Cyber Security Policy
Version 1.0.0 – March 2026
Flyhi Financial Services has created this policy document as mandated under the
RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices
(2024-2026).
1. Information & Cyber Security Policy (Prevention)
A. AWS Infrastructure (Loan Origination System)
Since our core system is on AWS, the policy adopts a "Shared Responsibility" model.
Identity & Access Management (IAM): Implement Zero Trust. No user
(including developers) has standing access. Use Multi-Factor Authentication
(MFA) for all console and CLI access.
Data Encryption: All customer PII (Personally Identifiable Information) must be
encrypted at rest (using AWS KMS) and in transit (TLS 1.3).
Micro-segmentation: Isolate your database in a private subnet with no direct
internet access. Use a Web Application Firewall (WAF) to block SQL injections
and DDoS attacks.
API Security: Ensure that any integration with credit bureaus or payment
gateways is authenticated via rotating tokens.
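One way to make the "no standing access without MFA" rule enforceable in AWS, as an added example that is not part of Flyhi's policy or any AWS-provided code: the IAM policy below (constructed, using the documented aws:MultiFactorAuthPresent condition key) denies every action except MFA enrolment when no factor was presented, and the accompanying check can be run during the half-yearly VAPT to confirm an account's policy still contains such a statement.

```python
"""Check whether an IAM policy document enforces MFA on every action.

Constructed example: ENFORCING_POLICY follows the standard AWS pattern of
denying everything except MFA self-enrolment when no MFA is present. It is
an illustration, not Flyhi's actual policy.
"""
import json

# Actions a user needs in order to enrol a device before they have MFA
MFA_SELF_SERVICE = {
    "iam:ListMFADevices", "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice", "iam:ResyncMFADevice",
    "iam:GetUser", "sts:GetSessionToken",
}

ENFORCING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllWithoutMFA",
        "Effect": "Deny",
        "NotAction": sorted(MFA_SELF_SERVICE),
        "Resource": "*",
        # BoolIfExists: also deny requests that carry no MFA context key at all
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
})

WEAK_POLICY = json.dumps({  # allow-only policy: nothing forces MFA
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
})


def enforces_mfa(policy_json: str) -> bool:
    """True if some Deny statement blocks all actions (or all but the
    self-service allowlist) whenever MFA is absent."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Deny":
            continue
        cond = s.get("Condition", {}).get("BoolIfExists", {})
        if str(cond.get("aws:MultiFactorAuthPresent", "")).lower() != "false":
            continue
        if s.get("Action") == "*":
            return True
        not_action = s.get("NotAction", [])
        if isinstance(not_action, str):
            not_action = [not_action]
        if not_action and set(not_action) <= MFA_SELF_SERVICE:
            return True
    return False
```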
B. Distribution Business (LSP & Corporate DSA)
Your lead generation through social media and email communication with bigger NBFCs
is a high-risk area for Social Engineering and Data Leakage.
Email Security: Implement DMARC, SPF, and DKIM to prevent email spoofing.
Large files containing customer data must be password-protected or shared via
secure SFTP/Portals, never as plain email attachments.
Lead Privacy: Social media lead data must be directly synced to a secure CRM
rather than sitting in unsecured Excel sheets on employee laptops.
LSP Compliance: As an LSP, you must ensure that your data handling aligns with
the bigger NBFC’s policy and the Digital Personal Data Protection (DPDP) Act
2023.
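As an added example (not from the original policy) covering the Email Security requirement above: the function below grades a domain's SPF, DKIM and DMARC TXT records for the weak settings that still let spoofed mail through, using constructed sample records for a placeholder domain flyhi.example.

```python
"""Grade SPF, DKIM and DMARC TXT records against the anti-spoofing intent
of the policy. Records are passed in as strings, so this runs offline."""
import re


def audit_email_auth(spf, dkim, dmarc):
    """Return a list of findings; an empty list means all three are enforcing."""
    findings = []
    # SPF: must exist and end in a hard fail so unauthorised senders are rejected
    if not spf or not spf.startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record published")
    elif "+all" in spf:
        findings.append("SPF: '+all' authorises every sender, record is useless")
    elif not spf.rstrip().endswith("-all"):
        findings.append("SPF: soft fail '~all' or missing qualifier; use '-all'")
    # DKIM: the selector record must carry a public key or signatures cannot verify
    if not dkim or "v=DKIM1" not in dkim:
        findings.append("DKIM: selector record missing or malformed")
    elif not re.search(r"\bp=[A-Za-z0-9+/=]+", dkim):
        findings.append("DKIM: public key (p=) is empty")
    # DMARC: p=none only monitors; reject/quarantine actually blocks spoofing
    if not dmarc or not dmarc.startswith("v=DMARC1"):
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc.split(";") if "=" in kv)
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={tags.get('p', 'missing')} does not enforce; use reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, spoofing attempts go unreported")
    return findings


# Constructed sample records for the placeholder domain flyhi.example
WEAK = dict(
    spf="v=spf1 include:_spf.example.net ~all",
    dkim=None,
    dmarc="v=DMARC1; p=none",
)
HARDENED = dict(
    spf="v=spf1 include:_spf.example.net -all",
    dkim="v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDERKEY",
    dmarc="v=DMARC1; p=reject; rua=mailto:dmarc-reports@flyhi.example; adkim=s; aspf=s",
)
```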
2. Cyber Attack Action Plan (Detection & Response)
When a "Red Alert" is triggered (e.g., unauthorized access, ransomware, or data
breach), the following Cyber Crisis Management Plan (CCMP) kicks in:
Phase: Action Steps
1. Identification: Security alerts from AWS or manual reports of "phishing" are
analysed to confirm a breach.
2. Containment (Immediate): Isolate the affected AWS instances. Revoke
compromised IAM credentials. Change passwords for all admin accounts.
3. Eradication: Identify the root cause (e.g., a vulnerable API or a leaked email
password). Remove the malware or close the backdoor.
4. Recovery: Restore data from the most recent "clean" backup (AWS Snapshot).
Conduct a vulnerability scan before bringing systems back online.
5. Reporting (Mandatory): Notify the RBI within 6 hours of detecting a "material"
cyber security incident.
3. Roles and Responsibilities
Role: Responsibility
Board of Directors: Ultimate accountability for the Cyber Security Policy and
approving the annual IT budget.
IT Strategy Committee: Reviews the effectiveness of security controls and ensures
alignment with business goals.
Senior Technology Officer: Drives the execution of the policy, manages the SOC
(Security Operations Center), and leads the response during an attack.
Cloud Ops / IT Team: Manages AWS patches and firewall rules, and ensures 99.9%
uptime of the Loan Origination System.
LSP Compliance Officer: Ensures that social media leads and email communications
comply with RBI’s Digital Lending Guidelines.
All Employees: Responsible for "Cyber Hygiene"—reporting suspicious emails and
never sharing credentials.
4. Specic Action Items for Flyhi
1. VAPT: Conduct a formal Vulnerability Assessment and Penetration Testing
(VAPT) on your AWS-hosted Loan Origination System at least once every six
months.
2. Audit Trails: Maintain logs for at least 3 years to satisfy RBI requirements for
forensic audits.
3. Third-party Risk: For your distribution business, perform a yearly security audit
of the tools you use for lead generation (CRMs, Email Marketing tools).
RBI Cyber Security Incident Reporting (CSIR) Template
To: cybersecuritynbfc@rbi.org.in
Subject: Cyber Security Incident Report - [Flyhi Financial Services Ltd] - [Date] -
[Initial/Update/Final]
1. Basic Information
Name of the NBFC: Flyhi Financial Services Ltd
Registration No. (RBI): [Insert RBI Registration Number]
Date and Time of Detection: [DD/MM/YYYY | HH:MM]
Reporting Status: ☐ New Incident | ☐ Update to reported incident (Ref No: _______)
Name & Designation of Reporting Officer: [e.g., CISO / Head of IT]
Contact Details: [Email ID & Mobile Number]
2. Details of the Incident
Type of Attack:
☐ Ransomware / Malware
☐ Unauthorized Access / Data Breach
☐ Phishing / Social Engineering (Common in Distribution Business)
☐ Denial of Service (DoS)
☐ Others: [Describe]
Systems Affected:
☐ AWS Loan Origination System (LOS)
☐ Lead Generation CRM / Social Media Accounts
☐ Corporate Email Systems
Data Impact:
Has customer PII (Aadhaar, PAN, Bank details) been compromised? [Yes/No]
Approximate number of customers affected: [Number]
3. Impact Assessment
Operational Impact: (e.g., Loan processing at a standstill, AWS instances
isolated)
Financial Impact: (e.g., Potential fraudulent loan disbursements, ransom
demands)
Regulatory Impact: (e.g., Breach of Digital Lending Guidelines/DPDP Act)
4. Technical Analysis & Root Cause (RCA)
Source of Attack: [e.g., Malicious email attachment, Vulnerable AWS API,
Compromised Lead Portal]
Current Status: ☐ Contained | ☐ Ongoing | ☐ Resolved
Chronology of Events:
1. [Time]: Suspicious activity noticed in AWS GuardDuty.
2. [Time]: IT Team isolated affected instances.
3. [Time]: CISO informed; Incident Response Team (IRT) activated.
5. Remedial Action Plan
Steps Taken: [e.g., Resetting IAM credentials, Patching OS, Restoring from AWS
Snapshot]
Timeline for Full Recovery: [Estimated Date/Time]
Communication Strategy: (Have affected customers or partner NBFCs been
informed?)
6. Declaration
"We hereby certify that the information provided above is true to the best of our
knowledge and the incident has been escalated to the Board-level IT Strategy
Committee."
Signature: __________________________
Date: [DD/MM/YYYY]
For Flyhi Financial Services, the sales and distribution team is your "human perimeter."
Since they handle sensitive customer leads via social media and email, they are the
primary targets for phishing and social engineering.
Under the RBI 2024-2026 IT Master Directions, NBFCs must ensure that even non-
technical staff follow "Cyber Hygiene" to prevent data leakage.
Sales Team Cyber Hygiene Checklist
1. Lead & Data Handling (The "Golden Rules")
No Personal Storage: Never download lead lists or customer KYC documents to
personal laptops or mobile galleries. Use the company-authorized CRM/AWS
Portal only.
The 24-Hour Rule: If you must temporarily download a file (e.g., for a bank
upload), delete it and clear your "Recycle Bin" within 24 hours.
Secure Sharing: Never send customer PAN/Aadhaar details in the body of an
email. Always use password-protected PDFs or secure links provided by the
partner NBFC.
2. Email & Communication Vigilance
Check the "From" Address: Scammers mimic partner NBFCs (e.g.,
updates@hdfc-loans-service.in instead of updates@hdfcbank.com). Always
hover over the sender's name to see the real email ID.
Beware of "Urgent" Requests: Phishing often uses fake pressure (e.g., "Urgent:
Your lead portal access will be revoked in 1 hour. Click here to verify."). Verify via
a phone call before clicking.
Link Hygiene: Do not click links in emails from unknown sources. If an email
asks you to "Login," manually type the URL into your browser instead of clicking
the link provided.
3. Device & App Security
MFA is Mandatory: Ensure Multi-Factor Authentication (OTP or Authenticator
App) is active on your Corporate Email, CRM, and Social Media Ad accounts.
Public Wi-Fi Ban: Never access the Loan Origination System (LOS) or lead data
from public Wi-Fi (airports, cafes). Use a mobile hotspot or company VPN.
App Permissions: Regularly check your phone’s app permissions. Ensure no
"Flashlight" or "Calculator" app has access to your contacts or messages.
4. Social Media Ad Account Safety
Limit Admin Roles: Only senior managers should have "Admin" access to
Facebook/LinkedIn Ad Managers. Sales executives should have "Advertiser" or
"Lead Access" roles only.
Oicial Business Manager: Ensure all lead-generation forms are tied to a
Veried Business Manager account to prevent "Form Hijacking."
󺡦󺡧 "Red Flag" Identication Guide
Train your team to spot these 3 common 2026 phishing trends:
1. The "Fake Partner" Lure: An email claiming to be from a "Bigger NBFC" asking
you to test a new "API Integration" by entering your LOS credentials.
2. The "QR Code" Scam: Receiving a QR code via WhatsApp to "Quickly upload
customer documents." Scanning unknown QR codes can grant attackers access
to your device session.
3. The "Deepfake" Voice: A call from a "Senior Director" at Flyhi (sounding exactly
like them) asking you to bypass a security check for a "VIP Loan." Always verify
via a secondary internal channel.
Monthly Compliance Task for Sales Leads
"I, [Name], confirm that I have cleared my local 'Downloads' folder of all customer
PII and have changed my portal passwords this month."
Since Flyhi Financial Services Ltd acts as an LSP/DSA for larger NBFCs, you are
handling their "Product IP" while they are handling your "Customer Leads." This
agreement ensures that your distribution partners are legally bound to the same high
security standards you've set for your AWS-hosted education loan business.
NON-DISCLOSURE & DATA SECURITY AGREEMENT (NDA)
This Agreement is entered into on this [Date] ("Effective Date"), by and between:
Flyhi Financial Services Ltd, an RBI-registered NBFC, having its registered office at
[Address] (hereinafter referred to as the "Disclosing Party");
AND
[Partner Name/Entity], a [Company/LLP/Proprietorship], having its registered office at
[Address] (hereinafter referred to as the "Receiving Party").
1. Definition of Confidential Information
"Confidential Information" includes, but is not limited to:
Customer PII: Names, Aadhaar/PAN details, bank statements, and credit scores
of loan applicants.
Business Intelligence: Lead generation strategies, social media marketing data,
and conversion metrics.
Technical Data: Any access credentials to Flyhi’s Loan Origination System (LOS)
or partner portals.
2. Obligations of the Receiving Party
The Receiving Party agrees to:
Purpose-Only Use: Use the data solely for processing loan applications through
Flyhi’s authorized channels.
Standard of Care: Maintain security controls no less stringent than those
required by the RBI Master Direction on IT Governance (2024-26).
No Redirection: Not divert or "side-sell" leads generated through Flyhi’s
marketing efforts to any other financial institution.
3. Cybersecurity & Data Protection Requirements
Encryption: All shared Customer PII must be encrypted at rest and in transit.
Access Control: The Receiving Party shall implement Multi-Factor
Authentication (MFA) for any system where Flyhi’s data is stored.
Data Minimization: Only employees with a "need-to-know" basis shall have
access to the lead data.
Disposal: Upon rejection or disbursal of a loan (or termination of this
agreement), all local copies of customer documents must be securely deleted
within 30 days.
4. Breach Notification
In the event of a suspected data leak or cyber-attack, the Receiving Party must notify
Flyhi’s CISO within 3 hours of discovery to allow Flyhi to meet its 6-hour RBI reporting
mandate.
5. Audit Rights
Flyhi Financial Services reserves the right to conduct (or appoint a third party to
conduct) a security audit of the Receiving Party’s systems to ensure compliance with
this agreement.
6. Indemnity & Penalties
The Receiving Party shall indemnify Flyhi against any regulatory fines (by RBI), legal
costs, or reputational damage arising from a data breach caused by the Receiving
Party’s negligence.
For Flyhi Financial Services Ltd Authorized Signatory: ____________________
Name:
Designation:
For [Partner Entity Name] Authorized Signatory: ____________________
Name:
Designation: