CyberSecurity SEE

SEBI Announces The New CSCRF Framework For January 2025

The Securities and Exchange Board of India (SEBI) has unveiled the Cybersecurity and Cyber Resilience Framework (CSCRF), a new set of guidelines aimed at bolstering the cybersecurity defenses of regulated entities in the Indian financial markets. This initiative, scheduled to be rolled out in phases commencing January 2025, marks a significant departure from existing cybersecurity norms.

The CSCRF represents a comprehensive strategy designed to heighten both cybersecurity preparedness and resilience among entities under SEBI’s jurisdiction. This strategic move comes at a critical juncture as cyber threats continue to proliferate, posing a direct threat to the stability and credibility of financial systems. The framework showcases a substantial progression from prior cybersecurity directives by integrating cutting-edge measures to contend with emerging cybersecurity vulnerabilities and threats.

The introduction of the Cyber Capability Index (CCI) is a notable feature of the CSCRF. The CCI will play a pivotal role in continuously evaluating and monitoring the cybersecurity maturity and resilience of market infrastructure institutions and qualified regulated entities. The index serves as a benchmark for assessing cybersecurity efficacy and for guiding the enhancements needed to fortify defenses.

In a bid to support smaller regulated entities in meeting the framework’s requirements and enhancing their cyber resilience, SEBI has mandated the establishment of Market Security Operation Centers (SOCs) by major stock exchanges like NSE and BSE. These SOCs will offer tailored cybersecurity solutions to aid smaller entities in compliance with the framework’s stipulations.

Additionally, regulated entities will now be subject to regular cybersecurity audits under the CSCRF, covering a gamut of IT services, Software as a Service (SaaS) solutions, and hosted services. These audits will be conducted periodically, with reports mandatorily submitted to the relevant authorities to ensure continual compliance and oversight.

To comply with the CSCRF, regulated entities must furnish compliance reports to SEBI or other pertinent authorities conforming to predefined periodic parameters. These reports will include biannual and annual reviews encompassing various critical facets of cybersecurity, such as Cyber Resilience, Vulnerability Assessment and Penetration Testing (VAPT), and cybersecurity training, to maintain a robust security posture.

Furthermore, within one year from the issuance of the CSCRF, Market Infrastructure Institutions (MIIs) and Qualified Regulated Entities must procure ISO 27001 certification. This certification must be accompanied by evidence submitted alongside cyber audit reports to showcase adherence to globally acknowledged standards for information security management.

Entities are also mandated to adhere to specified frequencies for conducting Vulnerability Assessment and Penetration Testing (VAPT) on their protected systems and other IT infrastructure. Reports from these assessments must be submitted within one month of their approval, with any identified issues addressed within three months and revalidated within five months to confirm that the remediation holds.

Comprehensive cyber audits covering critical and sample non-critical systems should also be conducted by entities. Reports from these audits must be submitted within a month of completion, with any identified issues necessitating resolution within three months and subsequent audits conducted within five months.

To facilitate compliance with the CSCRF, NSE and BSE will establish Market Security Operation Centers (SOCs) by January 1, 2025. These SOCs will offer vital cybersecurity support, particularly for smaller entities. Additionally, other organizations like NSDL and CDSL might also establish similar facilities to bolster the implementation of the framework.

Entities are required to maintain an up-to-date inventory of authorized devices and to employ automated tools for effective network management. Security protocols must include robust perimeter defenses for servers involved in algorithmic trading, and both security architecture and access control must follow a zero-trust model, which entails regular reviews of delegated access, the enforcement of robust password policies, and the swift removal of unused user credentials.

Regarding log management, entities must rigorously collect and monitor all relevant logs from systems, applications, and networks. They are further mandated to enforce a strict log retention policy and to actively monitor the logs for anomalous patterns so that oversight is comprehensive. Physical security mandates restricted access to critical systems, fortified by stringent controls and surveillance for sensitive equipment.

For remote support and access, services must be properly governed and logged, with multi-factor authentication enforced and access restricted to whitelisted IP addresses. Data management practices should encompass secure data retention and disposal policies so that all data and media are handled with the appropriate security measures.

Endpoint and network security require the deployment of endpoint protection solutions and continuous network monitoring, with administrative rights disabled for nonessential functions. Security protocols governing applications and mobile systems must conform to OWASP guidelines and uphold secure storage practices.

Regular cybersecurity training is deemed essential for employees, necessitating updates to training materials as and when needed to reflect the latest security practices. Entities must also establish mechanisms for reporting fraudulent transactions and educate customers on cybersecurity risks, thereby augmenting overall customer and investor security.

The implementation of the CSCRF is slated to be closely monitored by SEBI, with entities expected to adhere to prescribed timelines and compliance mandates. The structured compliance reporting and phased implementation frameworks are designed to ensure a seamless transition to the new framework and improve the overall cybersecurity landscape.

SEBI’s cybersecurity framework marks a significant stride in regulating cybersecurity practices within India’s financial markets. By delineating clear guidelines, instituting regular assessments, and providing targeted support to smaller entities, SEBI endeavors to fortify the financial sector’s resilience against cyber threats.

As the CSCRF unfolds, it is imperative for all regulated entities to stay abreast of and comply with the new requirements to fortify their cybersecurity and resilience measures effectively. With cybersecurity threats becoming increasingly sophisticated, robust frameworks like the CSCRF serve as crucial safeguards to protect the integrity and stability of financial systems against malicious cyber activities.