June 11, 2026
Most Indian banks have this wrong. And regulators are noticing.
Who owns cybersecurity risk in your bank?
Yogesh V Malvankar
Ask the CISO – they'll say "I do."
Ask the CRO – they'll say "My ORM team tracks it."
Ask the Audit Committee – they'll say "Internal Audit covers it."
Everyone owns it. Which means – effectively – no one does.
Here's how the Three Lines of Defence should work for technology and cyber risk in an RBI/SEBI-regulated bank:
1st Line → Technology Team + CISO (Operations)
You build it. You run it. You own the risk. The CISO's SOC, vulnerability management, and incident response all sit here. This is not a governance function – it's an execution function.
2nd Line → IT GRC + ORM + Compliance
You set the guardrails. You challenge the 1st line. You report to the CRO – not the CTO. The moment IT GRC reports into Technology, you've lost your independence. RBI doesn't say this explicitly. But their IT examination findings do.
3rd Line → Internal Audit
You verify everything – independently, for the Board. Not for the CISO. Not for the CTO. For the Audit Committee. IS Audit under RBI ITGC 2023 mandates this independence. SEBI CSCRF reinforces it for regulated entities.
The structural failure I see most often:
❌ IT GRC reporting into the CTO
❌ Internal Audit raising findings directly to the CISO for closure
❌ ORM not including cyber loss events in its RCSA (Risk and Control Self-Assessment)
❌ Compliance tracking regulatory deadlines without connecting them to control gaps
These aren't hypotheticals. These are patterns visible across Indian BFSI – and increasingly visible to RBI supervisors.
The uncomfortable truth:
The CISO's position is the most structurally ambiguous role in Indian banking today.
Operationally, the CISO sits in Line 1.
But for policy, standards, and board advisory? RBI's implicit expectation is functional independence – closer to Line 2.
Most banks haven't resolved this tension. They've just not been asked about it yet.
If your board can't clearly answer "which line owns what" for cyber risk – that's not a governance gap. That's a regulatory exposure.
Has your organisation clearly defined this? I'd like to know what works – and what doesn't.
👇 Drop your experience in the comments.
#CyberGRC #RiskGovernance #ThreeLinesOfDefence #CISO #InternalAudit #RBI #SEBI #ITGC #BFSI #CyberRisk #ITGovernance #OperationalRisk #Compliance #BankingCybersecurity #ITAudit