On August 20, 2024, the Securities and Exchange Board of India (SEBI) unveiled a comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) aimed at fortifying the cybersecurity measures across all regulated entities in the Indian securities market. This new framework, designed to replace and update previous cybersecurity guidelines, is a crucial step towards addressing the evolving landscape of cyber threats and enhancing the overall cyber resilience of the sector.
Key Objectives and Features
The primary goal of the CSCRF is to align with international industry standards and ensure that regulated entities, such as stock brokers, mutual funds, and investment advisors, have robust cybersecurity practices in place. The framework establishes guidelines for anticipating, withstanding, containing, recovering from, and evolving against cyber incidents. It adopts a structured approach to implementation and compliance, categorizing entities based on their size and operational scope.
The CSCRF introduces a graded approach, dividing regulated entities into five categories:
1. Market Infrastructure Institutions (MIIs)
2. Qualified Regulated Entities (QREs)
3. Mid-Size Regulated Entities
4. Small-Size Regulated Entities
5. Self-Certification Regulated Entities
This classification allows for tailored guidelines that match the entity's scale and complexity, making compliance more manageable and relevant.
Implementation and Compliance
The framework mandates that all regulated entities establish Security Operation Centres (SOCs) to monitor and manage security events. Entities can opt for self-managed SOCs, utilize market-provided SOCs through platforms such as NSE and BSE, or engage third-party managed SOCs. This provision is particularly beneficial for smaller entities that might struggle with the financial and technical demands of setting up their own SOCs.
The CSCRF specifies different compliance deadlines based on the type of entity:
· Entities already subject to previous cybersecurity regulations must comply by January 1, 2025.
· Entities newly covered by the CSCRF must meet the requirements by April 1, 2025.
This phased implementation schedule provides a transition period for entities to adapt to the new standards.
Structure and Content
The CSCRF is organized into four key parts:
1. Part I: Objectives and Standards - Defines compliance requirements, audit timelines, and standards.
2. Part II: Guidelines - Offers recommendations for achieving compliance and implementing standards, with some guidelines being mandatory.
3. Part III: Compliance Formats - Provides standardized formats for reporting compliance.
4. Part IV: Annexures and References - Includes additional resources like auditor guidelines and cyber resilience testing scenarios.
The framework emphasizes governance, supply chain risk management, and evolving security guidelines, such as data classification, API security, and the use of Software Bill of Materials (SBOM).
Enhancing Cyber Resilience
The CSCRF's approach includes adopting the five cyber resiliency goals from the Cyber Crisis Management Plan (CCMP) of Indian Computer Emergency Response Team (CERT-In):
Anticipate, Withstand, Contain, Recover & Evolve
These goals are linked to core cybersecurity functions: Governance, Identify, Protect, Detect, Respond, and Recover. This alignment ensures a comprehensive strategy for managing and mitigating cyber risks.
Monitoring and Reporting
To aid in monitoring and assessing cybersecurity maturity, the framework introduces the Cyber Capability Index (CCI) for MIIs and Qualified RE’s. Regular cyber audits and compliance reports will be required, submitted according to the established reporting mechanisms.
This initiative by SEBI underscores the regulator's commitment to strengthening the cybersecurity posture of India's financial markets, ensuring that all participants, regardless of size, are equipped to handle the increasing threat of cyberattacks.
Note: Regulated entities are encouraged to review the framework thoroughly to ensure they meet the new requirements
Comments