SEBI's New Cybersecurity Framework Enhances Protection for Financial Entities

Introduction

On August 20, 2024, the Securities and Exchange Board of India (SEBI) launched a new Cybersecurity and Cyber Resilience Framework (CSCRF) aimed at enhancing cybersecurity measures for all regulated entities within the Indian securities market. This updated framework replaces earlier cybersecurity guidelines and seeks to tackle the growing threat of cyber incidents while aligning with industry standards.

Overview of CSCRF

The CSCRF provides comprehensive guidelines designed to enable entities such as stock brokers, mutual funds, and investment advisors to effectively anticipate, withstand, contain, recover from, and evolve against cyber threats. The framework categorizes entities according to their size and operational scope and implements a structured methodology for compliance.

Key Features:

  • Security Operation Centres (SOC): Every regulated entity must establish a SOC, either self-managed or market-provided; the market-provided option is intended to make compliance feasible for smaller entities.
  • Implementation Timelines: Compliance deadlines vary, with certain entities required to comply by January 1, 2025, and others by April 1, 2025.
  • Access to Guidelines: Detailed compliance guidelines, including reporting formats, are accessible on the SEBI website in the “Legal” section.

Background

  1. In 2015, SEBI issued a Cybersecurity and Cyber Resilience framework for Market Infrastructure Institutions (MIIs), followed by additional frameworks for various regulated entities including stock brokers and mutual funds.
  2. SEBI has regularly disseminated advisories to enhance cybersecurity practices across these entities.
  3. To reinforce cybersecurity measures in the Indian securities market, the CSCRF has been formulated through extensive stakeholder consultation, supplanting existing guidelines to establish a robust cybersecurity standard.

Objective

The primary aim of the CSCRF is to:

  • Address evolving cyber threats.
  • Align with industry standards.
  • Encourage efficient audits.
  • Ensure rigorous compliance by all SEBI-regulated entities.

Approach

The framework is standards-based, focusing on five cyber resilience goals from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In):

  1. Anticipate
  2. Withstand
  3. Contain
  4. Recover
  5. Evolve

These goals map onto the following cybersecurity functions:

  • Governance
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Entity Classification and Compliance Structure

The CSCRF employs a graded approach, categorizing regulated entities (REs) into five distinct groups based on operational thresholds such as client volume and trading activity. These categories are:

  1. Market Infrastructure Institutions (MIIs)
  2. Qualified REs
  3. Mid-sized REs
  4. Small-sized REs
  5. Self-certified REs

The framework organizes compliance methodologies into four parts:

  • Part I: Objectives and Standards
  • Part II: Guidelines
  • Part III: Compliance Formats
  • Part IV: Annexures and References

The CSCRF also emphasizes the importance of governance and managing supply chain risks. It addresses advanced security measures, including data classification, API security, and the effectiveness of SOCs.

Applicability

The CSCRF applies to a wide range of entities, including but not limited to:

  • Alternative Investment Funds (AIFs)
  • Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
  • Clearing Corporations
  • Credit Rating Agencies (CRAs)
  • Mutual Funds (MFs) and Asset Management Companies (AMCs)

Implementation Timeline

A glide-path for adoption of the CSCRF provisions includes:

  • For six categories with pre-existing cybersecurity frameworks: Compliance by January 01, 2025.
  • For newly impacted REs: Compliance by April 01, 2025.

Entities must implement appropriate systems to ensure compliance with the CSCRF provisions and submit cyber audit reports according to specified timelines.

Conclusion

The CSCRF enhances cybersecurity for regulated entities within the Indian securities market, ensuring that all entities, regardless of size, are equipped to handle cyber threats. This circular, effective as of August 20, 2024, is issued under Section 11(1) of the Securities and Exchange Board of India Act, 1992, with the aim of protecting investor interests and fostering market development.