In terms of the Statement on Development and Regulatory Policy announced on 5th Dec 2019 on Baseline Cyber Security Controls for ATM Switch application service providers of RBI regulated entities, RBI has now come out with detailed guidelines in this regard with effect from December 31, 2019:
A number of RBI Regulated Entities (RREs) manage their ATM Switch ecosystem through shared services of third party ATM Switch Application Service Providers (ASPs). Since these service providers also have exposure to the payment system landscape, it is felt that some cyber security controls are required to be put in place by them. In view of this, the RREs shall ensure that the contract agreement signed between them and the third party ATM Switch ASP shall necessarily mandate the third party ATM Switch ASP to comply with the cyber security controls given in the Annex on an ongoing basis and to provide access to the RBI for on-site/off-site supervision. To this effect, the contract agreements shall be amended at the earliest or at the time of renewal, in any case not later than March 31, 2020. The list of prescribed controls is indicative but not exhaustive. It may be mentioned that these controls are applicable to the ASPs limited to the IT ecosystem (such as physical infrastructure, hardware, software, reconciliation system, network interfaces, security solutions, hardware security module, middleware, associated people, processes, systems, data, information, etc.) providing ATM switch services as well as any other type of payment system related services to the RREs.
The regulatory instructions issued from time to time in terms of circulars/advisories/alerts, as applicable to the ATM switch ecosystem, shall be shared with the ASPs for necessary compliance.
The full guidelines are set out in: Cyber Security controls for Third party ATM Switch Application Service Providers