SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) Circular

Introduction:

On August 20, 2024, SEBI introduced a comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) aimed at enhancing the protection of IT infrastructure and data across SEBI-regulated entities (REs). This circular is designed to ensure uniformity in cybersecurity measures and strengthen the mechanisms to address cyber risks and incidents.

Applicability:

This circular is applicable to a wide range of SEBI-regulated entities (REs), including:

• Alternative Investment Funds (AIFs)

• Mutual Funds (MFs) / Asset Management Companies (AMCs)

• Portfolio Managers

• Stock Brokers

• Clearing Corporations

• Custodians

• Venture Capital Funds (VCFs)

• Credit Rating Agencies (CRAs)

• KYC Registration Agencies (KRAs)

• And others within SEBI’s regulatory scope.

The detailed list of entities covered can be found in the annexures to the circular.

Framework Overview:

CSCRF is based on five key cybersecurity resilience goals: Anticipate, Withstand, Contain, Recover, and Evolve. These goals guide the design and implementation of cybersecurity measures to counteract and recover from cyber incidents.

The framework is structured into four parts:

1. Objectives and Standards: Definitions, compliance metrics, and standards to be followed.

2. Guidelines: Specific actions to achieve desired outcomes in cyber resilience, with mandatory guidelines highlighted.

3. Compliance Formats: Standardized formats for reporting and submission.

4. Annexures and References: Supporting materials, audit guidelines, and tools for compliance.

Key Standards and Compliance:

The CSCRF introduces stringent cybersecurity measures:

• Cyber Resilience Goals: Focus on preemptive preparedness, response, and recovery from cyberattacks.

• Risk Management: Entities must establish a cyber risk management framework.

• Audit and Testing: Regular Vulnerability Assessment and Penetration Testing (VAPT), mandatory ISO 27001 certification for larger entities, and red teaming exercises for specific categories of REs.

• Security Operations Centers (SOC): Entities must implement security monitoring via their own SOC, group SOC, or a third-party SOC. NSE and BSE are required to set up a Market SOC to assist smaller REs.

Implementation Timeline:

To allow REs adequate time to comply with the new standards, SEBI has provided a phased implementation approach:

• For REs with existing frameworks: CSCRF compliance is expected by January 1, 2025.

• For newly regulated entities: The deadline for compliance is April 1, 2025.

How Organizations Can Prepare:

To align with the new CSCRF requirements, REs should:

1. Evaluate Current Cybersecurity Measures: Conduct a gap analysis to identify areas where existing systems fall short of the new standards.

2. Establish or Strengthen SOC: Ensure that appropriate SOC mechanisms are in place, either in-house or via third-party services.

3. Implement VAPT and Audit Processes: Schedule regular cybersecurity audits and tests to ensure compliance with CSCRF’s mandatory guidelines.

4. Train and Educate Employees: Develop awareness programs to foster cybersecurity best practices across the organization.

5. Prepare for Reporting Requirements: Set up internal systems to streamline the reporting of compliance using the standardized formats provided by SEBI.

Conclusion:

SEBI’s CSCRF is a vital step towards bolstering cybersecurity across the Indian securities market. By aligning with this framework, SEBI-regulated entities can significantly enhance their resilience against cyber threats while ensuring the safety and integrity of their operations. Organizations should prioritize implementation to meet the upcoming deadlines and protect their critical IT infrastructure.

Annexures List:

The CSCRF circular includes a detailed set of annexures designed to provide further guidance on various aspects of cybersecurity and cyber resilience. These annexures are critical for understanding the framework’s full scope and ensuring that organizations can comply effectively.

1. Annexure-A: VAPT Report Format

2. Annexure-B: Cyber Audit Report Format

3. Annexure-C: Recovery Plan Template (Reference Guide)

4. Annexure-D: Audit Guidelines

5. Annexure-E: Scenario-based Cyber Resilience Testing

6. Annexure-F: Guidelines on Outsourcing of Activities

7. Annexure-G: Application Authentication Security

8. Annexure-H: Data Security on Customer Facing Applications

9. Annexure-I: Data Transport Security

10. Annexure-J: Framework for Adoption of Cloud Services

11. Annexure-K: Cyber Capability Index (CCI)

12. Annexure-L: VAPT Scope

13. Annexure-M: Cyber-SOC Framework for MIIs

14. Annexure-N: Functional Efficacy of SOC

15. Annexure-O: Classification and Handling of Cybersecurity Incidents

16. Annexure-P: Reporting Format for Self-certification REs

These annexures provide detailed formats, templates, and guidelines that regulated entities should follow for compliance with the CSCRF.

NOTE: If you like to download the “SEBI CSRF Audit Sample Reports” you may reach out to us here.