Is vCISO Legally Recognized Under Indian BFSI Cyber Regulations or in Conflict with CISO Role? Know Inside

Prof. Triveni Singh, Ex-IPS

The Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), and Insurance Regulatory and Development Authority of India (IRDAI) have established stringent cybersecurity frameworks for regulated entities (REs) to ensure robust incident reporting and compliance. The RBI’s Master Direction on IT Governance (2023) mandates that a Chief Information Security Officer (CISO) be a senior-level employee of the RE, without a direct reporting line to the IT Head, to maintain independence. The CISO is responsible for driving cybersecurity strategy and ensuring compliance, including reporting cyber incidents via the Daksh portal, which requires the reporter to be an employee of the RE.

A virtual CISO (vCISO), typically an external consultant or third-party service provider, does not qualify as an employee of the RE. This creates a legal and operational challenge for vCISOs in directly reporting cyber incidents through the Daksh portal, as access is restricted to RE employees. RBI guidelines (RBI/2015-16/418) emphasize timely incident reporting within 2-6 hours, but do not explicitly address vCISO involvement.

SEBI’s Cybersecurity and Cyber Resilience Framework (2024) and IRDAI’s Information and Cyber Security Guidelines (2023) similarly require CISOs to oversee incident reporting, with IRDAI mandating reports within 48 hours for significant incidents. Neither explicitly permits external vCISOs to access reporting portals.

To comply, REs employing vCISOs must designate an internal employee as the official CISO for Daksh portal reporting. The vCISO can advise on strategy and incident management but cannot directly access the portal. REs should formalize internal processes for coordination between the vCISO and the designated employee-CISO, so that regulatory timelines and requirements are met while the RE still benefits from external expertise.
