THE ROLE OF TECHNOLOGY VENDORS – INDIA’S VANGUARD FOR CYBERSECURITY AND DATA PROTECTION

October 10, 2024

India is known to the world as an IT hub and the leader in technology outsourcing. With this reputation at stake, it is no surprise that Indian regulators are vigilant in the promulgation and monitoring of cybersecurity and data protection standards. Perhaps less appreciated is that in critical areas such as financial services, these disciplines are mandated throughout the entire vendor network via a rigorous set of directives.

Vulnerability Assessment and Penetration Testing (VAPT) is mandatory for vendors providing technology services to the financial services industry in India. It plays a major role in preventing cyber threats and enabling data protection, both of which are also mandated in the regulatory framework laid down by the RBI and SEBI.

Significance of VAPT for Vendors to Financial Services Providers

  • Enhanced Security: VAPT helps uncover vulnerabilities in systems, networks, and applications that could be exploited by attackers. It helps financial institutions identify vulnerabilities in their systems and hence minimise the risk they take on when relying on third-party service providers.
  • Regulatory Compliance: The RBI and SEBI regulate the Indian financial sector with a focus on data privacy and secure transaction handling. These standards require vendors to maintain strong cybersecurity, including regular VAPT assessments, to secure sensitive financial data and remain compliant with regulations.
  • Building Trust with Financial Institutions: The process certifies that the vendor’s security operations strengthen its security posture and keep sensitive data from being compromised.
  • Operational Resilience: VAPT contributes to operational resilience by identifying vulnerabilities before they can be exploited. This proactive approach helps financial institutions prevent service disruptions and maintain business continuity, which is critical in a highly regulated and fast-paced financial services industry.

Specific regulations and guidelines from the RBI and SEBI that necessitate VAPT for vendors include:

1. Master Direction on Digital Payment Security Controls
  • Section 8 (Risk Assessment and Mitigation): Entities involved in digital payments must conduct periodic risk assessments, including vulnerability assessments and penetration testing, to identify and mitigate risks in their digital products, services, and underlying infrastructure.
  • Section 17 (Third-party Risk Management): Financial entities must ensure that third-party service providers, including technology vendors, adhere to the same security standards as the primary entity, including regular security audits and VAPT.
2. Master Direction on Information Technology Governance, Risk, Controls and Assurance Practice
  • Applicability of VAPT: The scope of VAPT should include all IT assets of the institution, including networks, applications, endpoints, and databases. This encompasses both in-house and cloud-based services, ensuring comprehensive coverage across all technological touchpoints.
  • Section 26 (Vulnerability Assessment (VA) / Penetration Testing (PT)): Regulated entities (REs) are required to conduct VA and PT for critical information systems, including those in the De-Militarized Zone (DMZ) with customer interfaces, every six months for VA and annually for PT.
  • REs must report the summary of the VAPT findings to the RBI as part of their annual IT examination process. This summary should include information on the nature of the vulnerabilities, the risks they pose, and the actions taken to mitigate them.
  • REs must establish a mechanism for continuous monitoring of IT assets to detect new vulnerabilities. The VAPT process should be periodically reviewed and updated to incorporate new technologies and emerging threats.
3. SEBI Circular on Cybersecurity and Cyber Resilience Framework for Market Infrastructure Institutions (August 2023)
  • This circular applies to key market infrastructure institutions, requiring them to conduct periodic VAPT to assess the cybersecurity strength of their systems and that of their vendors, to ensure compliance with SEBI’s security guidelines.

With this rigorous framework in place, financial institutions need to be vigilant in the selection and monitoring of their service providers to ensure that cybersecurity and data protection are implemented to the highest standards.
