap 4 — Cyber Incident Detection, Response and RBI Reporting
- Gap 5 — Employee Cyber Awareness and Phishing Resilience
- Gap 6 — Data Privacy, Localisation and DPDP Compliance
- Gap 7 — Mobile and Digital Banking Security Controls
- Gap 8 — Network Security and Segmentation
- Gap 9 — Business Continuity, DR and Cyber Resilience
- Gap 10 — Cloud Security and Data Governance
- Master Compliance Checklist: All 10 Gaps at a Glance
- Frequently Asked Questions
- How RMAI Can Help Your Team Close These Gaps
1. Why Cyber Risk Is Now a Board-Level Issue in Indian Banks
Indian banks are operating in the most complex cyber threat environment in their history. Digital payment volumes have crossed record highs. Core banking systems are increasingly cloud-connected. Third-party fintech integrations have multiplied. And ransomware, phishing, and insider threats are growing in sophistication and frequency.
Against this backdrop, RBI has significantly raised its supervisory expectations. The recent draft consolidated framework for bank control functions — covering Risk Management, Compliance, and Internal Audit — signals that cyber and IT risk governance is no longer a technology department issue. It is a board-level, audit-committee-level, and CRO-level accountability.
Yet across Indian banks — particularly mid-sized private banks, co-operative banks, urban co-operative banks (UCBs), regional rural banks (RRBs), and NBFCs — the same ten cyber risk gaps keep appearing during RBI IT examinations, internal audits, and risk assessments.
This article names all ten, explains what RBI expects, and gives your team a practical checklist to assess your current compliance posture.
2. How to Use This Checklist
This checklist is designed for three audiences:
- Risk and Compliance Teams — to assess current gaps against RBI expectations
- IT and CISO Teams — to identify technical control deficiencies
- Internal Auditors — to use as a structured audit framework for cyber risk reviews
For each gap, we identify the risk, the RBI expectation, and a set of checklist items your institution should be able to answer with evidence — not just policy documents.
Compliance posture scoring:
- Fully addressed with documented evidence
- Partially addressed — policy exists but implementation is incomplete
- Not addressed — significant gap requiring immediate action
3. Gap 1 — IT Governance and Cyber Risk Framework
What Is This Gap?
IT governance is the set of structures, policies, and oversight mechanisms that ensure an institution’s technology and cyber risk decisions are made at the right level, with the right accountability, and in alignment with RBI’s expectations.
Many Indian banks have cybersecurity policies on paper but lack the governance architecture to operationalise them — no board-level IT/risk committee agenda item for cyber risk, no defined risk appetite for cyber incidents, and no structured connection between IT risk findings and the Risk Management Committee.
What RBI Expects
RBI’s Master Direction on IT Governance, Risk, Controls and Assurance Practices requires banks to establish board-approved IT governance frameworks with defined roles for the Board, IT Strategy Committee, and senior management. RBI’s draft consolidated framework for control functions (2025–26) further reinforces that risk management, compliance, and internal audit must function as integrated, independent control layers — not siloed functions.
Compliance Checklist — Gap 1
- Board-approved IT risk and cybersecurity policy, reviewed in the last 12 months
- IT Strategy Committee or equivalent with defined charter and meeting frequency
- Cyber risk explicitly included in the institution’s Risk Appetite Statement (RAS)
- CRO or equivalent has direct visibility of IT and cyber risk reporting
- Cyber risk integrated into ICAAP and capital planning discussions
- Annual IT risk assessment conducted and presented to Board/Audit Committee
4. Gap 2 — Third-Party and Vendor Cyber Risk
What Is This Gap?
Banks increasingly depend on third-party IT vendors, cloud providers, payment processors, fintech partners, and business correspondents (BCs) to deliver core functions. Each of these dependencies creates a cyber risk exposure that most Indian banks are not systematically assessing or monitoring.
The gap is not awareness — most banks know vendor risk exists. The gap is structured governance: documented vendor risk tiers, periodic cyber assessments of critical vendors, contractual security requirements, and exit strategies.
What RBI Expects
RBI’s outsourcing guidelines and IT governance master directions require banks to conduct due diligence before onboarding IT service providers, include security requirements in contracts, monitor vendor performance continuously, and maintain the ability to exit a vendor without operational disruption. Critical IT outsourcing arrangements require specific RBI notifications.
Compliance Checklist — Gap 2
- All IT vendors classified by risk tier (critical, important, standard)
- Cyber risk due diligence conducted before onboarding new vendors
- Contracts with critical vendors include minimum security standards and right-to-audit clauses
- Periodic security assessments conducted for critical/important vendors
- Vendor concentration risk assessed — no single vendor dependency for mission-critical functions
- Exit strategies and transition plans documented for all critical vendors
- BC ecosystem cyber risk assessed — field device security, data handling, authentication controls
5. Gap 3 — Patch and Vulnerability Management
What Is This Gap?
Unpatched software is consistently one of the most exploited attack vectors in banking cyber incidents globally — and in India. Banks run complex, multi-layered technology environments: core banking systems, internet banking platforms, mobile apps, ATM networks, and internal enterprise systems. Keeping all of these patched, current, and vulnerability-free requires a structured, tracked, and auditable process.
Many Indian banks — particularly mid-sized and smaller institutions — operate on legacy core banking systems that are difficult to patch without downtime, creating prolonged exposure windows.
What RBI Expects
RBI requires banks to have a formal patch management policy with defined timelines for critical, high, medium, and low severity patches. Critical vulnerabilities must be remediated within defined timelines. Vulnerability assessments and penetration testing (VAPT) must be conducted periodically by certified assessors.
Compliance Checklist — Gap 3
- Formal patch management policy with severity-based timelines documented
- Complete and current inventory of all hardware and software assets
- Automated vulnerability scanning running across the network regularly
- VAPT conducted by CERT-In empanelled vendors at defined frequency
- Critical patch remediation timelines being met and tracked
- Legacy system risk formally accepted by senior management with compensating controls documented
- Patch compliance rate reported to IT Committee / Risk Committee
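The severity-tiered timelines, the time-bound risk acceptance for legacy systems and the compliance rate reported to committee, worked through as an added example that is not code from the article or from RMAI. The SLA figures, asset names and vulnerability identifiers are constructed assumptions; a bank would substitute its own approved policy timelines and its scanner export.

```python
"""Patch-SLA tracker for a severity-tiered patch policy (added example, not
code from the article or RMAI; timelines, assets and ids are constructed)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: days allowed from detection to remediation, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
COMPLIANT = {"remediated", "within_sla", "risk_accepted"}


@dataclass
class Finding:
    asset: str
    vuln_id: str                      # placeholder ids, e.g. "VULN-001"
    severity: str
    detected: date
    remediated: Optional[date] = None
    # Legacy systems that cannot be patched need a time-bound, documented
    # risk acceptance with compensating controls (Gap 3 checklist item).
    risk_accepted_until: Optional[date] = None
    compensating_control: str = ""


def classify(f: Finding, today: date) -> str:
    """Status: remediated, remediated_late, within_sla, overdue,
    risk_accepted or policy_error (severity not covered by the policy)."""
    if f.severity not in SLA_DAYS:
        return "policy_error"
    deadline = f.detected + timedelta(days=SLA_DAYS[f.severity])
    if f.remediated is not None:
        return "remediated" if f.remediated <= deadline else "remediated_late"
    if f.risk_accepted_until and f.compensating_control:
        # An expired acceptance reopens the exposure window.
        return "risk_accepted" if today <= f.risk_accepted_until else "overdue"
    return "within_sla" if today <= deadline else "overdue"


def report(findings, today: date) -> dict:
    """Counts per status, compliance rate and overdue list for a committee pack."""
    statuses = {f.vuln_id: classify(f, today) for f in findings}
    counts = Counter(statuses.values())
    overdue = sorted((f.severity, f.asset) for f in findings
                     if statuses[f.vuln_id] == "overdue")
    rate = sum(counts[s] for s in COMPLIANT) / len(findings) if findings else 1.0
    return {"counts": dict(counts), "compliance_rate": rate, "overdue": overdue}


# Constructed sample scanner export; dates and ids are illustrative only.
AS_OF = date(2026, 3, 1)
SAMPLE_FINDINGS = [
    Finding("internet-banking-web", "VULN-001", "critical", date(2026, 2, 20),
            remediated=date(2026, 2, 25)),
    Finding("branch-file-server", "VULN-002", "critical", date(2026, 2, 10),
            remediated=date(2026, 2, 28)),
    Finding("atm-switch", "VULN-003", "high", date(2026, 1, 15)),
    Finding("hr-portal", "VULN-004", "medium", date(2026, 1, 20)),
    Finding("legacy-cbs-node", "VULN-005", "critical", date(2026, 2, 1),
            risk_accepted_until=date(2026, 6, 30),
            compensating_control="isolated VLAN, IPS virtual patch"),
    Finding("legacy-cbs-batch", "VULN-006", "critical", date(2025, 12, 1),
            risk_accepted_until=date(2026, 1, 31),
            compensating_control="isolated VLAN"),
]

if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS, AS_OF))
```

Note that a late remediation and an expired risk acceptance both count against the rate, which is what makes the figure honest when presented to the IT or Risk Committee.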
6. Gap 4 — Cyber Incident Detection, Response and RBI Reporting
What Is This Gap?
Detecting a cyber attack quickly — and responding effectively — is what separates a contained security event from a crisis that triggers regulatory action, customer harm, and reputational damage. The gap in most Indian banks is not that they lack antivirus software. It is that they lack a 24/7 Security Operations Centre (SOC) capability, documented incident response playbooks, and a clear process for escalating and reporting cyber incidents to RBI within the required timeframe.
What RBI Expects
RBI’s cybersecurity framework requires banks to report cyber security incidents to RBI within specified timeframes — including near-misses. Banks must have documented Incident Response Plans (IRPs), conduct tabletop exercises to test them, and maintain forensic capability to investigate incidents. RBI expects banks to share cyber incident data with CERT-In and the Indian Banks’ CERT (IB-CERT) platform.
Compliance Checklist — Gap 4
- 24/7 Security Operations Centre (SOC) — in-house or managed — operational
- Incident Response Plan (IRP) documented, approved, and version-controlled
- Incident severity classification framework defined (P1 to P4 or equivalent)
- RBI cyber incident reporting process documented with timelines and responsible owners
- IB-CERT and CERT-In reporting process embedded in IRP
- Tabletop exercise or cyber drill conducted in the last 12 months
- Post-incident review process documented and lessons fed back into controls
7. Gap 5 — Employee Cyber Awareness and Phishing Resilience
What Is This Gap?
Human error and social engineering remain the leading cause of cyber incidents in Indian banking. Phishing emails, vishing calls, smishing attacks, and pretexting scams target bank employees at all levels — from tellers to senior management. The gap in most institutions is not that they have never conducted security awareness training. It is that training is infrequent, generic, and not tested through simulated phishing campaigns.
What RBI Expects
RBI requires banks to conduct periodic cyber security awareness training for all employees and ensure that training programmes are updated to reflect current threat typologies. Senior management and Board members are specifically required to receive cyber risk awareness inputs — recognising that they are often high-value phishing targets.
Compliance Checklist — Gap 5
- Annual mandatory cyber awareness training for all employees — with completion tracking
- Role-specific training for IT staff, finance teams, and senior management
- Simulated phishing campaigns conducted — at least quarterly
- Phishing click rates tracked and used to identify high-risk employee groups
- Board and senior management cyber awareness briefing conducted annually
- Training content updated to reflect current threat landscape (not generic annual refresh)
- New joiner cyber induction training before system access is granted
8. Gap 6 — Data Privacy, Localisation and DPDP Compliance
What Is This Gap?
Indian banks face dual data obligations in 2026: RBI’s longstanding data localisation requirements for payments data, and the newer Digital Personal Data Protection (DPDP) Act 2023, which creates obligations around consent management, data principal rights, purpose limitation, and breach notification for personal data. Many banks are still in the early stages of building the governance infrastructure to comply with both simultaneously.
What RBI Expects and What DPDP Requires
RBI mandates that all payments data of Indian customers must be stored only within India — with strict conditions on cross-border data sharing. The DPDP Act 2023 requires banks (as “data fiduciaries”) to obtain explicit consent for data processing, enable data principals to access and correct their data, report personal data breaches to the Data Protection Board within defined timelines, and appoint a Data Protection Officer (DPO) where required.
Compliance Checklist — Gap 6
- Data inventory/data map completed — all personal and payments data classified and located
- Payments data localisation confirmed — all payments data stored within India
- Cross-border data transfer policy documented and compliant with RBI and DPDP requirements
- DPDP consent management framework implemented for customer-facing systems
- Data Principal rights process operational (access, correction, erasure requests)
- Personal data breach response and Data Protection Board reporting process documented
- DPO appointed and empowered (if applicable under DPDP Act thresholds)
- Vendor data processing agreements updated for DPDP compliance
9. Gap 7 — Mobile and Digital Banking Security Controls
What Is This Gap?
Mobile banking and UPI have transformed how customers interact with Indian banks. But rapid digital adoption has outpaced security control implementation in many institutions. The gaps include: weak authentication on mobile apps, inadequate fraud detection for UPI transactions, insecure APIs connecting mobile front-ends to core banking systems, and insufficient monitoring of digital transaction anomalies.
What RBI Expects
RBI’s guidelines on Digital Payment Security Controls mandate specific technical security requirements for internet banking, mobile banking, and payment applications — including multi-factor authentication, transaction monitoring, device binding, and end-to-end encryption. Mobile application security testing is required before launch and after significant updates.
Compliance Checklist — Gap 7
10. Gap 8 — Network Security and Segmentation
What Is This Gap?
A flat or poorly segmented network is a cyber attacker’s dream — once inside, they can move laterally across systems without significant barriers. Many Indian banks, particularly those that have grown quickly through branch expansion or digital channels, have networks where core banking systems, internet-facing systems, ATM networks, and internal office networks are not adequately separated.
What RBI Expects
RBI’s IT governance and cybersecurity frameworks require banks to implement network segmentation between critical and non-critical systems, deploy firewalls and intrusion detection/prevention systems (IDS/IPS) at key boundaries, and conduct periodic network security reviews. Access controls between network zones must be documented and enforced.
Compliance Checklist — Gap 8
- Network segmentation architecture documented — DMZ, core banking, internal, ATM network clearly separated
- Firewall rules reviewed and recertified in the last six months
- Intrusion Detection/Prevention System (IDS/IPS) deployed and monitored
- Wireless network security — guest and corporate networks separated
- Remote access secured via VPN with MFA — no direct RDP or unencrypted remote access
- Network access control (NAC) implemented for devices connecting to bank network
- Annual network penetration test conducted by certified third party
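The "documented and enforced" zone access controls and the six-month firewall recertification item, turned into a rule-base review as an added example that is not code from the article or from RMAI. The zone names, the allowed-flow matrix and the sample rules are constructed assumptions standing in for a bank's own documented architecture and exported firewall rule base.

```python
"""Firewall-rule review against a documented zone segmentation policy (added
example, not code from the article or RMAI; zones, allowed flows, the
six-month window and the rule base are constructed assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed architecture: which source zone may initiate traffic to which
# destination zone. Any allow rule outside this set contradicts the policy.
ALLOWED_FLOWS = {
    ("internet", "dmz"),
    ("dmz", "core_banking"),
    ("internal", "dmz"),
    ("internal", "core_banking"),
    ("atm", "core_banking"),
}
RECERT_WINDOW = timedelta(days=182)   # "recertified in the last six months"


@dataclass
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    service: str                      # e.g. "tcp/443"; "any" is over-broad
    last_recertified: date
    action: str = "allow"


def review_rule(rule: Rule, today: date) -> list:
    """Findings for one rule; an empty list means the rule is clean."""
    findings = []
    if rule.action != "allow":
        return findings               # deny rules open no path between zones
    if (rule.src_zone, rule.dst_zone) not in ALLOWED_FLOWS:
        findings.append("flow_not_in_segmentation_policy")
    if rule.src_zone == "internet" and rule.dst_zone != "dmz":
        findings.append("internet_bypasses_dmz")
    if rule.service == "any":
        findings.append("service_any")
    if today - rule.last_recertified > RECERT_WINDOW:
        findings.append("recertification_overdue")
    return findings


def review_ruleset(rules, today: date) -> dict:
    """Map rule_id -> findings for every rule that has at least one."""
    return {r.rule_id: f for r in rules if (f := review_rule(r, today))}


# Constructed sample rule base as of the review date; ids are illustrative.
REVIEW_DATE = date(2026, 3, 1)
SAMPLE_RULES = [
    Rule("FW-001", "internet", "dmz", "tcp/443", date(2026, 1, 10)),
    Rule("FW-002", "dmz", "core_banking", "tcp/8443", date(2025, 7, 1)),
    Rule("FW-003", "internet", "core_banking", "tcp/1521", date(2026, 2, 1)),
    Rule("FW-004", "internal", "atm", "any", date(2026, 2, 15)),
    Rule("FW-005", "atm", "core_banking", "tcp/443", date(2026, 2, 20)),
    Rule("FW-006", "internet", "core_banking", "any", date(2025, 1, 1), "deny"),
]

if __name__ == "__main__":
    for rule_id, findings in review_ruleset(SAMPLE_RULES, REVIEW_DATE).items():
        print(rule_id, ", ".join(findings))
```

Each finding maps back to a checklist item, so the output doubles as audit evidence that the documented segmentation is actually enforced in the rule base rather than only drawn in an architecture diagram.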
11. Gap 9 — Business Continuity, DR and Cyber Resilience
What Is This Gap?
Business Continuity Planning (BCP) and Disaster Recovery (DR) have historically been designed for natural disasters, power failures, and hardware failures. In 2026, the dominant threat is cyber — ransomware, DDoS attacks, and data destruction events. Most Indian banks’ BCP/DR plans have not been updated to specifically address cyber-triggered disruption scenarios, leaving them with recovery frameworks that do not work when the incident is a ransomware attack encrypting backup systems.
What RBI Expects
RBI requires banks to maintain documented BCP and DR plans with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems. Plans must be tested periodically — including through full DR drills — and updated when technology or business changes occur. Cyber resilience scenarios must be incorporated into BCP testing.
Compliance Checklist — Gap 9
- BCP and DR plans updated in the last 12 months — including cyber incident scenarios
- RTOs and RPOs defined for all critical banking systems
- Backup systems tested — including restoration testing (not just backup creation)
- Backups stored offline or in air-gapped environment — ransomware cannot reach them
- Full DR drill conducted in the last 12 months with results documented
- Cyber-specific BCP scenario (ransomware, DDoS, data loss) tested in tabletop
- Third-party dependencies mapped in BCP — vendor failure scenarios included
- BCP/DR plan shared with and approved by Board/Audit Committee
12. Gap 10 — Cloud Security and Data Governance
What Is This Gap?
Cloud adoption in Indian banking is accelerating — for data analytics, customer platforms, testing environments, and increasingly for production workloads. But cloud creates new governance challenges: shared responsibility confusion (what the bank owns vs what the cloud provider owns), data residency complexity, multi-cloud sprawl, and the absence of exit strategies. Many banks have moved to cloud faster than their governance frameworks have evolved to cover it.
What RBI Expects
RBI’s guidelines on IT outsourcing and cloud adoption require banks to conduct risk assessments before migrating to cloud, ensure data localisation requirements are met for all regulated data, maintain the right to audit cloud service providers, and have documented exit strategies for cloud arrangements. Banks must not allow cloud adoption to compromise their ability to comply with RBI examinations or data access requirements.
Compliance Checklist — Gap 10
- Cloud risk assessment conducted before every new cloud adoption
- Shared responsibility matrix documented with each cloud provider
- Data classification applied — regulated/sensitive data identified and governed separately in cloud
- Data residency confirmed — all RBI-regulated data within Indian borders or compliant with RBI conditions
- Right-to-audit clause in all cloud service agreements
- Exit/migration strategy documented for each cloud provider
- Cloud access management — privileged access governed and monitored
- Cloud security posture management (CSPM) tool or process in place
13. Master Compliance Checklist: All 10 Gaps at a Glance
| # | Cyber Risk Gap | Risk Level | RBI Framework Anchor | Quick Status |
|---|---|---|---|---|
| 1 | IT Governance & Cyber Risk Framework | 🔴 Critical | IT Governance Master Direction, Draft Control Functions Framework | ✅ ⚠️ ❌ |
| 2 | Third-Party & Vendor Cyber Risk | 🔴 Critical | Outsourcing Guidelines, IT Governance MD | ✅ ⚠️ ❌ |
| 3 | Patch & Vulnerability Management | 🔴 Critical | Cyber Security Framework, IT Governance MD | ✅ ⚠️ ❌ |
| 4 | Incident Detection, Response & Reporting | 🔴 Critical | Cyber Security Framework, CERT-In | ✅ ⚠️ ❌ |
| 5 | Employee Cyber Awareness & Phishing | 🟠 High | Cyber Security Framework | ✅ ⚠️ ❌ |
| 6 | Data Privacy, Localisation & DPDP | 🔴 Critical | RBI Data Localisation, DPDP Act 2023 | ✅ ⚠️ ❌ |
| 7 | Mobile & Digital Banking Security | 🟠 High | Digital Payment Security Controls | ✅ ⚠️ ❌ |
| 8 | Network Security & Segmentation | 🟠 High | IT Governance MD, Cyber Security Framework | ✅ ⚠️ ❌ |
| 9 | Business Continuity, DR & Cyber Resilience | 🟠 High | BCP/DR Guidelines, IT Governance MD | ✅ ⚠️ ❌ |
| 10 | Cloud Security & Data Governance | 🟡 Medium-High | IT Outsourcing Guidelines, Cloud Guidance | ✅ ⚠️ ❌ |
Legend: 🔴 Critical — direct RBI examination finding risk | 🟠 High — significant compliance gap | 🟡 Medium-High — emerging regulatory focus area
Status Key: ✅ Fully addressed | ⚠️ Partially addressed | ❌ Not addressed
14. Frequently Asked Questions
Q1: What are the most common cyber risk gaps found in Indian banks?
The most common cyber risk gaps found in Indian banks are inadequate IT governance frameworks, weak third-party vendor risk management, delayed patch and vulnerability management, insufficient cyber incident response capability, and poor employee cyber awareness. These gaps are consistently identified in RBI IT examination findings and internal audit reports across public sector banks, private banks, co-operative banks, and NBFCs.
Q2: What does RBI require Indian banks to do for cyber security compliance?
RBI requires Indian banks to maintain board-approved cybersecurity policies, establish Security Operations Centres (SOC) for 24/7 threat monitoring, conduct periodic Vulnerability Assessment and Penetration Testing (VAPT) by CERT-In empanelled vendors, report cyber incidents within defined timeframes to RBI and CERT-In, implement specific digital payment security controls, and ensure data localisation for all payments data. These requirements are governed by RBI’s Cyber Security Framework, Master Direction on IT Governance, and Digital Payment Security Controls guidelines.
Q3: What is the DPDP Act and how does it affect Indian banks?
The Digital Personal Data Protection (DPDP) Act 2023 is India’s primary data protection law. It affects Indian banks by requiring them to obtain explicit consent before processing customer personal data, enable customers to access and correct their data, report personal data breaches to the Data Protection Board of India within defined timelines, and appoint a Data Protection Officer (DPO) if they qualify as “Significant Data Fiduciaries.” Banks must comply with both DPDP Act requirements and RBI’s data localisation mandates simultaneously.
Q4: How often should Indian banks conduct VAPT?
Indian banks should conduct Vulnerability Assessment and Penetration Testing (VAPT) at least annually for all critical systems, and additionally before the launch of new digital products or after significant technology changes. VAPT must be conducted by CERT-In empanelled security auditors. Mobile banking applications should be tested before every major release.
Q5: What is RBI’s draft consolidated framework for bank control functions?
RBI’s draft consolidated framework for bank control functions is a recent regulatory development that proposes an integrated oversight structure for a bank’s three key control functions — Risk Management, Compliance, and Internal Audit. The framework aims to ensure these functions operate independently, report to the right governance bodies, and collectively provide a robust defence against risk, compliance, and audit failures. For IT and cyber risk teams, this framework reinforces that cyber risk must be embedded within the Risk Management function’s reporting lines — not treated as a standalone IT department matter.
Q6: What is a Security Operations Centre (SOC) and does my bank need one?
A Security Operations Centre (SOC) is a team and technology infrastructure dedicated to monitoring, detecting, and responding to cyber security threats on a 24/7 basis. RBI expects banks to have SOC capability — either an in-house SOC or a managed SOC through a qualified third-party provider. Smaller banks and UCBs may opt for managed SOC services, but they must ensure the provider meets RBI’s security and data localisation requirements and that incident escalation and reporting processes are clearly defined.
Q7: How can bank employees be trained to reduce cyber risk?
Bank employees can be trained to reduce cyber risk through mandatory annual cyber security awareness programmes covering phishing, social engineering, safe internet use, and password hygiene. Supplementing classroom or e-learning training with simulated phishing campaigns — where employees receive fake phishing emails to test their response — is highly effective. Role-specific training for IT staff, finance teams, and senior management is also required. RBI expects cyber awareness training to be updated regularly to reflect current threat patterns, not remain as a generic annual exercise.
15. How RMAI Can Help Your Team Close These Gaps
Closing cyber risk gaps in Indian banks requires more than policy documents. It requires a risk team, compliance function, and IT team that genuinely understand the threat landscape, the RBI framework, and what “good” looks like in practice.
Smart Online Course — the e-learning platform of the Risk Management Association of India — offers a comprehensive suite of cyber and digital risk courses purpose-built for the Indian BFSI sector:
| Course | Who It’s For |
|---|---|
| Cyber Security in Banking | Risk officers, IT teams, compliance |
| Risk Management for Artificial Intelligence | CROs, IT governance teams |
| Responsible AI Risk Management using AI NIST Framework | Risk and audit professionals |
| FinTech Risk Management & Governance | Risk, compliance, digital banking teams |
| Regulatory Technology (RegTech) | Compliance and IT officers |
| Third Party & Vendor Risk | Procurement, risk, audit teams |
| Fraud Risk Management in Banking | Operations, risk, internal audit |
| KYC, AML & Customer Due Diligence | Compliance and front-line teams |
| Internal Audit in Banking | Internal audit functions |
| Operational Risk | Risk teams, branch management |
All courses are:
- Accredited by the BFSI Sector Skill Council of India (BFSI SSC) under NSDC
- Updated as RBI, SEBI, and IRDAI release new guidelines
- Delivered with AI mentor support, implementation toolkits, and MCQ assessments
- Eligible for dual certification from RMAI and Smart Online Course