The Securities and Exchange Board of India (SEBI) has published a Consultation Paper on a Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs). The framework aims to strengthen the cybersecurity defenses and resilience mechanisms of these entities and, through them, the security of the securities market as a whole.
With the rapid adoption of information technology in the securities market, SEBI has identified the need for a unified and comprehensive approach to cybersecurity. Since 2015, SEBI has issued various cybersecurity frameworks and advisories, each aimed at particular classes of regulated entities. The consolidated CSCRF aims to bring uniformity across all REs and to strengthen their defenses by providing a single common structure for managing cyber risk and preventing incidents.
The CSCRF is designed to apply to a wide range of entities regulated by SEBI, ensuring comprehensive coverage across the securities market. The consultation paper groups them by the role they play:

- Entities involved in trading and storing securities, which must adhere to stringent cybersecurity protocols to protect sensitive financial data and ensure the integrity of trading operations.
- Entities with significant financial assets under management, which are critical to the securities market and must implement robust cybersecurity measures.
- Agencies responsible for maintaining Know Your Customer (KYC) data, which must ensure the confidentiality and security of personally identifiable information (PII).
- Entities that handle sensitive shareholder information, which must ensure secure processing and storage of that data.
- Entities managing large portfolios, which require stringent cybersecurity measures to protect client information and investment strategies.
- Funds handling diverse investment strategies and significant capital, which must ensure robust cybersecurity and resilience mechanisms.
The CSCRF is built upon the five key functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. These functions form the backbone of the framework, ensuring a holistic approach to cybersecurity.

- Identify: understanding and managing cybersecurity risks to systems, assets, data, and capabilities. REs are required to maintain an up-to-date inventory of all critical assets and to identify vulnerabilities and cyber threats.
- Protect: implementing safeguards to ensure the delivery of critical infrastructure services. This includes robust policies for log retention, password management, network segmentation, and data encryption.
- Detect: continuous monitoring of security events and timely detection of anomalies. REs must establish a Security Operations Centre (SOC) to keep a vigilant eye on potential threats.
- Respond: in the event of a cybersecurity incident, REs must have a well-documented Cyber Crisis Management Plan (CCMP) and incident response procedures to mitigate the impact.
- Recover: ensuring timely restoration of normal operations after an incident. The framework outlines comprehensive recovery plans and communication strategies to minimize downtime and keep stakeholders informed.
To ensure adherence to the CSCRF, SEBI mandates periodic audits and compliance reporting. REs must submit evidence of ISO certifications, conduct regular Vulnerability Assessment and Penetration Testing (VAPT), and undergo cybersecurity audits. The framework also stipulates specific timelines for completing these activities and submitting the resulting reports.
SEBI developed the CSCRF through extensive consultation with its High Powered Steering Committee on Cyber Security (HPSC-CS). The framework references globally recognized standards such as NIST Special Publication 800-53, COBIT 5, and the CIS Controls, so that it aligns with international best practice.
SEBI’s consolidated CSCRF is a significant step towards fortifying the cybersecurity infrastructure of the securities market. By providing a unified framework, SEBI aims to create a resilient market environment capable of withstanding and quickly recovering from cyber threats. As technology continues to advance, the CSCRF will evolve, incorporating feedback from various REs to remain relevant and effective.
SEBI Consultation Paper on Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities – https://www.sebi.gov.in/reports-and-statistics/reports/jul-2023/consultation-paper-on-consolidated-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities_73442.html
SEBI Board Approval of CSCRF – https://www.sebi.gov.in/media-and-notifications/press-releases/jun-2024/sebi-board-meeting_84448.html