SEBI develops framework for adoption of cloud services by SEBI Regulated Entities

The Securities and Exchange Board of India, through the “Framework for Adoption of Cloud Services by SEBI Regulated Entities”, has developed a framework that provides baseline security standards and sets out the legal and regulatory compliance requirements for Regulated Entities (REs). The framework aims to highlight the key risks and the mandatory control measures that REs need to put in place before adopting cloud computing.

The framework is applicable to:

  1. Stock Exchanges
  2. Clearing Corporations
  3. Depositories
  4. Stock Brokers through Exchanges
  5. Depository Participants through Depositories
  6. Asset Management Companies (AMCs)/ Mutual Funds (MFs)
  7. Qualified Registrars to an Issue and Share Transfer Agents
  8. KYC Registration Agencies (KRAs)

REs must ensure that they comply with the requirements of the framework by 6th March, 2024 and must also submit the following milestone-based updates:

  1. By 6th April 2023 – REs shall provide details of the cloud services currently deployed by them.
  2. By 6th June 2023 – The REs shall submit a roadmap (including details of major activities, timelines, etc.) for the implementation of the framework.
  3. From 6th June 2023 to 6th March 2024 – Quarterly progress report as per the roadmap submitted by the RE.
  4. After 6th March 2024 – Compliance with respect to the framework to be reported regularly.

The cloud framework is a principle-based framework which covers Governance, Risk and Compliance (GRC), selection of Cloud Service Providers (CSPs), data ownership and data localization, due diligence by REs, security controls, legal and regulatory obligations, DR & BCP, and vendor lock-in risk. The principles are broadly stated guidelines that set the standards REs must comply with while adopting cloud services. The principles are stated below:

Principle 1: Governance, Risk and Compliance Sub-Framework

Principle 2: Selection of Cloud Service Providers

Principle 3: Data Ownership and Data Localization

Principle 4: Responsibility of the Regulated Entity

Principle 5: Due Diligence by the Regulated Entity

Principle 6: Security Controls

Principle 7: Contractual and Regulatory Obligations

Principle 8: BCP, Disaster Recovery & Cyber Resilience

Principle 9: Vendor Lock-in and Concentration Risk Management

 

Source: Securities and Exchange Board of India

https://lexplosion.in/

Lexplosion Solutions Private Limited is a pioneering Indian Legal-Tech company that provides legal risk and compliance management solutions through cloud-based software and expert services.

