SEBI’s Cyber Security and Resilience Framework (CSCRF)

Published:

Building a Cyber-Safe India: The Role of SEBI’s Cyber Security and Cyber Resilience Framework

By Munjal Kamdar

In an increasingly digital world, the need for robust cybersecurity measures has never been more pressing. As India strides toward becoming a global economic powerhouse, the financial services industry stands at the forefront of this challenge. The stakes are exceptionally high, with sensitive financial data and transactions being prime targets for cybercriminals. Recognizing this urgent need, the Securities and Exchange Board of India (SEBI) took a significant step forward by releasing the Cyber Security and Cyber Resilience Framework (CSCRF) on August 20, 2024. This framework mandates comprehensive cyber controls for all 19 types of regulated entities (REs) under its purview, marking a pivotal moment in India’s journey toward a cyber-safe environment.

Key Measures of SEBI’s CSCRF

The CSCRF introduces a series of measures designed to enhance the cybersecurity posture of financial institutions. Here, we delve into some of the most critical components of this framework that promise to fortify India’s cyber defenses.

Establishing Regulations

At the heart of the CSCRF is the establishment of comprehensive cybersecurity regulations. These regulations are designed to ensure that organizations across the financial sector meet minimum security standards. By implementing these regulations, SEBI aims to create a baseline of security that all REs must adhere to, thereby fostering a more secure financial ecosystem.

Promoting Best Practices

The framework encourages the development and implementation of a comprehensive cybersecurity strategy. This strategy outlines the vision, goals, and actions necessary to secure the cyber infrastructure of regulated entities. By promoting best practices, SEBI aims to cultivate a culture of cybersecurity awareness and proactive risk management within the financial services sector.

Encouraging Transparent Reporting

Transparency is a cornerstone of effective cybersecurity. The CSCRF mandates regular audits and reporting of cyber incidents, fostering accountability among REs. This requirement not only helps regulators understand emerging trends but also enables them to shape better policies and responses to cyber threats. By encouraging transparent reporting, SEBI aims to create a more informed and responsive regulatory environment.

Fostering Collaboration

Cybersecurity is a collective responsibility that transcends individual organizations. The CSCRF emphasizes the importance of collaboration among government entities, the private sector, and law enforcement agencies. By promoting information sharing on threats and vulnerabilities, SEBI aims to create a unified front against cyber adversaries, enhancing the overall security posture of the financial sector.

Specific Mandates for Regulated Entities

Effective Cybersecurity Measures

One of the primary mandates of the CSCRF is for REs to adopt effective cybersecurity measures and risk management strategies. By implementing the framework, these entities can create a resilient cyber ecosystem that safeguards both individuals and businesses in India. This proactive approach is essential for mitigating risks associated with cyber threats.

Establishment of Market Security Operations Centres (SOCs)

To ensure compliance, SEBI mandates the establishment of Market Security Operations Centres (SOCs) by participating REs, including the National Stock Exchange (NSE) and the Bombay Stock Exchange (BSE). These SOCs will play a crucial role in monitoring and responding to cybersecurity incidents. Regular reporting on the effectiveness of these SOCs to SEBI will further enhance accountability and transparency in the financial sector.

Cybersecurity Supply Chain Risk Management

The CSCRF also emphasizes the importance of managing cybersecurity risks associated with the supply chain. REs are required to develop strategies and processes for identifying, assessing, and managing risks posed by suppliers and third-party providers. This initiative recognizes that a chain is only as strong as its weakest link, and enhancing the maturity of the entire supplier ecosystem is vital for maintaining robust cybersecurity.

Data Protection Measures

Data protection is a fundamental aspect of cybersecurity. The CSCRF mandates REs to implement operational controls that safeguard the confidentiality, integrity, and availability of data. This includes strong encryption measures for data-at-rest and data-in-transit, as well as ensuring separation between development and production environments. By prioritizing data protection, SEBI aims to mitigate the risks associated with data breaches and cyberattacks.

Transparent Audits

Finally, the CSCRF requires REs to undergo transparent audits conducted by CERT-In empaneled auditors. These audits will assess the cyber resilience posture of REs and ensure compliance with the framework’s requirements. Regular evaluations will help organizations remain effective against evolving threats, reinforcing the importance of continuous improvement in cybersecurity practices.

Challenges in Compliance

While the CSCRF presents a robust framework for enhancing cybersecurity, REs will face several challenges in compliance:

  1. Governance Framework: Establishing a governance framework within organizations to oversee cybersecurity initiatives will be crucial.

  2. Market SOCs Setup: Setting up Market SOCs will require significant investment and coordination among a fragmented stockbroking community.

  3. Supply Chain Security: Organizations will need to inventory service providers, perform risk assessments, and maintain robust follow-up assessments, which will demand time and resources.

  4. Audit Requirements: Maintaining compliance records and evidence for audits will require diligent documentation and remedial testing.

  5. Continuous Compliance: REs will need automated repositories and workflows to ensure ongoing compliance, necessitating capital investment and consulting assistance.

Conclusion

In conclusion, SEBI’s Cyber Security and Cyber Resilience Framework is a critical step toward enhancing India’s cybersecurity landscape, particularly within the financial sector. By establishing regulations based on best practices, promoting collaboration, and encouraging transparent reporting, the CSCRF aims to strengthen resilience and advance India’s preparedness to face the challenges of cyberspace. As the financial services industry adapts to these new requirements, it will not only safeguard its own interests but also contribute to the broader goal of creating a cyber-safe India.

(The author is Munjal Kamdar, Partner, Deloitte Touche Tohmatsu India LLP, and Upasana Mishra, Director, Deloitte Touche Tohmatsu India LLP. The views expressed in this article are their own.)

Related articles

Recent articles