New Cloud Services Framework and Enhanced Cybersecurity Framework for the Securities Sector

Posted On - 31 December, 2023 • By - King Stubb & Kasiva

The Securities and Exchange Board of India (“SEBI”), India’s securities and commodities regulator, has issued an enhanced cybersecurity framework for regulated entities, including stockbrokers, clearing corporations, depositories, asset management companies, qualified Registrars to an Issue and Share Transfer Agents, and know your customer (“KYC”) registration agencies (collectively referred to as the “REs”).

SEBI has issued a framework aimed specifically at the adoption of cloud services, which requires REs to introduce ‘security measures’ in connection with their ‘cloud services’. The principles and requirements of SEBI’s cloud computing framework are:

  1. REs must implement an enterprise-wide governance and risk management strategy.
  2. REs must select a Cloud Service Provider (“CSP”) certified by the Ministry of Electronics and Information Technology (“MeitY”).
  3. Proper due diligence should be done on the CSPs, who should be selected on the basis of their financial stability, security risk assessment, data ownership, confidentiality, data protection, adherence to existing norms and regulations, and the adequacy of security controls.
  4. REs shall have full control and possession of their data and they are solely responsible for data security, logs, compliance, and privacy for all the cloud services.
  5. The REs should conduct periodic disaster recovery drills, have a cyber resilience process and create a contingency plan to effectively handle any disruption or shutdown of cloud services.
  6. All data should be processed and stored within the jurisdiction of India, and original data for overseas investors should be available in India.