On August 20, 2024, SEBI introduced a comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) aimed at enhancing the protection of IT infrastructure and data across SEBI-regulated entities (REs). This circular is designed to ensure uniformity in cybersecurity measures and strengthen the mechanisms to address cyber risks and incidents.
This circular is applicable to a wide range of SEBI-regulated entities (REs), including:
Alternative Investment Funds (AIFs)
Mutual Funds (MFs) / Asset Management Companies (AMCs)
Portfolio Managers
Stock Brokers
Clearing Corporations
Custodians
Venture Capital Funds (VCFs)
Credit Rating Agencies (CRAs)
KYC Registration Agencies (KRAs)
And others within SEBI’s regulatory scope.
The detailed list of entities covered can be found in the annexures to the circular.
The Cybersecurity and Cyber Resilience Framework is based on five key cyber resilience goals: Anticipate, Withstand, Contain, Recover, and Evolve. These goals guide the design and implementation of cybersecurity measures to counteract and recover from cyber incidents.
The framework is structured into four parts:
Objectives and Standards: Definitions, compliance metrics, and standards to be followed.
Guidelines: Specific actions to achieve desired outcomes in cyber resilience, with mandatory guidelines highlighted.
Compliance Formats: Standardized formats for reporting and submission.
Annexures and References: Supporting materials, audit guidelines, and tools for compliance.
The Cybersecurity and Cyber Resilience Framework introduces stringent cybersecurity measures:
Cyber Resilience Goals: Focus on preemptive preparedness, response, and recovery from cyberattacks.
Risk Management: Entities must establish a cyber risk management framework.
Audit and Testing: Regular Vulnerability Assessment and Penetration Testing (VAPT), mandatory ISO 27001 certification for larger entities, and red teaming exercises for specific categories of REs.
Security Operations Centers (SOC): Entities must implement security monitoring via their own SOC, group SOC, or a third-party SOC. NSE and BSE are required to set up a Market SOC to assist smaller REs.
To allow REs adequate time to comply with the new standards, SEBI has provided a phased implementation approach:
For REs with existing frameworks: Cybersecurity and Cyber Resilience Framework compliance is expected by January 1, 2025.
For newly regulated entities: The deadline for compliance is April 1, 2025.
To align with the new Cybersecurity and Cyber Resilience Framework requirements, REs should:
Evaluate Current Cybersecurity Measures: Conduct a gap analysis to identify areas where existing systems fall short of the new standards.
Establish or Strengthen SOC: Ensure that appropriate SOC mechanisms are in place, either in-house or via third-party services.
Implement VAPT and Audit Processes: Schedule regular cybersecurity audits and tests to ensure compliance with CSCRF’s mandatory guidelines.
Train and Educate Employees: Develop awareness programs to foster cybersecurity best practices across the organization.
Prepare for Reporting Requirements: Set up internal systems to streamline the reporting of compliance using the standardized formats provided by SEBI.
SEBI’s Cybersecurity and Cyber Resilience Framework is a vital step towards bolstering cybersecurity across the Indian securities market. By aligning with this framework, SEBI-regulated entities can significantly enhance their resilience against cyber threats while ensuring the safety and integrity of their operations. Organizations should prioritize implementation to meet the upcoming deadlines and protect their critical IT infrastructure.
The CSCRF circular includes a detailed set of annexures designed to provide further guidance on various aspects of cybersecurity and cyber resilience. These annexures are critical for understanding the framework’s full scope and ensuring that organizations can comply effectively.
Annexure-A: VAPT Report Format
Annexure-B: Cyber Audit Report Format
Annexure-C: Recovery Plan Template (Reference Guide)
Annexure-D: Audit Guidelines
Annexure-E: Scenario-based Cyber Resilience Testing
Annexure-F: Guidelines on Outsourcing of Activities
Annexure-G: Application Authentication Security
Annexure-H: Data Security on Customer Facing Applications
Annexure-I: Data Transport Security
Annexure-J: Framework for Adoption of Cloud Services
Annexure-K: Cyber Capability Index (CCI)
Annexure-L: VAPT Scope
Annexure-M: Cyber-SOC Framework for MIIs
Annexure-N: Functional Efficacy of SOC
Annexure-O: Classification and Handling of Cybersecurity Incidents
Annexure-P: Reporting Format for Self-certification REs
These annexures provide detailed formats, templates, and guidelines that regulated entities should follow for compliance with the CSCRF.
NOTE: If you would like to download the “SEBI CSCRF Audit Sample Reports”, you may reach out to us here.