SEBI Strengthens Cybersecurity: The 2024 Cybersecurity and Cyber Resilience Framework (CSCRF) expands protection across Regulated Entities

The Securities and Exchange Board of India’s (SEBI) effort to keep Regulated Entities (REs) and their clients safe and secure against cyber threats has been in place for over a decade now. Superseding its earlier circulars and guidelines on cybersecurity, and building on its initiatives to tackle evolving cyber incidents, SEBI has recently enacted the 2024 Cybersecurity and Cyber Resilience Framework (CSCRF)[1]. Recognising the need to protect the operations of REs from cyber risks and cyber incidents amid the fast pace of technological developments in the securities market, the core objective of CSCRF is to consolidate and strengthen the prevention, preparedness and response capabilities of REs against cyber risks and cyber incidents.

In 2015, SEBI had issued a Cybersecurity and Cyber Resilience framework for Market Infrastructure Institutions (MIIs). In sync with the framework for MIIs, SEBI rolled out Cybersecurity and Cyber Resilience frameworks for specific REs such as Stock Brokers, Depository Participants, Mutual Funds, Asset Management Companies, KYC Registration Agencies, Qualified Registrars to an Issue, Share Transfer Agents and Portfolio Managers. These REs are required to adopt the 2024 CSCRF provisions by January 01, 2025. However, no regulatory action shall be taken for any non-compliance till 31st March, 2025, provided the REs are able to demonstrate meaningful steps taken and progress made in implementing CSCRF. An opportunity shall be given to the REs to demonstrate the same before any regulatory action is considered by SEBI.

The 2024 Cybersecurity and Cyber Resilience Framework (CSCRF) supersedes all existing SEBI cybersecurity circulars, guidelines, advisories and letters and rolls out a revised framework for all SEBI REs with the objective of tackling evolving cyber threats, aligning with industry standards, encouraging efficient audits and ensuring compliance by SEBI REs. The CSCRF also sets out standard formats for reporting by REs. Compared to its earlier initiatives, CSCRF brings a larger spectrum of REs under its ambit, such as Alternative Investment Funds (AIFs), Bankers to an Issue and Self Certified Syndicate Banks, Clearing Corporations, Collective Investment Schemes, Credit Rating Agencies, Custodians, Debenture Trustees, Depositories, Investment Advisors, Research Analysts, Merchant Bankers and Venture Capital Funds.

With this, all REs are required to comply with the standards and mandatory guidelines set out in the CSCRF. Since new standards and controls have been added in CSCRF, a glide-path approach has been provided for adoption of CSCRF provisions:

For REs such as Stock Brokers (SBs), Depository Participants (DPs), Mutual Funds (MFs), Asset Management Companies (AMCs), KYC Registration Agencies (KRAs), Qualified Registrars to an Issue, Share Transfer Agents (STAs) and Portfolio Managers (PMs), where a cybersecurity and cyber resilience circular already exists – by January 01, 2025.

For REs such as AIFs, Bankers to an Issue and Self Certified Syndicate Banks, Clearing Corporations, Collective Investment Schemes, Credit Rating Agencies, Custodians, Debenture Trustees, Depositories, Investment Advisors, Research Analysts, Merchant Bankers and Venture Capital Funds, where CSCRF is being issued for the first time – by April 01, 2025.

Cybersecurity compliance guidelines may be onerous for smaller REs because of a lack of knowledge and expertise in cybersecurity and the cost involved in setting up their own Security Operations Centre (SOC). CSCRF therefore mandates NSE and BSE to set up a Market SOC (M-SOC) with the objective of providing cybersecurity solutions to such categories of REs.

CSCRF is built on two key approaches: Cybersecurity and Cyber Resilience. It is standards-based and covers the five cyber resiliency goals adopted from the Cyber Crisis Management Plan of the Indian Computer Emergency Response Team for countering Cyber Attacks and Cyber Terrorism: Anticipate, Withstand, Contain, Recover and Evolve. These cyber resiliency goals have been linked with the following cybersecurity functions: Governance, Identify, Protect, Detect, Respond and Recover.

REs are broadly categorised as Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs and Self-certification REs, based on their span of operations and thresholds such as number of clients, trade volume and assets under management. Through this categorisation, CSCRF ensures that cybersecurity requirements are proportionate to each entity’s operational complexity, with larger institutions like MIIs facing more rigorous controls due to the critical nature of their activities.

All REs have access to various personal data of their clients. This access, along with their use of third-party services, makes them vulnerable and increases their exposure to cyber threats and attacks. To ensure data protection, CSCRF mandates REs to establish appropriate security monitoring mechanisms through a Security Operations Centre (SOC). Onboarding can be done via the RE’s own or group SOC, a Market SOC, or any other third-party managed SOC, enabling continuous monitoring of security events and timely detection of anomalous activities.

REs utilise services from third-party providers, which often include essential software solutions hosted on the providers’ own or third-party infrastructure. This dependency on service providers can increase the risk associated with business functions. Hosted services, including Software-as-a-Service (SaaS) and Cloud Service Providers (CSPs), typically store data (such as business and personal data) at the location where the data is processed, which is often on servers outside India’s legal boundaries.

As REs have limited control over where their data is stored, it is crucial to note that their data may reside on servers beyond India’s jurisdiction. This can create governance challenges and complicate compliance with local data protection and cybersecurity laws.

Among the many concepts in CSCRF intended to safeguard the interests of investors and ensure the compliance of REs and their businesses is ‘Data Localization’. This mandates that all data generated within India (including its creation and storage) must remain within India’s legal boundaries, ensuring data sovereignty and residency. This approach will enhance governance and oversight. Consequently, REs must ensure that all data processing and storage occur within India’s legal framework.

CSCRF mandates REs to put in place appropriate systems and procedures to ensure compliance with its provisions (i.e., the applicable standards and guidelines), to conduct cyber audits, and to submit cyber audit reports in the structured format along with other required documents as per the timelines provided in the CSCRF.

Moreover, REs are required to follow a ‘Zero-Trust’ security model, under which access (from within or outside the RE’s network) to their critical systems is denied by default and allowed only after proper authentication and authorization.

In a nutshell, CSCRF is a comprehensive and flexible cybersecurity framework that equips REs with the tools and guidelines necessary to protect their operations, data and clients. It emphasises continuous improvement, resilience and preparedness against evolving cyber threats. With quantum computing on the horizon (potentially one of the most serious cybersecurity threats), it is essential to implement strategies that mitigate “harvest now, decrypt later” attacks. Continuous risk assessment and robust data protection measures can serve as benchmarks for CSCRF. Coming in an era of swift technological advancement, in which protection of IT infrastructure and data has become a key concern for SEBI and its REs, CSCRF seems well timed. Moreover, given that a larger spectrum of REs is now covered within its ambit, this consolidated CSCRF is expected to ensure uniform applicability of these cybersecurity guidelines across all REs and to strengthen the mechanism to deal with cyber risks, threats, incidents, etc.

[1] SEBI | Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

Written by: Kumar Bambam

Co-authored by: Antara Dasgupta

Disclaimer

This content is intended for informational purposes only and does not constitute a legal opinion. Despite our efforts to maintain accuracy, we do not make representations, warranties or undertakings regarding the quality, completeness or reliability of the content. Readers are encouraged to seek legal counsel prior to acting upon any of the information provided herein. This content, including the design, text, graphics, their selection and arrangement, is Copyright 2024, Lexplosion Solutions Private Limited or its licensors. ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.

For any clarifications, please reach out to us at 91-33-40618083 or inquiries@lexplosion.in. Refer to our privacy policy by clicking here.
