
The NBFC That Satisfied the Auditor and Still Got Breached Had One Thing in Common With Yours.

Updated: 11 May 2026


The audit report is clean. The board presentation on cybersecurity posture is confident. The MFA policy is documented. The assessor found no critical findings. 

Six weeks later, a breach investigation starts. 

The investigation finds something the audit was not designed to find. Not a missing policy. Not an incomplete framework. An operational gap between what the policy stated and what the access register actually showed. 

This is the difference between what audits find and what breach investigations find.

What the Audit Checks and What the Breach Reveals 

A cybersecurity audit finds what the framework asks for. A breach investigation finds what was actually there. 

The audit asked whether an MFA policy existed. It did. The investigation found 23 vendor accounts not covered by the policy with active access to the loan management system. The audit asked whether log retention was 180 days. The policy said yes. The investigation found that the MFA platform's default retention window covered 30 days, not 180, because nobody had configured log export to a SIEM. The audit asked whether privileged access was controlled. The documentation showed it was. The investigation found two domain administrator accounts belonging to employees who had left eight months earlier. 

The most common post-breach finding in NBFC environments is not missing MFA. It is MFA deployed without the credential audit that should have preceded it: dormant vendor accounts, shared credentials, and authentication bypasses that were never logged. 

Three Frameworks, One Evidence Standard 

The RBI IT Governance Master Direction requires MFA for employee access to critical systems and documented access reviews. CERT-In CISG-2025-02 requires 180-day authentication logs stored in India, available for export during the audit window. DPDPA 2023 requires reasonable security safeguards for personal data, with penalties up to Rs 250 crore per breach instance.

All three frameworks will be consulted in a post-breach investigation. The evidence they require is the same evidence a correctly executed pre-breach deployment should have built. 

What Proactive Builds that Auditors Typically Do Not Check 

In Proactive's Cisco Duo deployments across NBFC environments in Mumbai, Gurugram, and Bengaluru, the credential audit is the first deliverable. Every account, every access scope, every vendor, every last session date. Excess access is removed before the Cisco Duo configuration begins. 

Authentication logs feed to a SIEM from Day 1. The bypass code register is maintained from the first bypass issued. The vendor access register is a living document, not reconstructed from memory when the investigation starts. 

Cisco Duo, Cisco's identity security platform, enforces named individual MFA across loan origination platforms, collections systems, and third-party vendor access, with a Mumbai data centre confirming India data residency. 

Proactive is a Cisco Preferred Security Partner deploying Cisco Duo for Indian NBFCs: credential audits, RBI and CERT-In compliant log architecture, and breach-ready evidence packages across Mumbai, Gurugram, and Bengaluru. 

The audit found nothing. The breach found everything the audit was not looking for. 

Talk to a Proactive Cisco Duo specialist to avoid this. Write to [email protected]
