SEBI Framework for Adoption of Cloud Services

Introduction

The Securities and Exchange Board of India (SEBI) has released a comprehensive framework for the adoption of cloud services by SEBI-regulated entities (REs)[1]. This framework aims to provide baseline security standards, ensure compliance with legal and regulatory requirements, and manage the unique risks associated with cloud computing.

Applicability

This framework is applicable to various entities regulated by SEBI, including:

• Stock Exchanges

• Clearing Corporations

• Depositories

• Stock Brokers

• Depository Participants

• Asset Management Companies (AMCs) and Mutual Funds

• Qualified Registrars to an Issue and Share Transfer Agents

• KYC Registration Agencies

Highlights of the Framework

1. Governance, Risk, and Compliance (GRC)

• Establishes a governance model approved by the board.

• Details cloud adoption, types of services, and compliance measures.

• Emphasizes risk management and thorough risk assessments.

• Assigns clear roles and responsibilities across the organization.

• Implements a robust grievance redressal mechanism.

2. Selection of Cloud Service Providers (CSPs)

• Ensures data storage/processing within MeitY-empaneled CSPs’ data centers.

• Requires CSPs to comply with SEBI’s security controls, contractual and regulatory obligations, and business continuity plans.

3. Data Ownership and Localization

• Maintains complete ownership of data, encryption keys, and logs by REs.

• Mandates data localization within the legal boundaries of India.

• Ensures visibility and access to data by REs and SEBI at all times.

4. Responsibility of the Regulated Entity

• Holds REs accountable for all aspects related to cloud services.

• Requires explicit delineation of responsibilities between REs and CSPs.

• Ensures no “joint/shared ownership” of any function or task.

5. Due Diligence by the Regulated Entity

• Conducts thorough evaluations and risk assessments before cloud adoption.

• Ensures CSPs’ financial soundness, security capabilities, and compliance with legal and regulatory standards.

6. Security Controls

• Implements comprehensive security controls, including vulnerability management, patch management, incident management, and secure user management.

• Ensures data encryption at all lifecycle stages and secure key management.

• Monitors cloud deployments continuously to maintain compliance.

7. Contractual and Regulatory Obligations

• Establishes clear and enforceable agreements with CSPs.

• Ensures REs retain control over cloud resources and can meet legal and regulatory obligations.

• Allows SEBI and other agencies to conduct audits and inspections of CSP resources.

8. Business Continuity Planning (BCP) and Disaster Recovery

• Requires REs to have robust BCP and disaster recovery plans.

• Ensures cloud deployments are resilient and can recover from disruptions quickly.

9. Concentration Risk Management

• Manages risks associated with CSP concentration.

• Diversifies cloud service providers to mitigate potential risks.

Conclusion

The SEBI framework for cloud adoption provides a structured approach to managing cloud services, ensuring security, compliance, and risk management. It is essential for SEBI-regulated entities to adhere to this framework to leverage cloud computing benefits while safeguarding their operations and data.

Reference

https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html