On August 20, 2024, SEBI introduced a comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) aimed at enhancing the protection of IT infrastructure and data across SEBI-regulated entities (REs). This circular is designed to ensure uniformity in cybersecurity measures and strengthen the mechanisms to address cyber risks and incidents.

The Cyber Capability Index (CCI) is a framework created to assess and quantify the cybersecurity preparedness and resilience of Market Infrastructure Institutions (MIIs) and Qualified Regulated Entities (REs). Its goal is to provide a standardized measurement of cybersecurity maturity and to ensure these entities are able to withstand, contain, and recover from cyber threats effectively.

Applicability

  • Market Infrastructure Institutions (MIIs) such as stock exchanges, clearing corporations, and depositories must conduct third-party assessments of their cybersecurity resilience on a half-yearly basis.

  • Qualified Regulated Entities (REs) must perform self-assessments annually.

Both types of entity are responsible for reporting their Cyber Capability Index (CCI) score to the Securities and Exchange Board of India (SEBI).

Data Inputs Required

The CCI is calculated using 23 parameters, each assigned a specific weightage. These parameters cover various aspects of cybersecurity, including:

  1. Security Budget Allocation: Proportion of the organization’s total IT budget devoted to cybersecurity.

  2. Vulnerability Management: Percentage of identified vulnerabilities that have been mitigated within a specific timeframe.

  3. Implementation of SOC Technologies: Coverage of the organization’s IT assets with Security Operations Center (SOC) technologies.

  4. Third-party Risk Management: Evaluation of the security measures employed by third-party providers.

Evidence of implementation must be submitted to SEBI when requested, and for MIIs, evidence must be verified by an auditor during third-party assessments.

Calculation Methodology

  • Each of the 23 parameters (mentioned in Annexure-K) is measured and assigned a score based on the level of compliance and effectiveness. These scores are then weighted according to their importance.

  • The final CCI score is calculated as the weighted average of the scores for each parameter, and entities are categorized based on their maturity:

SEBI Cyber Capability Maturity Index (CCI)

This scoring system provides a clear benchmark for organizations to understand their current level of cyber resilience and where improvements are needed.

Reporting and Submission

Entities are required to compile their CCI report in a standard format and submit it periodically. Additionally, they are encouraged to develop automated tools and dashboards for real-time monitoring and reporting of their CCI scores, particularly for cyber audits and inspections.

The SEBI CCI framework ultimately helps MIIs and Qualified REs monitor, improve, and ensure that their cybersecurity measures align with industry standards and regulatory expectations.


Copyright © 2024 Seconize Technologies Pvt Ltd. All rights reserved.