Banking Governance in the Age of Cyber Risk: How India's Boards and CISOs Must Adapt
The regulatory landscape is shifting faster than most bank boardrooms have realised. Here is what effective cyber governance looks like — and where India's institutions still fall short.
Governance Is the Missing Conversation
When cyber incidents make headlines, the conversation typically focuses on the technical: which vulnerability was exploited, which data was taken, how quickly systems were restored. What receives far less attention — in India and globally — is the governance layer: who in the institution was accountable, what risk appetite had been articulated, whether the board had adequate visibility into cyber exposure, and whether the institution's response was consistent with its stated risk management framework.
This governance gap matters because it is where structural change is possible. Technology evolves too quickly for any regulatory prescription to stay current. What endures are the institutional structures — board oversight, management accountability, third-party risk frameworks, incident response protocols — that determine how well an institution responds to threats it has never encountered before.
"Cyber risk is not an IT problem that occasionally reaches the boardroom. It is a board-level strategic risk that occasionally requires IT to execute the response."
What the RBI Expects — And What It Does Not Yet Require
The RBI's cybersecurity framework, first issued in 2016 and subsequently updated, mandates a range of technical controls: multi-factor authentication, encryption standards, network security architecture, and incident reporting timelines. Banks above a certain size are required to maintain a CISO (Chief Information Security Officer) function and to conduct regular cyber audits.
What the framework does not yet prescribe in detail is board-level governance: the composition of risk committees, the cyber literacy expected of independent directors, the frequency and format of board-level reporting on cyber incidents, or the link between cyber risk assessment and capital adequacy. These are areas where India's banking governance remains, by international standards, at an early stage.
The contrast with leading jurisdictions is instructive. The US Securities and Exchange Commission's 2023 rules require listed companies to disclose material cybersecurity incidents within four business days and to describe board oversight of cyber risk in annual filings. The European Union's NIS2 Directive mandates personal liability for senior management in cases of negligent governance. India has not yet moved to comparable specificity — though the RBI's increasing operational requirements for banks suggest that direction of travel.
The CISO's Evolving Role in Indian Banking
In most Indian banks, the CISO function has evolved from a technical role — essentially a senior system administrator with a compliance mandate — toward something closer to a strategic risk officer. The best CISOs in India's banking sector today are conversant not only with ISO/IEC 27002 and CIS Controls, but with credit risk methodology, regulatory capital frameworks, and board communication.
The gap between the best and the rest, however, remains wide. Many mid-tier and smaller banks still treat cybersecurity as a cost centre to be minimised rather than a risk management function to be optimised. The CISO, where one exists, often lacks direct board access and operates with budgets calibrated to regulatory minimums rather than actual threat exposure.
This matters acutely in the context of the RBI's proposed compensation scheme. The draft places evidentiary and operational obligations on banks — faster complaint processing, clearer alert policies, burden-shifting in disputed cases — that will require sustained investment in systems, processes, and governance. Banks that have underinvested in their CISO function will find these obligations significantly more expensive to meet.
Third-Party and Supply Chain Risk: The Underappreciated Exposure
India's banking sector is heavily dependent on third-party technology providers: core banking vendors, payment network operators, cloud infrastructure providers, and a growing ecosystem of fintech partners operating under the RBI's account aggregator and co-lending frameworks. Each of these relationships creates a potential attack surface that the bank itself cannot fully control.
Global experience — from the SWIFT payment network attacks of 2016 to the 2023 MOVEit file-transfer breach — demonstrates that sophisticated adversaries increasingly target the shared infrastructure and software supply chains that multiple financial institutions rely on simultaneously. India's own experience with payment network incidents has reinforced this vulnerability.
Effective governance of third-party cyber risk requires more than due-diligence questionnaires at onboarding. It requires continuous monitoring, contractual rights to audit, clearly defined incident notification timelines, and — critically — scenario planning for the possibility that a key vendor suffers a significant breach while the bank's own systems remain unaffected. These are governance conversations that most Indian bank boards have not yet fully had.
A Framework for Action
What does effective cyber governance look like in practice for an Indian bank in 2026? Research and international best practice point toward several structural requirements.
Board and senior management must own cyber risk explicitly. This means dedicated board-level risk committee time for cyber topics, director education on threat landscapes, and clear accountability structures that connect the CISO to the board rather than exclusively to the CTO or CRO.
Risk appetite must be quantified and communicated. Boards should be able to articulate, in financial terms, the level of cyber loss they consider acceptable — and should receive regular reporting on whether actual exposure is within that tolerance.
Incident response governance should be rehearsed, not assumed. Regular tabletop exercises that simulate significant cyber incidents — including regulatory notification scenarios, customer communication protocols, and media handling — build the institutional muscle memory that determines how well a bank performs under real-world pressure.
Third-party risk must be governed at board level. The audit committee or risk committee should receive regular reporting on the bank's most material third-party dependencies and the cyber risk management practices of those providers.
The Governance Dividend
Banks that invest in cyber governance — not merely cyber compliance — are increasingly finding a commercial benefit. Institutional investors and sophisticated corporate depositors are beginning to ask questions about cyber risk management as part of broader ESG and operational due diligence. Cyber-insurance underwriters, as their Indian market matures, will increasingly price governance quality as a factor in premium determination.
More fundamentally, the institutions that govern cyber risk most effectively will be the ones best positioned to extend digital services confidently, to form partnerships with fintech innovators, and to compete for the growing segment of customers whose primary interaction with their bank is through a smartphone screen. In India's rapidly digitising economy, cyber governance is not a compliance burden — it is a strategic differentiator.