Updated: 11 May 2026
The loan origination platform processed 4,200 applications today. Each contains income data, identity documents, bank statement analysis, and credit bureau pulls. By midnight, that data sits in a system twelve people can access: three who joined in the last six months, two on notice period, and one vendor onboarded for an integration project that completed in March.
Nobody has reviewed the access list since Q3 last year.
Fast-growing NBFCs across Mumbai, Gurugram, and Bengaluru share this pattern. The product scaled. The compliance team scaled. The access governance did not.
NBFCs in India are subject to RBI IT Governance Master Direction requirements for MFA on critical information systems: loan origination platforms, collections systems, and customer data repositories.
Under the DPDPA 2023, NBFCs processing personal financial data must implement reasonable security safeguards. In 2026, that standard includes MFA for every system with access to customer data. The penalty for failing that standard after a breach is up to Rs 250 crore per instance.
CERT-In CISG-2025-02 requires annual cybersecurity audits with MFA for all remote access and 180-day authentication logs stored in India.
Three frameworks. All asking the same question: who accessed that loan data, and can you prove it was authorised?
Fast-growing NBFCs build their authentication architecture for the size they were, not the size they became. The collections team lead has system admin rights from when everyone wore every hat. The third-party analytics vendor has read access to the full customer database from an integration never scoped down after go-live.
In Proactive's Cisco Duo deployments across NBFC environments in Mumbai, Gurugram, and Bengaluru, the credential audit consistently finds access rights that outlasted their purpose and personal data exposure that a DPDPA investigation would surface immediately.
Cisco Duo, Cisco's identity security platform, enforces named-individual MFA across loan origination platforms, core lending systems, collections applications, and third-party vendor access, without requiring those systems to be rebuilt. Authentication logs are individually attributed, timestamped, and exportable, satisfying RBI, CERT-In, and DPDPA requirements from a single platform with a Mumbai data centre confirming India data residency. The access list is reviewed in the credential audit. Excess access is removed. The MFA deployment covers what remains.
Proactive is a Cisco Preferred Security Partner deploying Cisco Duo for Indian NBFC cybersecurity compliance: loan origination platforms, collections systems, third-party vendor access, and RBI-ready authentication logs across Mumbai, Gurugram, and Bengaluru.
Thousands of customers. Their data is in your system tonight.
Who has access to it?
Talk to a Proactive Cisco Duo specialist. Write to [email protected].