Framework for SEBI Regulated Entities to mitigate risks from cloud services

If you are a SEBI Regulated Entity (“RE”)[1], for example a depository, a depository participant or an asset management company (“AMC”), you have less than a month left (i.e., until 06 March, 2024) to adhere to the compliance framework on the adoption of cloud services issued by SEBI[2], for both your existing and your new cloud onboarding projects. The framework is principle-based and aims to make REs aware of the cyber security risks and challenges that cloud computing brings with it.

SEBI’s intent: “To protect the interests of investors in securities and to promote the development of, and to regulate the securities market.”[3]

What does this framework recommend?

Baseline security measures are required to be implemented (by the RE and the CSP), and the RE may add further measures according to its business needs, technology risk assessment, risk appetite, compliance requirements arising from applicable circulars/guidelines/advisories issued by SEBI from time to time, etc.

Principles of the Framework

Principle 1: Governance, Risk and Compliance Sub-Framework

Principle 2: Selection of Cloud Service Providers

Principle 3: Data Ownership and Data Localization

Principle 4: Responsibility of the Regulated Entity

Principle 5: Due Diligence by the Regulated Entity

Principle 6: Security Controls

Principle 7: Contractual and Regulatory Obligations

Principle 8: BCP, Disaster Recovery & Cyber Resilience

Principle 9: Vendor Lock-in and Concentration Risk Management

Key action points for REs, grouped under the 9 Principles:

Principle 2: Selection of Cloud Service Providers, and Principle 5: Due Diligence by the Regulated Entity

Know your CSP, and how?

Before you commence cloud deployment, check the following:

1. Choose a MeitY-empanelled CSP’s data center.

2. Check the financial soundness of the CSP and its ability to provide service in adverse situations.

3. Carry out a security risk assessment of the CSP.

4. Check the CSP’s capacity to identify and segregate your data, as and when required.

5. Check the capability of the CSP to deal with your compliance and operational needs, and to ensure information security, data privacy, etc.

6. Check the CSP’s ability to effectively serve all your customers while ensuring confidentiality.

7. Check the CSP’s ability to ensure compliance with this framework as well as all applicable rules/regulations/circulars issued by SEBI from time to time.

8. Conduct risk-based due diligence depending on the criticality of the data/services/operations planned to be onboarded on the cloud.

Principle 4: Responsibility of the Regulated Entity, and Principle 9: Vendor Lock-In and Concentration Risk Management

Accountability and responsibility for the cloud services, and compliance with applicable laws

1. Be solely responsible for the confidentiality, integrity and security of data and logs, and for ensuring compliance with applicable laws issued by SEBI and the Central or State Government.

2. Conduct a risk evaluation before entering into a contract with the CSP, and reassess it on a periodic basis.

3. Take steps to implement data portability and interoperability as part of the exit/transfer strategy.

Principle 1: Governance, Risk and Compliance Sub-Framework, Principle 7: Contractual and Regulatory Obligations, and Principle 8: BCP, Disaster Recovery & Cyber Resilience

Cloud governance, risk management controls, BCP-DR and contractual obligations

1. Have a Board-approved governance model for cloud computing, which includes details of cloud service models, deployment models, etc.

2. Undertake a comprehensive (approved) risk management approach to identify, monitor and mitigate the anticipated risks of cloud computing.

3. Appoint a Chief Information Security Officer, who will be responsible for the security of deployments in the cloud.

4. Carry out an annual assessment to review the financial and operational condition of the CSP.

5. Conduct regular audits and Vulnerability Assessment & Penetration Testing (“VAPT”) in line with SEBI cyber security guidelines.

6. Have appropriate clauses in the contract with the CSP to enforce SEBI-directed security audits and VAPT requirements, along with contingency plans on BCP-DR.

7. Develop a viable and effective contingency plan to cope with situations involving disruption/shutdown of cloud services.

Principle 3: Data Ownership and Data Localization

Data Ownership and Localization

1. Retain complete ownership of your data, logs, etc. residing in the cloud.

2. Ensure localization of the data within legal boundaries of India.

3. Retain ultimate responsibility for data security and have an effective mechanism to monitor the CSP.

Principle 6: Security Controls

Security Controls in the Cloud

1. Ensure that your CSP has a vulnerability management process and adequate security monitoring solutions in place.

2. Ensure that your CSP has incident management processes in place.

3. Have continuous monitoring in place to review the technical, legal and regulatory compliance of the CSP, and take corrective measures (or ensure the CSP takes corrective measures) wherever necessary.

Security Controls of the Cloud

1. Have a well-defined Vulnerability Management policy to address the vulnerability management aspects of the infrastructure/services/etc. managed by you in the cloud.

2. Have an incident management policy, procedures and processes in place.

3. Have “Two Factor Authentication (2FA)/Multi Factor Authentication (MFA)” in place to mitigate security risks.

4. Undertake Secure Software Development practices for the development of cloud-ready applications.

5. Ensure data security controls such as anti-virus and Data Leak Prevention (DLP) solutions are installed.

6. Ensure network security by adopting the micro-segmentation principle on cloud infrastructure.[4]
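As an added illustration, not part of the original post or of the SEBI circular, the following Python check expresses the micro-segmentation principle quoted in footnote [4] as an audit an RE can run over its own cloud firewall or security-group rules: every ingress rule must fit within a documented allow-list of essential communication channels, and any rule that is broader (an open 0.0.0.0/0 source, an all-ports range) is reported, as is any essential channel that no rule permits. The subnets, ports, rule names and the ESSENTIAL_CHANNELS list are constructed assumptions for the example.

```python
"""Audit cloud firewall rules against an allow-list of essential channels.

Constructed example: the channel list and the rules below are invented
sample data for illustration, not any real deployment.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One flow: traffic from `source` (CIDR) over `protocol`, ports from_port..to_port."""
    source: str
    protocol: str
    from_port: int
    to_port: int

    def permits(self, other: "Channel") -> bool:
        """True if every flow allowed by `other` is also allowed by this channel."""
        return (
            self.protocol == other.protocol
            and self.from_port <= other.from_port
            and other.to_port <= self.to_port
            and ipaddress.ip_network(other.source).subnet_of(ipaddress.ip_network(self.source))
        )


# Hypothetical allow-list of essential channels from the architecture document:
# load balancer subnet -> app tier on 8443, app tier -> database on 5432,
# bastion subnet -> all tiers on 22, monitoring subnet -> node exporters on 9100.
ESSENTIAL_CHANNELS = [
    Channel("10.0.0.0/24", "tcp", 8443, 8443),
    Channel("10.0.1.0/24", "tcp", 5432, 5432),
    Channel("10.0.250.0/28", "tcp", 22, 22),
    Channel("10.0.2.0/24", "tcp", 9100, 9100),
]

# Constructed ingress rules as exported from a security group: (rule name, flow allowed).
SAMPLE_RULES = [
    ("lb-to-app", Channel("10.0.0.0/24", "tcp", 8443, 8443)),
    ("app-to-db", Channel("10.0.1.0/24", "tcp", 5432, 5432)),
    ("db-open-to-world", Channel("0.0.0.0/0", "tcp", 5432, 5432)),   # source too broad
    ("app-all-ports", Channel("10.0.1.0/24", "tcp", 0, 65535)),      # port range too broad
    ("ssh-from-anywhere", Channel("0.0.0.0/0", "tcp", 22, 22)),      # source too broad
]


def non_essential_rules(rules, essential=ESSENTIAL_CHANNELS):
    """Names of rules that allow traffic beyond the essential channels.

    A rule is compliant only if some single essential channel fully contains it;
    anything wider must be tightened or removed under the micro-segmentation principle.
    """
    return [name for name, flow in rules if not any(ch.permits(flow) for ch in essential)]


def unreachable_channels(rules, essential=ESSENTIAL_CHANNELS):
    """Essential channels that no rule permits: the allow-list and the rule set disagree."""
    return [ch for ch in essential if not any(flow.permits(ch) for _, flow in rules)]


if __name__ == "__main__":
    for name in non_essential_rules(SAMPLE_RULES):
        print(f"NON-COMPLIANT: rule '{name}' allows more than the essential channels")
    for ch in unreachable_channels(SAMPLE_RULES):
        print(f"MISSING: no rule permits essential channel {ch}")
```

The check is deliberately strict: a rule must sit entirely inside one documented channel, so a rule that merges two legitimate channels into one wider range is still flagged, which is the behaviour a continuous-monitoring control under Principle 6 should have.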

At Lexplosion, we offer legal tech solutions to our clients through a Software as a Service (SaaS) model, utilizing both single and multitenant architectures, leveraging Amazon Web Services, Inc.’s cloud solutions. Amazon Web Services, Inc. is a MeitY-empanelled CSP known for providing a secure and robust cloud environment. Lexplosion is an ISO/IEC 27001 certified organisation committed to all Data Protection and Information Security measures prescribed by it, including conducting regular security audits and penetration tests, implementing BCP/DR, and continuously monitoring the systems. Additionally, Lexplosion adheres to CERT-In guidelines for Incident Reporting.

In case you want to know more about this Framework and our legal-tech solutions, do get in touch with us. You can also directly reach out to Koushik Sinha at koushik.sinha@lexplosion.in.

[1] Paragraph 3 of the SEBI Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) (SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033, dated 6th March, 2023) states the applicability of this Framework to the following Regulated Entities:

  1. Stock Exchanges
  2. Clearing Corporations
  3. Depositories
  4. Stock Brokers through Exchanges
  5. Depository Participants through Depositories
  6. Asset Management Companies (AMCs)/ Mutual Funds (MFs)
  7. Qualified Registrars to an Issue and Share Transfer Agents
  8. KYC Registration Agencies (KRAs)

[2] Para 4 of SEBI Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) (SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033, dated 6th March, 2023)

[3] Section 11(1) of the Securities and Exchange Board of India Act, 1992

[4] Para 6.2.10.11 of SEBI Framework: RE shall adopt the micro segmentation principle on cloud infrastructure. Only the essential communication channels between computing resources shall be allowed and the rest of the communication channels shall be blocked.

Written by: Baishali Chakraborty

Disclaimer

All material included in this blog is for informational purposes only and does not purport to be or constitute legal or other advice. This blog should not be used as a substitute for specific legal advice. Professional legal advice should be obtained before taking or refraining from an action as a result of the contents of this blog. We exclude any liability (including without limitation that for negligence or for any damages of any kind) for the content of this blog. The views and opinions expressed in this blog are those of the author/(s) alone and do not necessarily reflect the official position of Lexplosion Solutions. We make no representations, warranties or undertakings about any of the information, content or materials provided in this blog (including, without limitation, any as to quality, accuracy, completeness or reliability). All the contents of this blog, including the design, text, graphics, their selection and arrangement are the intellectual property of Lexplosion Solutions Private Limited and/or its licensors.

ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.
