The problem is execution, and the gap between what organizations think they are doing and what the regulator actually expects is wider than most realise.
Two Master Directions are currently in force. Deadlines have passed for some. Others are active right now. This blog will give you a clear breakdown of what applies to whom and what getting it right actually involves.
The Two RBI Directions Governing VAPT Compliance for Banks, NBFCs and Fintechs
1. Master Direction on IT Governance, Risk, Controls and Assurance Practices
Effective from 1 April 2024, this Direction covers:
A. Regulated entities:
- Scheduled commercial banks
- Small finance banks
- Payments banks
- NBFCs (Non-Banking Financial Companies)
- Credit information companies
B. All India Financial Institutions including:
- EXIM Bank
- NABARD
- SIDBI
VAPT is a formal obligation under Section 3.8 of this Direction. It was issued under Section 35A of the Banking Regulation Act, not as guidance but as a binding direction.
Source: Official RBI Document: Master Direction on IT Governance
2. Master Directions on Cyber Resilience and Digital Payment Security Controls for Non-Bank PSOs
Released on 30 July 2024, this Direction applies to:
a. Non-bank PSOs (Payment System Operators)
b. Payment aggregators
c. PPI (Prepaid Payment Instrument) issuers
d. Cross-border money transfer operators
Unlike the IT Governance Direction, this one introduces event-driven VAPT as a hard requirement. Periodic testing alone is not enough. Compliance under this Direction is phased by entity size:
- Large non-bank PSOs: the compliance deadline was 1 April 2025, which has already passed.
- Medium non-bank PSOs: the compliance deadline was 1 April 2026, which is active right now.
- Small non-bank PSOs: the compliance deadline is 1 April 2028.
Medium PSOs that do not have an operational VAPT programme today are non-compliant. Not behind schedule. Non-compliant.
Source: Official RBI Document: Master Direction on Cyber Resilience for PSOs
How Frequently Does RBI Require VAPT Testing for Critical Systems
For critical information systems the RBI requires a Vulnerability Assessment (VA) every six months and Penetration Testing (PT) at least once a year. These are two separate activities: VA is semi-annual; PT is annual at minimum, and additionally required whenever significant system changes are made.
For PSOs it becomes more complex. A new service going live or an existing service being redeployed triggers a mandatory VAPT cycle on its own, completely independent of the scheduled periodic assessment. So if a payment product launches in Q2 and the last scheduled VAPT was completed in Q1, a fresh VAPT is still required before that product goes live. These are not the same obligation. One does not substitute for the other. Organizations that budget for a single annual VAPT are systematically underestimating their actual obligations.
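The interaction between the periodic cadence and the event-driven trigger is easy to get wrong in a spreadsheet, so here is an added example (not from the page or any RBI tool) that models it: each critical system carries its last VA and PT dates plus its change events, and an event-driven VAPT only counts if it was run on the change itself, after the build was frozen and before go-live. System names, dates and the six-month/one-year cadence constants are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

VA_MAX_AGE_DAYS = 183   # assumed encoding of "VA every six months"
PT_MAX_AGE_DAYS = 365   # assumed encoding of "PT at least once a year"

@dataclass
class ChangeEvent:
    """A new service going live or an existing one being redeployed."""
    description: str
    change_ready: date                   # build frozen, ready for testing
    go_live: date
    vapt_completed: Optional[date] = None  # VAPT run on this change itself

@dataclass
class CriticalSystem:
    name: str
    last_va: Optional[date]
    last_pt: Optional[date]
    events: List[ChangeEvent] = field(default_factory=list)

def outstanding_obligations(system: CriticalSystem, today: date) -> List[str]:
    """Return the VAPT obligations this system cannot currently evidence."""
    gaps = []
    for label, last, max_age in (("VA", system.last_va, VA_MAX_AGE_DAYS),
                                 ("PT", system.last_pt, PT_MAX_AGE_DAYS)):
        age = None if last is None else (today - last).days
        if age is None or age > max_age:
            gaps.append(f"{system.name}: {label} overdue (last {label} age: {age} days)")
    for ev in system.events:
        # Event-driven VAPT is independent of the periodic cycle: a periodic test
        # completed before the change does not cover the change.
        covered = (ev.vapt_completed is not None
                   and ev.change_ready <= ev.vapt_completed <= ev.go_live)
        if covered:
            continue
        if ev.go_live <= today:
            gaps.append(f"{system.name}: '{ev.description}' went live {ev.go_live} without its own VAPT")
        else:
            gaps.append(f"{system.name}: '{ev.description}' needs VAPT before go-live on {ev.go_live}")
    return gaps

def compliance_report(portfolio: List[CriticalSystem], today: date) -> List[str]:
    return [gap for s in portfolio for gap in outstanding_obligations(s, today)]

# Constructed sample portfolio: a Q1 periodic VA does not cover a Q2 launch.
TODAY = date(2026, 5, 18)
PORTFOLIO = [
    CriticalSystem("UPI switch", last_va=date(2026, 1, 10), last_pt=date(2025, 3, 1),
                   events=[ChangeEvent("merchant payout API", date(2026, 4, 1), date(2026, 4, 20))]),
    CriticalSystem("Core banking", last_va=date(2025, 9, 30), last_pt=date(2025, 11, 15),
                   events=[ChangeEvent("CBS redeploy", date(2026, 5, 1), date(2026, 6, 1),
                                       vapt_completed=date(2026, 5, 10))]),
]

if __name__ == "__main__":
    for line in compliance_report(PORTFOLIO, TODAY):
        print(line)
```

Each gap line maps to one evidence item an inspector would ask for, which is the level at which the obligations should be tracked rather than as a single annual VAPT line item.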
Why VAPT Scope Is Narrower Than It Should Be at Most Organizations
The 2024 PSO Direction is explicit: VAPT scope must cover customer-facing applications and APIs (Application Programming Interfaces), core banking or payment infrastructure, cloud-hosted systems, and third-party vendors handling critical processes like payment gateways, KYC (Know Your Customer) providers, AML (Anti-Money Laundering) platforms.
There is also a vendor accountability clause. PSOs are required to ensure that unregulated entities within their payment ecosystem (gateways, third-party service providers, technology vendors) adhere to these obligations too, under mutual agreement. "Our vendor manages that" is not a compliant answer. Documented independent assessment of critical vendors is what inspectors look for, and this is precisely where audit gaps are found most often.
What RBI Inspectors Actually Examine During a Cybersecurity Audit
Inspectors check whether the work was genuine manual penetration testing or purely automated scanning; scanner-only reports do not meet the PT requirement.
They look for remediation evidence: what was found, when it was fixed, and whether a re-test was conducted. The vendor matters: CERT-In (Indian Computer Emergency Response Team) empanelment is the standard that gives a VAPT report credibility with regulators. Reports must use CVSS (Common Vulnerability Scoring System) based scoring. And documentation must be available immediately on request, not assembled after an inspection notice arrives.
Three recurring gaps in recent BFSI (Banking, Financial Services and Insurance) audits:
- Third-party systems excluded from scope
- Automated tools standing in for manual testing
- Patching timelines that exist nowhere in writing
On patching, SEBI's CSCRF (Securities and Exchange Board of India's Cybersecurity and Cyber Resilience Framework) mandates remediation of critical vulnerabilities within 24 hours in certain scenarios. RBI-regulated entities face comparable expectations. Logging a vulnerability in a report is not the same as fixing it.
Board-Level Governance Is a Regulatory Obligation, not a Best Practice
The RBI is specific here. The CISO (Chief Information Security Officer) must be independent of the IT function and report to risk leadership, not to the CTO (Chief Technology Officer) or Head of IT. The Board or a designated sub-committee is responsible for information security risk oversight, with quarterly review meetings expected.
IS (Information Security) policies must be board-approved and reviewed every year. The CCMP (Cyber Crisis Management Plan), covering how the organisation detects, contains, responds to, and recovers from cyber incidents, also falls under board accountability. Where the CISO reports into IT today, that structure is out of alignment with current RBI expectations, and the misalignment surfaces clearly during supervisory reviews.
Cybersecurity Threat Data That Explains Why These Rules Exist
India recorded over 265 million malware detections in 2025–2026. Attacks on the BFSI sector are growing at roughly 25% year on year. Estimated losses from cyber incidents in the sector reach Rs 50,000 crore annually. The World Economic Forum's Global Risk Report 2026 places cybersecurity as India's top national risk ahead of economic downturns and climate events.
Globally, the average cost of a data breach is $4.45 million. The AIIMS breach disrupted critical hospital operations for weeks. The BharatPe compromise exposed sensitive financial data of thousands of merchants. These were not small organizations with weak security teams. The damage came from gaps that a proper VAPT programme would have surfaced.
UPI (Unified Payments Interface) is projected to cross 130 billion transactions in 2025. That is an enormous volume of financial activity sitting on infrastructure that is only as secure as the components that have actually been tested.
What Full RBI VAPT Compliance Requires
Pulling it all together, the minimum a regulated entity needs to demonstrate under current RBI rules covers these areas:
- A board-approved IS policy reviewed annually
- A CISO operating independently of IT
- VA every six months for critical systems
- PT at least annually
- A pre-deployment VAPT before any new service or redeployment goes live
- CVSS-scored reports from a CERT-In empaneled vendor
- Documented remediation timelines backed by re-test evidence
- DR (Disaster Recovery) drills conducted twice a year
For banks and NBFCs, this has been in force since April 2024. For medium PSOs, the deadline is now. For small PSOs working toward April 2028, eighteen months is not as comfortable as it sounds. Getting vendor empanelment verified, building scope to include third parties, establishing event-driven VAPT triggers alongside periodic assessments, and making documentation inspection-ready all take longer in practice than on paper.
The RBI has written the requirements clearly across both Directions. What separates compliant organizations from non-compliant ones is not access to information. It is whether the programme is actually running.
As RBI cybersecurity expectations continue to evolve, organizations need continuous visibility into vulnerabilities, cyber risks, and compliance readiness beyond periodic VAPT assessments.
C9Lab helps banks, NBFCs, Fintechs, and payment operators with RBI-aligned VAPT services, cybersecurity assessments, and proactive threat monitoring solutions.
You can also check your organisation's cybersecurity exposure through the free Business Risk Score Assessment by C9Lab.
Originally published at https://c9lab.com on May 18, 2026.