ICICI Bank’s enterprise risk management framework covers cyber risks and effective cybersecurity governance. Management oversight of cybersecurity is exercised across levels, with the overall responsibility entrusted to the Board of Directors. A dedicated team for cyber/information risk management helps the Bank to manage evolving cyber risks, while its Information Security Group (ISG) provides regular updates to the Board, which ensures oversight of cybersecurity. The Bank’s Data Centre and Security Operations Centre are ISO 27001-certified (ISO 27001 is an international standard for information security management).
The Ministry of Electronics and IT (MeitY) has declared the IT resources of ICICI Bank as critical information infrastructure under Section 70 of the IT Act, 2000.
A 24x7 Security Operations Centre regularly monitors and assesses the Bank’s information technology systems. A Data Leakage and Loss Prevention system, with data protection rules for sensitive data exposure from the Bank’s endpoints, emails and web gateways, further supports the Bank’s data protection efforts.
A robust Information and Cybersecurity Governance framework aids the Bank in mitigating cybersecurity threats. The Bank’s Executive Committees, comprising members from across functions, have clear terms of reference with respect to cybersecurity. The IT Strategy Committee takes regular updates on their proceedings.
The Bank maintains a comprehensive suite of policies including the Information Security Policy, Cyber Security Policy, and Information Security Standards and Procedures which are based on global and domestic regulatory frameworks and industry standards, including: RBI Cyber Security Framework, NCIIPC Guidelines for Protection of Critical Information Infrastructure, FFIEC Cybersecurity Assessment Tool, SEBI Cyber Security and Resilience Framework, IRDA Guidelines on Information and Cyber Security, Framework for Reporting of Unusual Cyber Security Incidents, NIST Cybersecurity Framework. In jurisdictions outside India, the Bank also complies with relevant local regulatory requirements.
The Bank uses various Key Risk Indicators (KRIs) and dashboards to assess its system stability, continuity and availability, and network uptime. It also follows industry best practices, such as those of the National Institute of Standards and Technology (NIST), and the relevant regulatory requirements of some other jurisdictions in which the Bank operates. It additionally conducts periodic internal and external audits and incorporates the inputs of these assessments into its cyber systems and processes.
Through robust governance, proactive risk management, and a culture of security awareness, the Bank aims to safeguard stakeholder interests and reinforce resilience in an increasingly digital environment.
The Bank places strong emphasis on continuous preparedness to counter evolving cyber threats. As part of this commitment, the Bank conducts and actively participates in a range of cybersecurity attack simulation exercises, including:
These exercises are integral to evaluating the Bank’s detection and response capabilities, as well as to reinforcing a culture of cyber vigilance across the organisation.
To ensure operational resilience, the Bank regularly conducts Business Continuity Planning (BCP) and Disaster Recovery (DR) drills. These exercises assess the Bank’s ability to maintain critical business functions and minimise disruption to people, processes and infrastructure during unforeseen events. The effectiveness of the DR framework is periodically validated against defined Recovery Time Objectives (RTOs).
With rapid digitisation and the increasing sophistication of cyber threats, timely response to incidents is crucial. The Bank has established a dedicated Cybersecurity Incident Response Team (CSIRT) that operates in line with a well-defined Incident Response Plan (IRP).
The CSIRT is equipped to respond swiftly and effectively to security incidents, limiting potential impact and ensuring the continuity of critical services.
The Bank remains committed to safeguarding customer trust. As such, data protection is treated with the same priority as the quality of banking services delivered. Proactive awareness campaigns are regularly conducted to educate customers on secure practices when using digital channels.
There were no material incidents of security breaches or data loss during fiscal 2025.