SEBI’s New Cyber Resilience Framework For Regulated Entities

Posted On - 28 August, 2024 • By - Aakansha Mewar

Introduction:

In a significant move towards bolstering cybersecurity in India’s financial sector, the Securities and Exchange Board of India (SEBI) has introduced a new Cybersecurity and Cyber Resilience Framework[1] (CSCRF) for all regulated entities (REs). This comprehensive framework, effective from January 2025, aims to enhance the cyber resilience and security posture of entities under SEBI’s jurisdiction. This initiative is a proactive response to the rising cyber threats in India, which pose significant risks to the financial sector. The CSCRF is set to replace the existing cybersecurity circulars and guidelines, offering a more robust, structured approach to managing cyber risks.

Overview of the Framework:

The CSCRF, unveiled by SEBI on August 20, 2024, is designed to provide a comprehensive set of standards and guidelines aimed at enhancing the cybersecurity and resilience of regulated entities. The framework was developed following extensive consultations with various stakeholders, reflecting the need for a structured and standardized approach to cybersecurity in the rapidly evolving financial landscape. The decision to release the CSCRF was driven by the increasing frequency and sophistication of cyberattacks in India, which have highlighted vulnerabilities within the financial ecosystem.

The CSCRF is structured into four main components:

  1. Establishing the foundational goals for cybersecurity and resilience.
  2. Guidelines: measures for meeting the standards under the CSCRF; most are recommended, but some are themselves mandatory.
  3. Providing a systematic approach for entities to ensure adherence to the framework.
  4. Offering detailed references and additional information to support compliance.

Key Provisions:

The CSCRF introduces several critical provisions aimed at strengthening the cybersecurity posture of SEBI-regulated entities. One of the most notable aspects of the CSCRF is its focus on data protection and localization. Regulated entities are required to classify their data into two categories: ‘Regulatory Data’ and ‘IT and Cybersecurity Data’. Regulatory data must be localized within India’s boundaries, ensuring data sovereignty and minimizing risks associated with cross-border data transfers. IT and cybersecurity data, however, can be offshored, provided that adequate safeguards are in place.

The framework mandates the implementation of Security Operations Centres (SOCs) for continuous monitoring and detection of security incidents. SEBI emphasizes that entities can establish their own SOCs, use market SOCs, or leverage third-party managed SOCs for 24/7 monitoring of security events and timely detection of anomalies. Notably, stock exchanges like NSE and BSE are expected to set up market SOCs to support smaller regulated entities in meeting these requirements, ensuring a baseline level of cybersecurity resilience across all entities, regardless of size or resources.

To monitor and assess cybersecurity maturity and resilience, SEBI will introduce a Cyber Capability Index (CCI) for Market Infrastructure Institutions (MIIs) and qualified regulated entities. The CCI aims to provide a standardized metric for evaluating the cyber resilience of these entities, fostering a culture of continuous improvement in cybersecurity practices. The CSCRF outlines specific requirements for regulated entities to establish and maintain a robust cybersecurity policy. This policy must encompass the following elements:

  1. Identify: Recognizing critical IT assets and the risks associated with them.
  2. Protect: Deploying suitable controls, tools, and measures to safeguard assets.
  3. Detect: Using appropriate monitoring tools and processes to identify incidents, anomalies, and attacks.
  4. Respond: Taking immediate steps to mitigate the impact of identified incidents.
  5. Recover: Implementing recovery mechanisms and incident management strategies to restore normal operations.

Under the CSCRF, regulated entities are required to conduct comprehensive risk assessments of their IT environments on a half-yearly or yearly basis, depending on their classification. These assessments must consider various factors, including the technology stack, known vulnerabilities, dependence on third-party service providers, data storage and protection measures, and potential threats. The CSCRF introduces a structured approach to cyber risk governance and management, including the development of a Software Bill of Materials (SBOM) to mitigate supply chain risks and specific guidelines for API and mobile application security. These measures aim to address emerging threats and ensure that regulated entities are well-prepared to manage cybersecurity risks effectively.
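The SBOM requirement above is only useful if the inventory is actually checked. As an added illustration (example code written for this page, not SEBI's or any vendor's), the script below parses a CycloneDX-style JSON SBOM, flags components whose identity is too incomplete to be matched or verified (no version, no package URL, no hash), and matches the rest against an advisory list by package URL and version range. The SBOM, the package names and versions, and the advisory ID are all constructed for the example; the field names follow the CycloneDX JSON layout, which is an assumption about the format a regulated entity would adopt.

```python
"""Check a CycloneDX-style SBOM for identity gaps and advisory matches.

Constructed example for illustration; not SEBI's or any vendor's code.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed SBOM: CycloneDX 1.5 field names, made-up components/versions.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "fastjson-clone", "version": "1.2.0",
     "purl": "pkg:maven/example/fastjson-clone@1.2.0",
     "hashes": [{"alg": "SHA-256", "content": "%s"}]},
    {"type": "library", "name": "leftpad-ish", "version": "0.9.3",
     "purl": "pkg:npm/leftpad-ish@0.9.3"},
    {"type": "library", "name": "mystery-lib"}
  ]
}
""" % ("0" * 64)  # placeholder digest; a real SBOM carries the actual hash

# Constructed advisory feed: affected range is [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "CONSTRUCTED-ADV-1", "purl": "pkg:maven/example/fastjson-clone",
     "introduced": "1.0.0", "fixed": "1.2.1"},
    {"id": "CONSTRUCTED-ADV-2", "purl": "pkg:npm/leftpad-ish",
     "introduced": "0.1.0", "fixed": "0.9.0"},
]


@dataclass
class Component:
    name: str
    version: Optional[str]
    purl: Optional[str]
    hashes: list = field(default_factory=list)  # algorithms present


def parse_sbom(text: str) -> list:
    """Parse the components array of a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        Component(
            name=c["name"],
            version=c.get("version"),
            purl=c.get("purl"),
            hashes=[h["alg"] for h in c.get("hashes", [])],
        )
        for c in doc.get("components", [])
    ]


def find_gaps(components: list) -> dict:
    """Map component name -> fields missing for matching/verification."""
    gaps = {}
    for c in components:
        missing = [
            name for name, value in
            (("version", c.version), ("purl", c.purl), ("hashes", c.hashes))
            if not value
        ]
        if missing:
            gaps[c.name] = missing
    return gaps


def _vtuple(version: str) -> tuple:
    """Numeric dotted version -> comparable tuple (sufficient for the sample)."""
    return tuple(int(p) for p in version.split("."))


def match_advisories(components: list, advisories: list) -> list:
    """Return (name, version, advisory id) for components in an affected range."""
    hits = []
    for c in components:
        if not (c.purl and c.version):
            continue  # unmatchable; reported by find_gaps instead
        base_purl = c.purl.rsplit("@", 1)[0]  # strip the version qualifier
        for adv in advisories:
            if adv["purl"] != base_purl:
                continue
            if _vtuple(adv["introduced"]) <= _vtuple(c.version) < _vtuple(adv["fixed"]):
                hits.append((c.name, c.version, adv["id"]))
    return hits


def assess(sbom_text: str, advisories: list) -> dict:
    """One-shot summary: component count, identity gaps, advisory hits."""
    comps = parse_sbom(sbom_text)
    return {
        "components": len(comps),
        "gaps": find_gaps(comps),
        "vulnerable": match_advisories(comps, advisories),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES), indent=2))
```

On the sample input the report lists three components, flags `leftpad-ish` for lacking a hash and `mystery-lib` for lacking version, purl and hash, and matches `fastjson-clone` 1.2.0 against the constructed advisory. The gap report matters as much as the match list: a component with no version or purl silently escapes every advisory comparison, which is exactly the blind spot an SBOM is meant to remove.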

Classification of Regulated Entities:

To ensure a tailored approach to cybersecurity, SEBI has classified regulated entities into five categories:

  1. Market Infrastructure Institutions (MIIs): These include stock exchanges, depositories, and clearing corporations, which play a critical role in the financial market infrastructure.
  2. Qualified Regulated Entities: Entities that meet specific criteria based on their size, market impact, and risk profile.
  3. Mid-size Regulated Entities: Medium-sized entities that require a more focused approach to cybersecurity.
  4. Small-size Regulated Entities: Smaller entities that may lack the resources to establish comprehensive cybersecurity measures independently.
  5. Self-certification Regulated Entities: Entities that can self-certify their compliance with the CSCRF, subject to periodic audits.

Compliance Timeline:

SEBI has outlined a phased implementation approach for the CSCRF to ensure a smooth transition and adequate preparation time for regulated entities:

  1. Phase 1: By January 1, 2025, regulated entities already covered by SEBI's earlier cybersecurity circulars must comply with the CSCRF standards and guidelines.
  2. Phase 2: By April 1, 2025, regulated entities for which the CSCRF is being issued for the first time (those not covered by the earlier circulars) must comply with the framework requirements.

After these deadlines, regulated entities will be subject to cybersecurity audits based on the CSCRF, with audit reports submitted to SEBI within the stipulated timelines. This phased approach allows entities to gradually align their cybersecurity practices with the new framework, minimizing disruptions to their operations.

Implications for Regulated Entities:

The introduction of the CSCRF marks a significant step forward in enhancing the cybersecurity and resilience of SEBI-regulated entities. By establishing a comprehensive framework that addresses data protection, monitoring, risk management, and governance, SEBI aims to create a more secure and resilient financial ecosystem in India. For regulated entities, the CSCRF presents both challenges and opportunities. While compliance with the new framework will require significant investment in cybersecurity infrastructure, processes, and training, it also offers an opportunity to strengthen their cybersecurity posture and build trust with stakeholders. Smaller entities, in particular, may benefit from the support provided by market SOCs, enabling them to achieve cyber resilience without the need for substantial internal resources.

Conclusion:

SEBI’s Cybersecurity and Cyber Resilience Framework represents a proactive and forward-looking approach to addressing the evolving cyber threats facing India’s financial sector. By establishing clear guidelines, standards, and compliance requirements, SEBI aims to enhance the cybersecurity resilience of its regulated entities, safeguarding the integrity and stability of the financial markets. As cyber threats continue to grow in sophistication and frequency, the CSCRF will play a crucial role in ensuring that India’s financial ecosystem remains secure, resilient, and capable of withstanding future challenges. Regulated entities must prioritize their cybersecurity efforts and align with the CSCRF to protect their assets, customers, and the broader financial market from cyber risks.


[1] https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html

King Stubb & Kasiva,
Advocates & Attorneys
