SEBI Unveils Robust Cybersecurity Framework For A Secure Financial Future

Posted On - 6 September, 2024 • By - Krishnan Sreekumar

Introduction

The Securities and Exchange Board of India (SEBI) has introduced a comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) to strengthen the cyber defenses of all SEBI Regulated Entities (REs).[1] The framework aims to address evolving cyber threats, align with industry standards, facilitate efficient audits, and ensure compliance among REs.

The CSCRF is built upon five core cyber resilience goals: Anticipate, Withstand, Contain, Recover, and Evolve. It categorizes REs into different tiers based on their size and complexity, providing a scalable approach to implementation. The framework also includes provisions for risk assessment, data protection, incident response, and continuous improvement. By adhering to the CSCRF guidelines, REs can significantly enhance their cybersecurity posture and protect the integrity of the Indian securities market.

What is the CSCRF?

The CSCRF is a comprehensive initiative introduced by SEBI to significantly enhance the cybersecurity posture of all SEBI REs.

Key Goals of the CSCRF

  • Enhanced Scope: The framework expands upon existing cybersecurity regulations, providing a more robust foundation for REs to build upon.
  • Uniformity and Consistency: CSCRF establishes standardized cybersecurity guidelines across all categories of REs, ensuring a consistent level of protection throughout the financial ecosystem.
  • Strengthened Risk Management: The framework empowers REs with a more robust mechanism to identify, assess, and respond to cyber threats, incidents, and risks.

Collaborative Development

The CSCRF is the result of extensive consultations and discussions with a wide range of stakeholders. These include:

  • Market Infrastructure Institutions (MIIs)
  • SEBI REs
  • Industry Associations
  • Government Organizations (CERT-In, National Critical Information Infrastructure Protection Centre, etc.)
  • Industry Standard Forum (ISF)
  • Information Security Auditors
  • Industry Experts
  • Cloud Service Providers (CSPs)

SEBI’s High Powered Steering Committee on Cybersecurity (HPSC-CS) also reviewed the framework to ensure its effectiveness.

Standardized Approach and Standards Used

The CSCRF provides a standardized approach for implementing various cybersecurity and cyber resilience methodologies. This means REs can leverage established best practices and industry standards to build their security posture.

The framework references established security standards during its development, such as:

  • ISO 27000 series
  • CIS v8
  • NIST 800-53
  • BIS Financial Stability Institute Guidelines
  • CPMI-IOSCO Guidelines

Graded Implementation

The CSCRF acknowledges the diverse nature of SEBI REs. Therefore, it employs a graded approach, classifying REs into five categories based on their size, operations, and specific thresholds such as number of clients, trade volume, and assets under management. This ensures that the framework is scalable and accommodates the needs of all RE types.

Structure of the Framework

The framework is organized into four key parts for easier comprehension and implementation:

  • Part I: Objectives and Standards: This section outlines the overall goals that security controls aim to achieve and establishes essential principles for compliance with the CSCRF.
  • Part II: Guidelines: This section offers specific recommendations for complying with the standards outlined in Part I. While some guidelines are mandatory, others offer flexible approaches tailored to specific RE categories.
  • Part III: Structured Formats for Compliance: This section provides standardized formats for REs to use for reporting on their compliance with the CSCRF.
  • Part IV: Annexures and References: This section offers supplementary information and references relevant to understanding and implementing the CSCRF.

Structure of the CSCRF

This framework is a powerful tool that combines two key approaches: cybersecurity and cyber resilience.

  • Cybersecurity focuses on various aspects like governance measures and operational controls to safeguard systems and data.
  • Cyber Resilience emphasizes achieving a proactive and adaptable stance against cyber threats. It encompasses five key goals: Anticipate, Withstand, Contain, Recover, and Evolve.

Key Components

The CSCRF outlines a series of steps that REs need to take to achieve robust cybersecurity.

