RBI/2012-13/547

BCP, VAPT and Information Security for Banks

Live · in force. No withdrawal recorded as of 19 Jun 2026. Reviewed by Vikram Jain; always verify against the official RBI source below.
Issued by RBI: 26 Jun 2013  ·  Decoded by BankPulse: 19 Jun 2026, 20:38 IST
Quick answer: RBI mandates banks to implement robust Business Continuity Plans (BCP) and conduct periodic Vulnerability Assessment and Penetration Testing (VAPT) to secure information systems, with board-level approval and quarterly reporting.

What changed

RBI reinforced the need for banks to have consolidated BCP documents covering people, process, and technology, and to conduct regular Disaster Recovery drills and VAPT. It also requires board-level approval of information security policies and continued quarterly reporting on these activities.

What it means for you

Banks must strengthen their IT resilience by formalizing BCPs and testing them regularly to minimize operational, financial, and reputational risks from disruptions. VAPT becomes a non-negotiable periodic exercise to guard against cyber threats, with gaps needing timely closure. Board oversight and quarterly compliance reporting are now mandatory, making information security a governance priority.

What you must do

Who it affects

All Scheduled Commercial Banks (excluding RRBs); Board of Directors and senior management; IT and information security teams; risk management and compliance departments.

What is the frequency of VAPT required by RBI?

RBI mandates periodic VAPT but does not specify an exact frequency in this circular; banks should determine a schedule based on risk assessment and ensure regular testing.

Do we need board approval for information security policies?

Yes, the circular states that policies governing security of information systems should be discussed and approved at the board level and updated from time to time.

What should be included in the BCP document?

The BCP document should cover policies, standards, and procedures to ensure continuity, resumption, and recovery of critical business processes, limiting impact on people, processes, and infrastructure.

AI-drafted · 3-model AI consensus fact-check · under the editorial review of Vikram Jain · decoded & published by BankPulse · 19 Jun 2026, 20:38 IST
Official RBI source: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=8061&Mode=0 — Plain-English summary by BankPulse (bankpulse.ai), reviewed by Vikram Jain. Independent platform, not affiliated with the Reserve Bank of India; never reproduces RBI text verbatim.