RBI Cyber Resilience Guidelines and CTEM: Mapping Your Obligations
A practical guide for Indian BFSI security teams: how the Reserve Bank of India's cyber resilience framework maps to Continuous Threat Exposure Management, and what you need to implement.

The Reserve Bank of India has been steadily tightening cybersecurity expectations for regulated entities since the initial Cyber Security Framework circular in 2016. The more recent guidelines, particularly the Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices (2023) and the ongoing emphasis on cyber resilience, have raised the bar significantly for banks, NBFCs, payment system operators, and other regulated financial institutions in India.
For security teams at these institutions, the question is no longer whether continuous monitoring is expected. It is how to implement it in a way that satisfies the RBI's evolving requirements without overwhelming teams that are already stretched thin. This guide maps the RBI's cyber resilience expectations to the CTEM framework and explains what Indian BFSI security teams need to prioritise.
What the RBI Expects
The RBI's cybersecurity requirements span several circulars and directions, but the core expectations for regulated entities can be summarised as:
Continuous risk assessment: The RBI expects regulated entities to maintain an ongoing awareness of their cyber risk posture, not rely solely on periodic assessments. The IT Governance Direction specifically requires entities to establish processes for continuous monitoring of IT risks.
Threat intelligence capability: Regulated entities are expected to have access to threat intelligence relevant to their operations, including awareness of threats targeting the financial sector. The RBI has encouraged participation in sectoral information sharing (through CERT-In and financial sector CERTs) and expects entities to incorporate threat intelligence into their risk management processes.
Vulnerability management: Regular vulnerability assessment and penetration testing are required, with the RBI specifying minimum frequencies. However, the direction of travel is clearly toward more frequent assessment, and several recent examination findings have cited insufficient monitoring frequency as a deficiency.
Third-party risk management: The RBI has placed increasing emphasis on the security posture of third-party service providers, particularly technology vendors and outsourced service providers. Entities are expected to assess and monitor the security practices of their critical vendors on an ongoing basis.
Incident response and reporting: Regulated entities must have incident response capabilities and report significant cyber incidents to CERT-In and the RBI within specified timeframes. The emphasis on detection speed, which directly supports timely reporting, aligns with continuous monitoring rather than periodic scanning.
Board-level oversight: The RBI requires that cyber risk be reported to the board regularly and that senior management maintain active oversight of the entity's cybersecurity posture.
How CTEM Maps to RBI Requirements
The CTEM framework (scoping, discovery, prioritisation, validation, mobilisation) provides a structured approach that addresses several RBI requirements simultaneously.
Scoping
RBI requirement: Identify and classify all information assets, with particular attention to internet-facing systems and systems processing sensitive customer data.
CTEM implementation: Define the scope of your external exposure monitoring to include all domains, IP ranges, cloud infrastructure, and digital assets associated with the entity. Include subsidiary and joint venture domains. Map scoping decisions to the RBI's asset classification requirements.
Discovery
RBI requirement: Maintain visibility of all internet-facing assets, including those not formally tracked in asset inventories. Identify shadow IT and unauthorised services.
CTEM implementation: Run continuous external asset discovery across all defined scopes. This directly addresses the RBI's expectation that entities know what is exposed to the internet. Discovery should also cover credential exposures on dark web sources, data leaks, and brand impersonation infrastructure.
Prioritisation
RBI requirement: Assess and prioritise risks based on potential impact to the entity and its customers. Ensure that remediation resources are directed at the highest-impact exposures.
CTEM implementation: Prioritise findings by business criticality, exploitability, and threat intelligence context rather than relying solely on CVSS scores. Map critical findings to RBI risk categories and ensure that exposures affecting customer data or payment systems receive highest priority.
Validation
RBI requirement: Conduct regular penetration testing and vulnerability assessment. Verify that remediation actions have actually addressed the identified risks.
CTEM implementation: Use validation techniques (targeted scanning, configuration verification, breach and attack simulation) to confirm that prioritised findings represent genuine risk and that remediation has been effective. This addresses the RBI's requirement for regular testing while adding continuous verification between formal assessment cycles.
Mobilisation
RBI requirement: Remediate identified risks within defined timeframes. Document remediation actions for audit and regulatory examination.
CTEM implementation: Route findings to responsible teams through integrated ticketing systems. Track remediation against defined SLAs. Generate evidence trails that document the full lifecycle from detection through remediation, which is exactly what RBI examiners look for during inspections.
Practical Implementation for Indian BFSI Teams
Phase 1: External Visibility (Month 1 to 2)
Deploy a platform that provides continuous external attack surface discovery and vulnerability scanning for all your entity's domains and IP ranges. This immediately addresses the RBI's expectations around asset visibility and vulnerability identification.
At the same time, enable dark web monitoring for your entity's email domains. Credential exposure is a top concern for the RBI given the financial sector's attractiveness as a target, and being able to demonstrate proactive monitoring of dark web sources counts strongly in the entity's favour during examinations.
Phase 2: Brand and Data Protection (Month 3 to 4)
Extend monitoring to include brand impersonation detection (typosquatting, phishing pages targeting your customers) and data leak monitoring (sensitive data appearing on paste sites, code repositories, or dark web forums).
For banks and payment system operators, brand impersonation is directly tied to customer protection obligations. Demonstrating that you actively monitor for and take down fraudulent domains shows regulatory maturity.
Phase 3: Vendor Risk Monitoring (Month 4 to 6)
The RBI's emphasis on third-party risk management is increasing with each new direction. Deploy continuous monitoring of your critical vendors' external security posture. This replaces or supplements annual vendor questionnaires with real-time visibility into vendor risk changes.
Configure alerts for material changes in vendor posture (new critical vulnerabilities, expired certificates, newly exposed services) and establish a process for engaging vendors when their risk profile deteriorates.
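The vendor posture alerting described above, as an added example that is not Scrutex's own code: it diffs two constructed snapshots of a hypothetical vendor's external posture, raises alerts for the three change types named (newly exposed services, new critical vulnerabilities, certificate expiry), and decides whether the vendor engagement process should be triggered. The snapshot fields, the remote-admin port list, the 14-day certificate warning window and the placeholder CVE ids are all assumptions.

```python
"""Alert on material changes between two vendor posture snapshots and decide
whether to open a vendor engagement. Added example, not Scrutex code; snapshot
fields, thresholds and the port list are assumptions."""
from datetime import date, timedelta

# Constructed snapshots for a hypothetical vendor (not real data; CVE ids are placeholders).
PREVIOUS = {
    "services": {("vendor.example", 443)},
    "critical_vulns": {"CVE-0000-0001"},
    "cert_expiry": {"vendor.example": date(2026, 4, 10)},  # host -> certificate notAfter
}
LATEST = {
    "services": {("vendor.example", 443), ("vendor.example", 3389)},
    "critical_vulns": {"CVE-0000-0001", "CVE-0000-0002"},
    "cert_expiry": {"vendor.example": date(2026, 4, 10)},
}
REMOTE_ADMIN_PORTS = {22, 3389, 5900}  # assumed: newly exposed admin ports escalate to critical
CERT_WARNING_DAYS = 14                 # assumed lead time for an "expiring" warning


def posture_alerts(prev, cur, today):
    """Return (severity, kind, detail) tuples for changes worth a ticket."""
    alerts = []
    # Services present now but absent in the previous snapshot.
    for host, port in sorted(cur["services"] - prev["services"]):
        sev = "critical" if port in REMOTE_ADMIN_PORTS else "medium"
        alerts.append((sev, "new_exposed_service", f"{host}:{port}"))
    # Critical vulnerabilities first seen in this snapshot.
    for cve in sorted(cur["critical_vulns"] - prev["critical_vulns"]):
        alerts.append(("critical", "new_critical_vuln", cve))
    # Certificates already expired, or expiring inside the warning window.
    for host, not_after in sorted(cur["cert_expiry"].items()):
        if not_after < today:
            alerts.append(("critical", "certificate_expired", host))
        elif not_after - today <= timedelta(days=CERT_WARNING_DAYS):
            alerts.append(("medium", "certificate_expiring", host))
    return alerts


def needs_vendor_engagement(alerts):
    """Escalate to the vendor-management process when any alert is critical."""
    return any(sev == "critical" for sev, _, _ in alerts)
```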
Phase 4: Compliance Evidence and Reporting (Ongoing)
Configure automated monthly reports that document all monitoring activity, findings, remediation actions, and risk trends. These reports serve dual purposes: operational reporting to management and board, and compliance evidence for RBI examinations.
The key metrics to track and report:
- External assets discovered vs. known inventory
- Credential exposures detected and time to remediation
- Brand impersonation attempts detected and takedown activity
- Vendor risk posture trends
- Vulnerability remediation rates against defined SLAs
What Scrutex Covers for RBI-Regulated Entities
Scrutex's five modules map directly to the RBI's core cybersecurity expectations:
| RBI Requirement | Scrutex Module |
|---|---|
| Asset visibility and vulnerability assessment | Vulnerability Insights |
| Credential and data exposure monitoring | Data Exposure Insights |
| Brand protection and fraud prevention | Brand Insights |
| Threat intelligence integration | Threat Insights |
| Third-party risk management | Vendor Insights |
The platform includes compliance reporting templates that generate evidence aligned with the RBI's examination expectations. Monthly reports document what was monitored, what was found, what action was taken, and how risk posture is trending, all formatted for regulatory review.
The Compliance Advantage of Moving Early
As of March 2026, none of the major international EASM or CTEM vendors have published guidance specifically mapping their capabilities to RBI requirements. This is a gap that Indian BFSI entities can exploit by implementing a CTEM programme now and documenting how it addresses each of the RBI's cyber resilience expectations.
Entities that can demonstrate a mature, continuous exposure management programme during their next RBI examination will be materially ahead of peers still relying on quarterly vulnerability scans and annual penetration tests. The direction of regulatory travel is clear: continuous monitoring is the expectation, and entities that have already adopted it will spend less time remediating examination findings and more time actually managing risk.
Frequently Asked Questions
How does RBI cyber resilience map to CTEM?
The RBI's cyber resilience requirements cover asset visibility, continuous risk assessment, threat intelligence, vendor risk management, and incident reporting. All of these map directly to the five stages of the CTEM framework. Implementing CTEM provides a structured approach that addresses multiple RBI requirements simultaneously through continuous external monitoring.
Does the RBI require dark web monitoring?
The RBI does not mandate dark web monitoring in explicit terms, but its requirements for threat intelligence capability and proactive risk identification create a strong expectation. Entities that can demonstrate they actively monitor dark web sources for credential exposures and data leaks relevant to their operations will be viewed more favourably during regulatory examinations.
What is the minimum monitoring frequency the RBI expects?
The RBI specifies minimum frequencies for certain activities (e.g., quarterly vulnerability assessments, annual penetration testing) but the direction of regulatory expectation is toward continuous monitoring. Recent examination findings have cited insufficient monitoring frequency as a deficiency, indicating that meeting the specified minimums alone may not be sufficient.
How should BFSI entities report cyber risk to their boards?
The RBI requires regular board reporting on cyber risk. Effective reporting should include metrics on external exposure (assets discovered, credential exposures, brand threats), remediation performance against SLAs, vendor risk posture, and trend data showing whether the entity's risk profile is improving or deteriorating. Monthly or quarterly reports generated by a CTEM platform provide the data needed for meaningful board-level reporting.