The Securities and Exchange Board of India (SEBI) has announced a new Cybersecurity and Cyber Resilience Framework (CSCRF) aimed at fortifying the cybersecurity posture of regulated entities across the Indian financial markets. This new framework is set to be implemented in a phased approach starting January 2025, signaling a significant shift from the existing cybersecurity guidelines.
The CSCRF is a comprehensive set of guidelines designed to enhance both cybersecurity and cyber resilience among entities regulated by SEBI. This new framework comes at a crucial time as cyber threats continue to escalate, threatening the integrity and stability of financial systems. It represents a significant evolution from previous cybersecurity directives, integrating advanced measures to address emerging threats and vulnerabilities.
Introduction to Cybersecurity and Cyber Resilience Framework (CSCRF)
The new Cybersecurity and Cyber Resilience Framework (CSCRF) will be implemented in a structured, phased manner. Regulated entities are required to achieve compliance by January 1, 2025, or by April 1, 2025, depending on their classification. This phased approach is designed to facilitate a smooth transition and enable entities to adapt gradually to the new requirements.
A significant feature of the CSCRF is the introduction of a Cyber Capability Index (CCI), which will be used to regularly assess and monitor the cybersecurity maturity and resilience of market infrastructure institutions and qualified regulated entities. The CCI is intended to serve as a benchmark for evaluating cybersecurity effectiveness and guiding necessary improvements.
To support smaller regulated entities, SEBI has mandated the establishment of Market Security Operation Centres (SOCs) by major stock exchanges, NSE and BSE. These SOCs will provide tailored cybersecurity solutions, helping smaller entities meet the framework’s requirements and enhance their cyber resilience.
Additionally, regulated entities will be required to undergo regular cybersecurity audits under the CSCRF. These audits will cover IT services, Software as a Service (SaaS) solutions, and hosted services, and will be conducted periodically. Reports from these audits must be submitted to the relevant authorities, ensuring ongoing compliance and oversight.
Detailed Compliance Requirements
Under the new Cybersecurity and Cyber Resilience Framework (CSCRF), regulated entities are required to submit compliance reports to SEBI or other relevant authorities according to established periodic standards. These reports must include both half-yearly and annual reviews, which cover various critical aspects of cybersecurity.
This includes evaluations of Cyber Resilience, Vulnerability Assessment and Penetration Testing (VAPT), and cybersecurity training, ensuring a comprehensive approach to maintaining security practices.
Furthermore, within one year of the CSCRF’s issuance, Market Infrastructure Institutions (MIIs) and Qualified Regulated Entities are mandated to obtain ISO 27001 certification. This certification must be accompanied by evidence submitted alongside cyber audit reports to demonstrate adherence to internationally recognized standards for information security management.
Entities are also required to adhere to specific frequencies for conducting Vulnerability Assessment and Penetration Testing (VAPT) on their protected systems and other IT infrastructure. Reports from these assessments must be submitted within one month of their approval, with any identified findings addressed within three months and revalidated within five months to ensure ongoing security.
In addition, comprehensive cyber audits must be conducted to cover both critical and a sample of non-critical systems. These audits require reports to be submitted within a month of completion, with any issues identified needing resolution within three months and follow-on audits conducted within five months.
To facilitate compliance with the CSCRF, NSE and BSE will establish Market Security Operation Centres (SOCs) by January 1, 2025. These SOCs will provide crucial cybersecurity support, particularly for smaller entities. Additionally, other organizations such as NSDL and CDSL may also establish similar facilities to support the framework’s implementation.
Operational Guidelines and Standards
Entities are required to maintain an up-to-date inventory of authorized devices and utilize automated tools for effective network management. Security protocols must include robust perimeter defenses for servers involved in algorithmic trading, as well as the implementation of a zero-trust security model. Access control must adhere to a zero-trust framework, necessitating regular reviews of delegated access, the enforcement of strong password policies, and the prompt removal of unused user credentials.
In terms of log management, entities must diligently collect and monitor all pertinent logs, such as those from systems, applications, and networks. They are also required to implement a rigorous log retention policy and actively monitor for any unusual patterns to ensure comprehensive oversight. Physical security measures demand restricted access to critical systems, bolstered by stringent controls and surveillance for sensitive equipment.
For remote support and access, services must be well-governed and logged, incorporating multi-factor authentication and limiting access to whitelisted IP addresses. Data management practices must include secure data retention and disposal policies to ensure that all data and media are handled with appropriate security measures.
Endpoint and network security require the deployment of endpoint protection solutions and continuous network monitoring, with administrative rights disabled for any unnecessary functions. Security protocols for applications and mobile systems must adhere to OWASP guidelines and ensure secure storage practices.
Additionally, regular cybersecurity training is essential for employees, including updates to training materials as needed to reflect the latest security practices. Entities must also establish mechanisms for reporting fraudulent transactions and educating customers about cybersecurity risks, thereby enhancing overall customer and investor security.
Implementation and Oversight
The implementation of the CSCRF will be closely monitored by SEBI, with entities expected to adhere to the established timelines and compliance requirements. The phased implementation and structured compliance reporting are designed to ensure a smooth transition to the new framework and enhance the overall cybersecurity landscape.
The SEBI cybersecurity framework represents a significant advancement in the regulation of cybersecurity practices within India’s financial markets. By establishing clear guidelines, regular assessments, and providing support to smaller entities, SEBI aims to strengthen the resilience of the financial sector against cyber threats.
This comprehensive approach to cybersecurity and resilience underscores SEBI’s commitment to safeguarding the integrity of financial markets and protecting stakeholders from cyber risks. As the framework is rolled out, it will be crucial for all regulated entities to stay informed and compliant with the new requirements to ensure cybersecurity and resilience.