RBI, SEBI CSCRF, IRDAI and DPDP Act — running one programme.
How Indian BFSI groups are unifying four regulator-mandated programmes into one control library.

This briefing frames the decision for executive sponsors of Regulatory (UAE/GCC) programmes: what is changing, what to do about it in the next two quarters, and what can be deferred without regulatory or commercial consequence. The audience is the person who signs the budget, not the person who runs the day-to-day.
Definition
Indian BFSI organisations are subject to four overlapping regulatory cybersecurity and data-protection frameworks: the RBI Master Direction on IT Governance (2023), SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF, 2024), IRDAI's Information and Cyber Security Guidelines (2023) and the Digital Personal Data Protection Act 2023 (DPDP Act, enforcement pending notification of the rules). Building a unified control library that satisfies all four regulators simultaneously eliminates duplicate evidence collection and reduces compliance programme costs by an estimated INR 50–150 lakh annually.
Why it matters
The pressure on Regulatory (UAE/GCC) programmes is shifting in specific, observable ways:
- SEBI CSCRF (circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2023/057) mandates a CISO appointment and 6-monthly vulnerability assessments for all SEBI-regulated entities; non-submission of the annual cyber audit certificate triggers trading licence conditions.
- RBI Master Direction on IT (2023) paragraph 76 requires a board-approved cyber crisis management plan tested annually; RBI inspections in 2024 cited absent or untested plans as critical observations in 12 of 30 inspected institutions.
- DPDP Act Section 8(5) imposes data-fiduciary obligations including breach notification to CERT-In within 6 hours (per existing CERT-In directions) and to the Data Protection Board once rules are notified — BFSI firms must align incident response to the tighter 6-hour window.
- A unified control library turns evidence overlap into savings: approximately 65% of RBI IT Master Direction controls map directly to ISO 27001:2022 Annex A, so one artefact can serve both ISMS and regulatory evidence collection.
Evidence sources to capture
What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:
- Unified control library — RBI Master Direction paragraph reference, SEBI CSCRF control ID, IRDAI guideline section, DPDP Act obligation, shared ISO 27001 Annex A control, evidence artefact.
- Cyber crisis management plan (CCMP) — board approval date, test date, exercise type (tabletop/live), RBI submission reference.
- SEBI cyber audit certificate — auditor name, SEBI-empanelled status, finding summary, submission date, SEBI acknowledgement.
- CERT-In breach notification log — incident ID, detection timestamp, CERT-In notification timestamp (6-hour window), content filed, CERT-In reference number.
- Vulnerability assessment and penetration test (VAPT) reports — scope, methodology, critical/high finding count, remediation SLA compliance (SEBI CSCRF: ≤30 days for critical).
- DPDP Act data fiduciary register — processing activity, purpose, data category, consent mechanism, consent withdrawal log.
Recommended next actions
A 90-day plan, sequenced so each step produces evidence the next step depends on:
- Day 0–30: CISO and Compliance Officer build unified control library spanning RBI, SEBI CSCRF, IRDAI and DPDP Act; map to ISO 27001:2022 Annex A; identify unique-to-regulator controls requiring standalone evidence.
- Day 31–60: Information Security Manager commissions 6-monthly VAPT covering network, application and cloud layers per SEBI CSCRF; remediates critical findings within 30 days; prepares SEBI cyber audit certificate package.
- Day 61–90: Business Continuity Manager updates cyber crisis management plan (CCMP) to include DPDP Act breach-notification workflow (6-hour CERT-In window); conducts tabletop exercise; obtains board approval.
- Day 90+: Privacy Counsel drafts DPDP Act consent notices and data-fiduciary register; configures consent management platform (OneTrust or equivalent); establishes CERT-In notification playbook.
- Ongoing: Compliance Officer submits SEBI annual cyber audit certificate; reports RBI paragraph 76 CCMP test results to board; monitors DPDP Act rules gazette and updates programme within 60 days of publication.
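The unified control library described under evidence sources and built in the Day 0–30 step is, in practice, one record per control with a reference into each regulator's text plus the shared evidence artefact. The following is an added example (not MAST Consulting Group's tooling) of the minimum data structure and the three checks the 90-day plan needs from it: per-regulator coverage with the unmapped obligations listed, the share of controls whose artefact also serves an ISO 27001 control, and the unique-to-regulator controls that need standalone evidence. Every regulator reference except "RBI MD-IT para 76" (cited in the text) is a constructed placeholder, and the ISO Annex A numbers are illustrative mappings, not an audited crosswalk.

```python
"""Unified control library: one record per control, mapped to each regulator.

Added example for this briefing. Regulator references other than RBI Master
Direction paragraph 76 are constructed placeholders (suffix -PH-n), not the
regulators' actual numbering; ISO 27001:2022 Annex A ids are illustrative.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REGULATORS = ("RBI", "SEBI_CSCRF", "IRDAI", "DPDP")


@dataclass
class Control:
    control_id: str
    title: str
    evidence_artefact: str          # the one artefact every regulator is shown
    refs: Dict[str, str] = field(default_factory=dict)  # regulator -> reference
    iso_annex_a: Optional[str] = None  # ISO control the same artefact evidences

    def regulators(self) -> set:
        return {r for r, ref in self.refs.items() if ref}


# Constructed sample library (placeholder references except RBI para 76).
LIBRARY: List[Control] = [
    Control("UCL-01", "Cyber crisis management plan, board-approved and tested",
            "CCMP, board minute, exercise report",
            {"RBI": "MD-IT para 76", "SEBI_CSCRF": "CSCRF-PH-1", "IRDAI": "IRDAI-PH-1"},
            iso_annex_a="A.5.24"),
    Control("UCL-02", "Six-monthly VAPT across network, application and cloud",
            "VAPT report and remediation tracker",
            {"RBI": "RBI-PH-2", "SEBI_CSCRF": "CSCRF-PH-2", "IRDAI": "IRDAI-PH-2"},
            iso_annex_a="A.8.8"),
    Control("UCL-03", "Breach notification to CERT-In within 6 hours",
            "CERT-In notification log",
            {"RBI": "RBI-PH-3", "SEBI_CSCRF": "CSCRF-PH-3", "IRDAI": "IRDAI-PH-3",
             "DPDP": "DPDP-PH-3"},
            iso_annex_a="A.5.26"),
    Control("UCL-04", "Data fiduciary register with consent withdrawal log",
            "Data fiduciary register", {"DPDP": "DPDP-PH-4"}, iso_annex_a="A.5.34"),
    Control("UCL-05", "Annual SEBI cyber audit certificate",
            "Cyber audit certificate and SEBI acknowledgement",
            {"SEBI_CSCRF": "CSCRF-PH-5"}),
]

# Constructed obligation inventories, one per regulator (what must be mapped).
OBLIGATIONS: Dict[str, List[str]] = {
    "RBI": ["MD-IT para 76", "RBI-PH-2", "RBI-PH-3", "RBI-PH-9"],
    "SEBI_CSCRF": ["CSCRF-PH-1", "CSCRF-PH-2", "CSCRF-PH-3", "CSCRF-PH-5"],
    "IRDAI": ["IRDAI-PH-1", "IRDAI-PH-2", "IRDAI-PH-3"],
    "DPDP": ["DPDP-PH-3", "DPDP-PH-4", "DPDP-PH-6"],
}


def coverage(library: List[Control],
             obligations: Dict[str, List[str]]) -> Dict[str, Tuple[float, List[str]]]:
    """Per regulator: fraction of obligations some control maps to, plus the
    unmapped references (the gap list the Day 0-30 step has to close)."""
    result = {}
    for reg, refs in obligations.items():
        mapped = {c.refs.get(reg) for c in library}
        missing = [o for o in refs if o not in mapped]
        result[reg] = (1 - len(missing) / len(refs) if refs else 1.0, missing)
    return result


def shared_evidence_ratio(library: List[Control]) -> float:
    """Share of controls whose artefact also evidences an ISO 27001 control
    (the metric the briefing targets at >= 65%)."""
    return sum(1 for c in library if c.iso_annex_a) / len(library)


def standalone_controls(library: List[Control]) -> List[str]:
    """Controls required by exactly one regulator: no shared artefact, so
    they need their own evidence stream."""
    return [c.control_id for c in library if len(c.regulators()) == 1]


def evidence_pack(library: List[Control], regulator: str) -> List[str]:
    """Artefacts to present to one regulator, de-duplicated, in library order."""
    pack: List[str] = []
    for c in library:
        if c.refs.get(regulator) and c.evidence_artefact not in pack:
            pack.append(c.evidence_artefact)
    return pack


if __name__ == "__main__":
    for reg, (rate, missing) in coverage(LIBRARY, OBLIGATIONS).items():
        print(f"{reg}: {rate:.0%} mapped, unmapped={missing}")
    print(f"shared with ISO 27001: {shared_evidence_ratio(LIBRARY):.0%}")
    print(f"standalone: {standalone_controls(LIBRARY)}")
```

The same record also drives the evidence-pack view: `evidence_pack(LIBRARY, "RBI")` lists only the artefacts RBI needs to see, which is the point of harmonising packs across supervisors rather than building one per regulator.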
Example metrics
Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:
- Unified control library coverage: 100% of RBI, SEBI CSCRF, IRDAI and DPDP Act obligations mapped within 45 days; ≥65% sharing a common evidence artefact with ISO 27001 controls.
- SEBI VAPT cadence: 6-monthly VAPT completed on time; ≥98% of critical findings remediated within 30 days.
- CERT-In breach notification SLA: 100% of reportable incidents notified within 6 hours of confirmation; zero late notifications.
- RBI CCMP test: board-approved CCMP tested annually; ≥2 tabletop or live exercises per year; findings closed within 60 days.
- SEBI cyber audit certificate: submitted by annual regulatory deadline; zero critical unresolved findings at submission.
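Two of the metrics above are pure clock arithmetic over logs the programme already keeps: the CERT-In 6-hour window measured from incident confirmation, and the SEBI CSCRF 30-day remediation target for critical VAPT findings. This added example (not the page's or MAST's code) computes both from constructed sample records, treating a reportable incident that was never notified as late and an open critical finding as breached only once its 30 days have elapsed. The incident and finding records, timestamps and the `as_of` reporting date are all constructed.

```python
"""Monthly SLA metrics: CERT-In 6-hour notification and SEBI CSCRF 30-day
critical-finding remediation.

Added example for this briefing; every record below is constructed sample
data, not a real incident or finding.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

IST = "+05:30"  # offset appended to the constructed timestamps


@dataclass
class Incident:
    incident_id: str
    reportable: bool                 # meets CERT-In / DPDP reporting criteria
    confirmed_at: datetime           # clock starts at confirmation
    cert_in_notified_at: Optional[datetime]  # None if never notified


@dataclass
class Finding:
    finding_id: str
    severity: str                    # "critical", "high", "medium", "low"
    reported_on: date                # date of the VAPT report
    remediated_on: Optional[date]    # None while still open


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s + IST)


# Constructed incident log for one reporting month.
INCIDENTS: List[Incident] = [
    Incident("INC-1", True, _ts("2024-07-01T10:00:00"), _ts("2024-07-01T14:30:00")),
    Incident("INC-2", True, _ts("2024-07-05T09:00:00"), _ts("2024-07-05T16:15:00")),
    Incident("INC-3", False, _ts("2024-07-08T11:00:00"), None),   # not reportable
    Incident("INC-4", True, _ts("2024-07-10T22:00:00"), None),    # never notified
]

# Constructed VAPT remediation tracker.
FINDINGS: List[Finding] = [
    Finding("VAPT-1", "critical", date(2024, 7, 1), date(2024, 7, 20)),
    Finding("VAPT-2", "critical", date(2024, 7, 1), date(2024, 8, 10)),
    Finding("VAPT-3", "high", date(2024, 7, 1), None),            # out of scope here
    Finding("VAPT-4", "critical", date(2024, 8, 15), None),       # open, inside window
    Finding("VAPT-5", "critical", date(2024, 7, 10), None),       # open, past window
]


def cert_in_notification_sla(incidents: List[Incident],
                             window_hours: int = 6) -> Tuple[float, List[str]]:
    """Return (on_time_rate, late_ids) over reportable incidents only.
    Silence counts as late: an incident never notified breaches the window."""
    window = timedelta(hours=window_hours)
    reportable = [i for i in incidents if i.reportable]
    late = [i.incident_id for i in reportable
            if i.cert_in_notified_at is None
            or i.cert_in_notified_at - i.confirmed_at > window]
    rate = 1 - len(late) / len(reportable) if reportable else 1.0
    return rate, late


def critical_remediation_status(findings: List[Finding], as_of: date,
                                sla_days: int = 30,
                                severity: str = "critical") -> Dict[str, List[str]]:
    """Bucket findings of one severity as met / breached / open_within_sla.
    Closed findings are judged on their close date; open ones on as_of."""
    sla = timedelta(days=sla_days)
    status: Dict[str, List[str]] = {"met": [], "breached": [], "open_within_sla": []}
    for f in findings:
        if f.severity != severity:
            continue
        if f.remediated_on is not None:
            bucket = "met" if f.remediated_on - f.reported_on <= sla else "breached"
        elif as_of - f.reported_on > sla:
            bucket = "breached"
        else:
            bucket = "open_within_sla"
        status[bucket].append(f.finding_id)
    return status


def remediation_rate(status: Dict[str, List[str]]) -> float:
    """Share of SLA-decided findings that met the target (open-within-window
    findings are undecided and excluded)."""
    decided = len(status["met"]) + len(status["breached"])
    return len(status["met"]) / decided if decided else 1.0


if __name__ == "__main__":
    rate, late = cert_in_notification_sla(INCIDENTS)
    print(f"CERT-In 6h SLA: {rate:.0%} on time, late={late}")
    st = critical_remediation_status(FINDINGS, as_of=date(2024, 8, 31))
    print(f"critical remediation: {st}, rate={remediation_rate(st):.0%}")
```

On this constructed month the critical remediation rate is 33%, well under the 98% target, and two of three reportable incidents missed the 6-hour window; both would go to the executive sponsor as adverse trends rather than sit in the VAPT tracker.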
The executive frame
For an executive sponsor, the decision behind this piece reduces to three questions: what changes in the next two quarters, what is the cost of not acting, and what is the minimum credible response?
Held against DoH-AD (ADHICS V2), DHA, MoH and CBUAE, SAMA, DFSA, FSRA-ADGM, CMA-KSA, the answer is rarely "do nothing" — but it is also rarely "rebuild the programme". The honest answer for most Regulatory (UAE/GCC) buyers is a sharply scoped uplift focused on the two indicators that move the most: supervisor satisfaction at last on-site / off-site review and time to assemble regulator evidence pack.
- What changes. The supervisory bar has moved on operating evidence, not on the control text itself.
- Cost of inaction. Findings carried into the next cycle compound; remediation in a regulator-driven timeframe costs 3–5× what proactive remediation costs.
- Minimum credible response. A 90-day uplift focused on the two indicators above, with a board-level commitment to the next review point.
Pitfalls we keep seeing
Across MAST Consulting Group's Regulatory (UAE/GCC) portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.
- Pattern: thematic-review responses prepared in the week of the visit.
- Pattern: no single source of truth across multiple supervisors.
- Pattern: evidence packs that are unique to each regulator instead of harmonised.
- Pattern: controls listed against the regulator but not operating consistently.
What good looks like, in every case: the same control evidenced inside the workflow it governs, not separately for the audit.
Tooling we actually reach for
MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Regulatory (UAE/GCC) engagements because the integrations are cheap and the evidence is defensible:
- evidence repository with regulator tagging
- data extracts from core systems on a fixed cadence
- a unified control framework (UCF) in a GRC tool or curated spreadsheet
Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
How MAST Consulting Group can help
MAST Consulting Group runs Regulatory (UAE/GCC) programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.
If anything in this briefing is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Regulatory (UAE/GCC) programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.