SEBI has released a Cyber Security and Cyber Resilience (CSCR) framework for SEBI Regulated Entities (REs), in which it has clarified that REs, which include AIFs, collective investment schemes, clearing corporations, investment advisors, research analysts, KYC registration agencies (KRAs), MFs, AMCs, PMs, RTAs and Venture Capital Funds (VCFs), will be held responsible for breaches of cyber security norms.
It said that intermediaries are accountable for ensuring compliance with laws, regulations, circulars etc. issued by SEBI/Govt. of India. They will be held accountable for any violations.
Here is the summary of the framework:
Anticipation of cyber attacks
- REs shall establish and enforce cybersecurity risk management roles, responsibilities and authorities for accountability and improvement
- REs have to document and implement CSCR policy with the approval of the board
- Market Infrastructure Institutions (MIIs) have to conduct third-party assessment of their cyber resilience using a metric called Cyber Capability Index (CCI) on a half-yearly basis. Qualified REs have to do self-assessment of their cyber resilience on a yearly basis
- REs have sole accountability for all aspects related to third-party services, including confidentiality, integrity, availability, non-repudiation and the security of their data and logs
- REs have to identify and classify critical systems based on their sensitivity and criticality for business operations, services and data management
- REs have to conduct a comprehensive scenario-based risk assessment of their IT environment including both internal and external risks
- Every identified threat or vulnerability has to be used to understand inherent risks and to prioritise risk responses
- REs should design and implement network segmentation techniques to restrict access to sensitive information, hosts and services
- REs have to use layering of Full-disk Encryption (FDE) along with File-based Encryption (FE) for data protection
- Development and feature enhancement of all software/applications used for critical systems should be done in separate production and non-production environments
- Periodic audits will be done by a CERT-In empanelled IS auditing organisation to check compliance with the applicable standards and mandatory guidelines
- REs have to conduct Vulnerability Assessment and Penetration Testing (VAPT) to detect vulnerabilities in the IT environment
- REs will implement Application Programming Interface (API) security and endpoint security solutions with rate limiting, throttling and proper authentication and authorization mechanisms
- MIIs and REs must obtain ISO 27001 certification to ensure essential security standards
- REs should establish appropriate security mechanisms through a Security Operations Centre (SOC) for continuous monitoring of security events and detection of anomalous activities. BSE and NSE will set up a market SOC onto which small-size REs and self-certification REs have to be onboarded
- MIIs and qualified REs have to measure the functional efficacy of their SOC on a half-yearly basis, while the rest of the REs can have this done on a yearly basis by their SOC service providers
- MIIs and qualified REs will conduct red teaming exercises in which they simulate cyber-attacks to test the strength of their cybersecurity framework
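The API security bullet above lists rate limiting, throttling and authentication together without saying how they fit. The following is an added illustration of those three controls working in one request gate; it is not SEBI's code or any RE's implementation, and it assumes a hypothetical API where each request carries a client id and an API key, with a constructed credential store and an explicit clock so the behaviour is deterministic.

```python
"""Per-client token-bucket rate limiting behind a per-source throttle and an
authentication gate. Added example, not from the SEBI framework; the API,
client ids and keys are hypothetical/constructed."""
import hmac

# Constructed sample credential store: client id -> API key (hypothetical).
API_KEYS = {"broker-01": "k-7f3a", "ria-02": "k-9c1d"}


class TokenBucket:
    """Classic token bucket: `capacity` is the burst allowance, `refill_per_sec`
    the sustained rate. The caller supplies the clock (`now`, in seconds)."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = None

    def try_consume(self, now):
        # Top up with the tokens earned since the last call, capped at capacity.
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGate:
    """Order matters: throttle by source first (so credential guessing is also
    throttled), then authenticate, then apply the per-client rate limit."""

    def __init__(self, api_keys, client_capacity=3, source_capacity=10, refill_per_sec=1.0):
        self.api_keys = api_keys
        self.client_capacity = client_capacity
        self.source_capacity = source_capacity
        self.refill = refill_per_sec
        self.client_buckets = {}
        self.source_buckets = {}

    def _bucket(self, table, key, capacity):
        if key not in table:
            table[key] = TokenBucket(capacity, self.refill)
        return table[key]

    def _authenticate(self, client_id, presented_key):
        # Compare against a dummy when the id is unknown so that the timing of
        # the check does not reveal whether the client id exists.
        expected = self.api_keys.get(client_id, "\0" * 16)
        return client_id in self.api_keys and hmac.compare_digest(expected, presented_key)

    def handle(self, client_id, presented_key, source_ip, now):
        """Returns (http_status, reason) for one request at time `now`."""
        if not self._bucket(self.source_buckets, source_ip, self.source_capacity).try_consume(now):
            return 429, "source throttled"
        if not self._authenticate(client_id, presented_key):
            return 401, "authentication failed"
        if not self._bucket(self.client_buckets, client_id, self.client_capacity).try_consume(now):
            return 429, "client rate limit"
        return 200, "ok"


if __name__ == "__main__":
    gate = ApiGate(API_KEYS)
    for i in range(4):
        print(i + 1, gate.handle("broker-01", "k-7f3a", "10.0.0.1", 100.0))
    print("after 2s", gate.handle("broker-01", "k-7f3a", "10.0.0.1", 102.0))
    print("bad key", gate.handle("broker-01", "wrong", "10.0.0.2", 100.0))
```

Placing the per-source throttle ahead of authentication means a source that hammers the endpoint with bad keys is slowed down before it costs a credential lookup, while the per-client bucket only counts requests that actually authenticated, so one client's burst cannot exhaust another's allowance. Both limits are checked against the same clock value passed in, which keeps the logic testable without sleeping.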
Withstanding & containing cyber attacks
- All cybersecurity related incidents should be reported in a timely manner through the SEBI incident reporting portal
- All REs will have to establish an incident response management plan with SOP and Cyber Crisis Management Plan (CCMP)
- In case of an incident, Root Cause Analysis (RCA) should be done to identify the cause leading to the incident
- In case the RCA is inconclusive, a forensic analysis should be undertaken for detailed investigation of the cybersecurity incident
Recovering and evolving from cyber attacks
- REs must document a comprehensive response and recovery plan which will be triggered to ensure prompt restoration of systems affected by a cybersecurity incident
- Actions taken during the recovery process will have to be communicated to all relevant stakeholders as required
- Adaptive and evolving controls to tackle identified vulnerabilities and reduce attack surfaces will be created and incorporated into the CSCR
The deadline for adoption of CSCR provisions is Jan 1, 2025 for categories of REs for which CSCR already exists and April 1, 2025 for others.