The Reserve Bank of India has three overlapping cyber frameworks that prescribe VAPT — at different cadences, for different assets, with different reporting overlays. If your CIO/CISO/CRO triangle is unclear which one applies, this is the map.
The three relevant RBI instruments
- Cyber Security Framework in Banks (Circular DBS.CO/CSITE/BC.11/33.01.001/2015-16, June 2016, with subsequent updates).
- Master Direction on Digital Payment Security Controls (RBI/2020-21/74, February 2021).
- Master Direction on Outsourcing of Information Technology Services (RBI/2023-24/102, April 2023).
Who they apply to
| Entity type | CSF | Digital Payment MD | Outsourcing MD |
|---|---|---|---|
| Scheduled Commercial Banks | Yes | Yes | Yes |
| Small Finance & Payment Banks | Yes | Yes | Yes |
| NBFCs (top, upper & middle layer) | NBFC IT Framework (2017), superseded for these layers by the IT Governance Master Direction (Nov 2023) | Credit-card-issuing NBFCs | Yes |
| NBFCs (base layer) | Light-touch IT framework (Section B of the NBFC IT Framework) | — | Not covered (the MD applies to top, upper and middle layers only) |
| Co-operative banks | Graded (tiered) framework for UCBs | If applicable | UCBs with asset size of ₹1,000 crore and above |
VAPT cadence by asset
- Internet banking application — annual + on significant change.
- Mobile banking application — annual + on every major release.
- UPI / IMPS / NEFT integration — annual + before go-live of any new channel.
- Card management / switch — annual.
- Internal network — annual external, semi-annual internal where feasible.
- API endpoints exposed to third parties (account aggregators, fintech partners) — annual + on every new partner integration.
Reporting requirements
The CSF and the Digital Payment MD both require a Board-level reporting cadence. The minimum artifacts:
- Executive summary suitable for the Board IT Strategy Committee.
- Findings table by severity with management response.
- Remediation timeline approved by the CISO and the IT Strategy Committee.
- Re-test report for Critical and High findings.
- VAPT vendor declaration — independence, qualifications, and methodology.
CERT-In empanelment
For bank VAPT engagements, RBI guidance strongly prefers CERT-In empanelled vendors. The empanelment list is published by CERT-In and updated periodically as vendors are added or their empanelment lapses. Empanelment is not a statutory requirement for every entity, but it is the de facto expectation for SCBs and significant NBFCs, and inspectors will ask for it.
Common gaps we find on first-time engagements
- VAPT done on UAT but not on production — does not satisfy the CSF.
- Internet-banking VAPT older than 18 months — misses the annual cadence and is non-compliant.
- Mobile banking VAPT covers Android only — non-compliant if iOS is in production.
- Third-party API integrations untested — major gap under the Outsourcing MD.
- No re-test artifact for Critical findings closed in the last year — incomplete evidence.
Schedule the annual VAPT to land 60–90 days before your RBI inspection cycle. Build the remediation window into the same plan. Ask the vendor for the CSF/Digital Payment MD/Outsourcing MD mapping appendix as a deliverable, not an afterthought.
For the SEBI equivalent (brokers, depositories, AMCs), see SEBI Cybersecurity Framework. For the underlying engagement structure, see web and API services.
Need a VAPT engagement scoped against this?
Tell us the asset and the compliance overlay. We will come back with a scope, timeline, and fixed-fee quote within 24 hours. Engagements start at USD 500. Free retest included.
Book a 20-minute call →

BERRY9 IT SERVICES — VAPT Practice
Hyderabad-based ISO 27001 + 9001 certified offensive-security team. Since 2015 we have run 500+ engagements for 100+ clients across pharma, BFSI, healthcare, VFX, and enterprise SaaS. Every engagement includes a free retest.