  1. Anticipation: Building a Strong Foundation
  2. Governance: REs establish clear roles, responsibilities, and authorities for cybersecurity risk management. This ensures accountability and continuous improvement.
  3. Policy: A comprehensive cybersecurity and cyber resilience policy is documented and implemented, ensuring everyone within the RE understands and adheres to security protocols.
  4. Risk Management Framework (For MIIs, Qualified REs, and Mid-size REs): A framework is implemented to identify, analyze, prioritize, respond to, and continuously monitor cyber risks.
  5. Cyber Capability Index (CCI): This self-assessment tool (for Qualified REs) and third-party assessment tool (for MIIs) help REs evaluate their cyber resilience posture regularly.
  6. Third-Party Accountability: REs are solely accountable for all aspects related to third-party services, including data security and compliance with regulations.
  7. Identification: Recognizing and Classifying Critical Systems
  8. Critical Systems Identification: REs identify and categorize their critical systems based on their importance for business operations, data management, and service delivery.
  9. Risk Assessment: Regular risk assessments are conducted, including post-quantum risk assessments, to identify vulnerabilities and prioritize mitigation strategies.
  10. Protection: Implementing Robust Security Measures
  11. Access Control: Secure authentication and access policies are established along with effective log collection and retention procedures for activity monitoring.
  12. Network Segmentation: Sensitive information, critical systems, and services are restricted through network segmentation techniques to minimize the impact of potential breaches.
  13. Data Encryption: Layered data protection is implemented using Full-disk Encryption (FDE) and File-based Encryption (FE).
  14. Development Environment Segregation: Separate production and non-production environments are maintained for developing software and applications for critical systems.
  15. Security Audits: Periodic audits by CERT-In empanelled organizations ensure compliance with the CSCRF’s standards and mandatory guidelines.
  16. Vulnerability Assessment and Penetration Testing (VAPT): Regular VAPTs are conducted to detect and address vulnerabilities in critical systems, infrastructure components, and other IT systems.
  17. API Security and Endpoint Protection: Secure coding practices, rate limiting, throttling, and robust authentication/authorization mechanisms are implemented for APIs and endpoint security solutions.
  18. ISO 27001 Certification (For MIIs and Qualified REs): This mandatory certification ensures adherence to essential security standards for Information Security Management Systems (ISMS).
  19. Detection: Continuous Monitoring and Early Warning
  20. Security Operations Center (SOC): REs establish a dedicated SOC (either their own, a group SOC, a third-party SOC, or a market SOC) for continuous security event monitoring and timely detection of anomalous activities.
  21. Market SOC: BSE and NSE are mandated to set up Market SOCs, providing a centralized security monitoring platform for small-size and self-certification REs.
  22. SOC Efficacy Measurement: REs regularly measure the functional efficacy of their SOCs to ensure optimal performance.
  23. Red Teaming (For MIIs and Qualified REs): Simulated cyberattacks are conducted to assess the effectiveness of cybersecurity measures and identify potential weaknesses.
  24. Withstand & Contain: Responding to Incidents Effectively
  25. Incident Reporting: All cybersecurity incidents are promptly reported through the SEBI incident reporting portal.
  26. Incident Response Management (IRM): Comprehensive IRM plans and Standard Operating Procedures (SOPs) are established to guide effective response actions during cyber incidents.
  27. Cyber Crisis Management Plan (CCMP): Up-to-date CCMP ensures a coordinated and efficient response during a major cyber crisis.
  28. Root Cause Analysis (RCA) and Forensics: RCAs are conducted to identify the root cause of incidents, and forensic analysis is undertaken for further investigation when needed.
  29. Recover: Restoring Systems and Mitigating Damage
  30. Response and Recovery Plan: A comprehensive response and recovery plan is documented to ensure prompt restoration of systems affected by cybersecurity incidents. The CSCRF provides an indicative recovery plan.
  31. Communication and Transparency: Actions taken during the recovery process are communicated to all relevant stakeholders as required.
  32. Evolve: Adapting to Emerging Threats
  33. Adaptive Controls: REs continuously create and incorporate adaptive and evolving controls to address identified vulnerabilities and reduce attack surfaces. This ensures the framework remains effective in the face of evolving threats.

Compliance and Implementation

  • Compliance Reporting: REs are required to submit compliance reports to their respective authorities in the standardized formats mentioned in the CSCRF.
  • Glide Path: A glide path is provided for REs to comply with the CSCRF standards and mandatory guidelines, considering the introduction of new requirements.
  • Auditors’ Checklist and Guidelines: To ensure uniformity in auditing REs, an auditors’ checklist and guidelines are included in the framework.

Future-Proofing the Framework

  • Quantum Computing Threat: The CSCRF addresses the potential threat of quantum computing through continuous risk assessment and robust data protection measures.
  • Framework Evolution: SEBI plans to update the framework periodically to address emerging technologies and cybersecurity challenges, ensuring its ongoing relevance and effectiveness.

Conclusion and The Way Forward

The SEBI’s CSCRF is a comprehensive framework that equips REs with the necessary tools to combat cyber threats and protect the integrity of the Indian securities market. By addressing evolving threats, aligning with industry standards, facilitating audits, and ensuring compliance, the framework provides a robust foundation for REs to enhance their cybersecurity posture. The CSCRF’s focus on anticipation, resilience, and continuous improvement ensures that REs are well-prepared to face future cyber challenges and maintain a secure financial environment. Looking forward, SEBI should continuously evaluate the CSCRF’s effectiveness and update it to address emerging threats. Collaboration between REs, experts, and government agencies can enhance knowledge sharing and strengthen cybersecurity in the Indian securities market.

[1] https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html.

King Stubb & Kasiva,
Advocates & Attorneys

Click Here to Get in Touch

New Delhi | Mumbai | Bangalore | Chennai | Hyderabad | Mangalore | Pune | Kochi
Tel: +91 11 41032969 | Email: info@ksandk.com