Introduction
On 20.08.2024, the Securities and Exchange Board of India (‘SEBI’) released the Cybersecurity and Cyber Resilience Framework[i] (‘CSCRF/Framework’), marking a significant step forward in enhancing the cybersecurity measures of regulated entities (‘REs’) in the Indian securities market. This framework builds on SEBI’s previous initiatives, beginning with a series of circulars issued since 2015 aimed at strengthening cybersecurity resilience. The CSCRF was developed through extensive consultations with a diverse range of stakeholders, including Market Infrastructure Institutions (‘MIIs’), industry associations, government bodies like CERT-In and the National Critical Information Infrastructure Protection Centre, as well as industry experts and cloud service providers (‘CSPs’). Endorsed by SEBI’s High Powered Steering Committee on Cybersecurity (‘HPSC-CS’), the Framework supersedes earlier guidelines, providing a comprehensive standard for enhancing cyber resilience within the securities market.
Scope and Structure of CSCRF
The CSCRF offers a standardised approach to cybersecurity for SEBI REs, aligning with global standards like ISO 27000, CIS v8, and NIST 800-53. Based on their operational scope and thresholds, it classifies REs into five groups: MIIs, Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs. The Framework is divided into four parts: objectives and standards, guidelines, structured formats for compliance, and annexures and references, offering detailed guidance for implementing and reporting cybersecurity measures.
Changes from Erstwhile Provisions
Previously, SEBI issued separate cybersecurity and cyber resilience frameworks for different REs. The CSCRF now unifies these guidelines into a single, comprehensive framework applicable to all REs, ensuring consistency and standardisation. While earlier frameworks primarily focused on basic cybersecurity measures, the CSCRF addresses emerging threats, including data localisation, quantum computing risks, and evolving attack vectors, ensuring that REs adapt to new challenges.
Additionally, previous provisions did not categorise REs based on their operational span or thresholds. The CSCRF introduces a graded compliance approach tailored to the RE’s size, resources, and cybersecurity needs, making compliance more manageable for smaller entities. Furthermore, earlier guidelines did not mandate the establishment of a Market Security Operations Centre (‘SOC’). The CSCRF requires the National Stock Exchange (NSE) and the Bombay Stock Exchange (BSE) to set up market SOCs, offering smaller REs a cost-effective resource for monitoring and compliance.
Part-I: Goal and Objectives
The CSCRF is built on two primary approaches: cybersecurity, which includes governance and operational controls, and cyber resilience, which focuses on anticipating, withstanding, recovering from, and evolving in response to cyber threats. Key aspects include:
Governance Function: REs must establish clear cybersecurity roles, responsibilities, and accountability mechanisms while continuously improving their cyber risk management strategies.
Cyber Capability Index (‘CCI’): MIIs and Qualified REs are required to regularly assess their cyber resilience.
Protection Measures: Include implementing robust authentication policies, network segmentation, encryption, and ensuring compliance with third-party service regulations.
Regular Audits: Vulnerability assessments and ISO 27001 certification are mandatory for MIIs and Qualified REs.
SOC Monitoring: Continuous security monitoring through SOCs is required, with biannual efficacy assessments for MIIs and Qualified REs.
Incident Response: To handle cyber incidents effectively, REs must develop incident response management plans, including Cyber Crisis Management Plans (‘CCMP’) and Root Cause Analysis (‘RCA’).
Recovery Plans: Comprehensive recovery plans must be in place to restore affected systems and maintain communication with stakeholders, emphasising resilience.
Future Readiness: The CSCRF prepares REs for future cybersecurity challenges, including quantum computing threats, through continuous risk assessments and robust data protection strategies.
Part-II: CSCRF Guidelines
The guidelines provide direction to REs on implementing the standards specified in the CSCRF, which is based on five cyber resiliency goals derived from CERT-In’s CCMP: Anticipate, Withstand, Contain, Recover, and Evolve. These goals link to the various cybersecurity functions outlined above. Summarised herein are the key guidelines and their applicability:
Cyber Resilience Goal (Standard: S)
Anticipate
Withstand and Contain
Recover (RC)
Evolve (EV)
Part-III and Part-IV
These sections elaborate on the supersession of previous SEBI circulars, advisories, and letters issued since 2015, covering MIIs, stockbrokers, mutual funds, KYC registration agencies (KRAs), portfolio managers, etc. They also include structured formats for compliance, such as VAPT reports, cyber audit reports, recovery plans, and other relevant references.
Conclusion
The CSCRF is more than a regulatory mandate; it reflects SEBI’s commitment to safeguarding the integrity of India’s securities market in an era of increasingly sophisticated and pervasive cyber threats. By establishing a comprehensive and standardised approach to cybersecurity across all SEBI RE categories, the CSCRF recognises that the threats faced by large market infrastructure institutions differ in scope and scale from those encountered by smaller entities. This graded approach ensures that each RE, regardless of size or operational complexity, is equipped with the tools and protocols to effectively manage and mitigate cyber risks.
The CSCRF represents a forward-looking approach to cybersecurity and cyber resilience for SEBI REs. By standardising cybersecurity measures across distinct RE categories and addressing emerging threats, the framework ensures that India’s securities market is well-protected against the evolving landscape of cyber risks. As technologies and threats evolve, the CSCRF will be regularly updated to meet the securities market's future cybersecurity needs.
End Note
[i] Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, dated 20.08.2024.
Authored by Siddharth Jha, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinions.