Updated: 30 Apr 2026
The examination preparation meeting covers the usual ground. The IT security policy is updated and signed. The network architecture diagram reflects the current state. The MFA deployment summary shows coverage percentages across major systems. The presentation to the examination team is clean and confident.
Then the examiner asks for the logs.
Specifically: authentication logs for privileged access to the core banking system, covering the last 180 days. Individually attributed. Timestamped. Showing the factor used for each access event.
The room goes quiet in a particular way.
The MFA deployment summary showed 94% coverage. The logs show something more granular. The branch manager account that was supposed to migrate to named individual authentication in Phase 3 was not. The treasury system logs show authentication events with no second factor recorded for a two-week window in December, corresponding to a helpdesk bypass code that was never closed. The vendor access logs show 23 remote sessions from an integrator whose contract ended in September.
None of this appears in the policy document. The policy says MFA is mandatory. The logs say something else happened.
For Indian banks, whether headquartered in Mumbai, Delhi NCR, or any regional centre, RBI cybersecurity examinations have shifted decisively from policy review to evidence review. The examiner is not questioning intent. They are examining the operation.
The RBI Authentication Mechanisms Directions 2025, effective 1 April 2026, mandate two-factor authentication for all digital payment transactions. The RBI IT Governance Master Direction independently requires MFA for all employee access to critical information systems, including core banking, treasury, and internet banking back-ends. CERT-In CISG-2025-02, effective 25 July 2025, requires 180-day retention for authentication logs, stored in India, available for export during the audit window.
The seven-element MFA evidence package required for RBI examination and CERT-In audit readiness consists of:
The bypass code log is the most frequently absent document in bank MFA deployments. It is consistently among the first items a prepared examiner requests.
Cisco Duo's authentication logs provide individually attributed, timestamped records of every access event: factor used, device type, location, and outcome. The logs are exportable for SIEM integration and available for RBI examination without premium tier upgrades. Cisco Duo for Indian banks satisfies RBI Authentication Directions, CERT-In log retention, and SEBI CSCRF privileged access requirements from a single platform, with a Mumbai data centre confirming India data residency.
The evidence package is built from Day 1 of the deployment, not assembled in the fortnight before the examination notice. Log exports feed to a SIEM from the moment the first system goes live. The vendor access register is maintained as a living document. The bypass code log is active from the first bypass issued.
Proactive is a Cisco Preferred Security Partner that deploys Cisco Duo for Indian banks, NBFCs, and payment providers - including RBI examination evidence package preparation and CERT-In audit support across banking environments in Mumbai, Delhi NCR, and Bengaluru.
The examination conversation is easier when the evidence was built for it.