Securities and Exchange Board of India (SEBI) has introduced a comprehensive Consultation Paper on a Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs). This initiative aims to bolster the cybersecurity defenses and resilience mechanisms of these entities, ensuring a robust and secure market environment.

The Need for a Unified Framework

With the rapid adoption of information technology in the securities market, SEBI has identified the necessity for a unified and comprehensive approach to cybersecurity. Since 2015, SEBI has introduced various frameworks and advisories to address cybersecurity risks. However, the new consolidated CSCRF aims to bring uniformity and strengthen the mechanisms across all REs, providing a common structure to prevent cyber risks and incidents.

Applicability of the Framework

The CSCRF is designed to apply to a wide range of entities regulated by SEBI, ensuring comprehensive coverage across the securities market. These include:

Stock Brokers and Depository Participants

Entities involved in trading and storing securities must adhere to stringent cybersecurity protocols to protect sensitive financial data and ensure the integrity of trading operations.

Asset Management Companies (AMCs) and Mutual Funds

With significant financial assets under management, these entities are critical to the securities market and must implement robust cybersecurity measures.

KYC Registration Agencies (KRAs)

Responsible for maintaining Know Your Customer (KYC) data, these agencies must ensure the confidentiality and security of personally identifiable information (PII).

Qualified Registrars to an Issue/Share Transfer Agents (QRTAs)

These entities handle sensitive shareholder information and must ensure secure processing and storage of data.

Portfolio Managers

Managing large portfolios requires stringent cybersecurity measures to protect client information and investment strategies.

Alternative Investment Funds (AIFs)

Handling diverse investment strategies and significant capital, these funds must ensure robust cybersecurity and resilience mechanisms.

Core Functions of the Framework

The CSCRF is built upon the five key functions of cybersecurity as defined by the National Institute of Standards and Technology (NIST): Identify, Protect, Detect, Respond, and Recover. These functions form the backbone of the framework, ensuring a holistic approach to cybersecurity.

Identify

This involves understanding and managing cybersecurity risks to systems, assets, data, and capabilities. REs are required to maintain an up-to-date inventory of all critical assets and identify vulnerabilities and cyber threats.

Protect

The focus here is on implementing safeguards to ensure the delivery of critical infrastructure services. This includes robust policies for log retention, password management, network segmentation, and data encryption.

Detect

Continuous monitoring of security events and timely detection of anomalies are crucial. REs must establish a Security Operations Centre (SOC) to keep a vigilant eye on potential threats.

Respond

In the event of a cybersecurity incident, REs must have a well-documented Cyber Crisis Management Plan (CCMP) and Incident Response procedures to mitigate the impact.

Recover

Ensuring timely recovery to normal operations post-incident is vital. The framework outlines comprehensive recovery plans and communication strategies to minimize downtime and inform stakeholders.

Compliance and Reporting

To ensure adherence to the CSCRF, SEBI mandates periodic audits and compliance reporting. REs must submit evidence of ISO certifications, conduct regular Vulnerability Assessment and Penetration Testing (VAPT), and perform cybersecurity audits. The framework also stipulates specific timelines for the completion and submission of these reports.

A Collaborative Effort

SEBI’s approach to developing the CSCRF involved extensive consultations with its High Powered Steering Committee on Cyber Security (HPSC-CS). The framework references globally recognised standards such as NIST Special Publication 800-53, COBIT 5, and the CIS Controls, ensuring that it aligns with international best practices.

Conclusion

SEBI’s consolidated CSCRF is a significant step towards fortifying the cybersecurity infrastructure of the securities market. By providing a unified framework, SEBI aims to create a resilient market environment capable of withstanding and quickly recovering from cyber threats. As technology continues to advance, the CSCRF will evolve, incorporating feedback from various REs to remain relevant and effective.

References

  1. SEBI Consultation Paper on Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities – https://www.sebi.gov.in/reports-and-statistics/reports/jul-2023/consultation-paper-on-consolidated-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities_73442.html

  2. SEBI Board Approval of CSCRF – https://www.sebi.gov.in/media-and-notifications/press-releases/jun-2024/sebi-board-meeting_84448.html

Copyright © 2024 Seconize Technologies Pvt Ltd. All rights reserved.