Navigating Compliance with SEBI’s Cybersecurity and Cyber Resilience Framework – Expert Insights

Strengthening Cybersecurity: SEBI’s Comprehensive Cybersecurity and Cyber Resilience Framework

By Munjal Kamdar, Partner, Deloitte India and Upasana Mishra, Director, Deloitte India

In an age where digital transformation is accelerating at an unprecedented pace, the importance of cybersecurity cannot be overstated. As organizations increasingly rely on technology to manage sensitive information, the threats to this data have also evolved, becoming more sophisticated and pervasive. Recognizing this urgent need, the Securities and Exchange Board of India (SEBI) has taken a significant step forward by launching the Cybersecurity and Cyber Resilience Framework (CSCRF) for 19 of its regulated or registered entities (REs). This initiative is a testament to SEBI’s commitment to fostering a robust cybersecurity culture within the financial ecosystem.

The Essence of the CSCRF

The CSCRF is designed to create a resilient culture in cyber risk management, aligning with industry standards while addressing the ever-evolving threat landscape. After extensive consultations with stakeholders, SEBI has crafted a framework that not only sets a baseline for compliance audits but also encourages organizations to adopt a proactive approach to cybersecurity.

At its core, the CSCRF amalgamates five Cyber Resilience objectives derived from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In): Anticipate, Withstand, Contain, Recover, and Evolve. These objectives are complemented by the six Cybersecurity functions of the NIST framework: Governance, Identify, Protect, Detect, Respond, and Recover. Together, these elements provide a structured approach to managing cybersecurity risks and enhancing resilience among REs.

Governance: Setting the Tone at the Top

One of the foundational aspects of the CSCRF is its emphasis on governance. SEBI mandates that REs establish a governance structure that clearly defines cybersecurity roles and responsibilities. This structure must be documented in a comprehensive policy, which requires the Board’s approval and annual review. Such oversight is crucial for adapting to new business threats and changes in the regulatory landscape.

Moreover, the framework necessitates regular assessments of the Cyber Capability Index (CCI) and oversight of third-party and outsourced services to ensure compliance with security standards. This proactive governance approach ensures that cybersecurity is not merely an IT issue but a strategic priority for the organization.

Anticipate and Identify: Proactive Risk Management

The CSCRF encourages REs to adopt a forward-thinking approach to cybersecurity by focusing on the "Anticipate and Identify" objectives. Organizations are required to identify and classify critical systems and conduct periodic risk assessments. This includes evaluating potential risks associated with emerging technologies, such as post-quantum cryptography, and performing scenario-based testing to prioritize risk responses effectively.

By fostering a culture of anticipation, organizations can better prepare for potential threats, ensuring that they are not caught off guard by emerging risks.

Protection: Safeguarding Critical Assets

To bolster the "Protection" aspect of cybersecurity, SEBI outlines essential measures that REs must implement. These include robust authentication and access policies, network segmentation, encryption protocols, and the establishment of separate environments for production and development. Additionally, organizations are encouraged to undergo periodic audits by CERT-In and conduct comprehensive Vulnerability Assessment and Penetration Testing (VAPT).

The emphasis on obtaining ISO 27001 certification further underscores the importance of adhering to international standards for information security management. A quick gap analysis can help organizations identify areas for improvement and ensure they are implementing best practices.

Detect: Timely Threat Identification

The ability to detect cybersecurity threats in real time is critical for minimizing damage. The CSCRF mandates that REs establish Security Operations Centres (SOCs) tailored to their business operations. These SOCs are to provide continuous monitoring of systems and networks so that compromises are detected promptly.

SEBI also requires the establishment of Market SOCs at the Bombay Stock Exchange (BSE) and National Stock Exchange (NSE) for all REs, including small and mid-sized entities. Regular assessments of SOC effectiveness and red-teaming exercises for Market Infrastructure Institutions (MIIs) and Qualified REs are essential components of this detection strategy.

Withstand and Contain: Effective Incident Management

In the event of a cybersecurity incident, having a well-defined response plan is crucial. The CSCRF provides a framework for establishing a cyber incident reporting portal and mandates the creation of a detailed Incident Response Management plan. This includes developing Standard Operating Procedures (SOPs), updating the Cyber Crisis Management Plan (CCMP), and conducting Root Cause Analysis (RCA) when necessary.

Furthermore, REs are encouraged to document comprehensive response and recovery plans to ensure quick restoration of systems and effective communication with stakeholders during recovery efforts.

Evolve: Adapting to Emerging Threats

The final goal of the CSCRF is to foster an environment of continuous improvement. SEBI encourages REs to develop and integrate adaptive controls into their cybersecurity strategies, ensuring that these controls evolve in response to emerging threats. The use of Regulatory Technology (RegTech) solutions is recommended to facilitate this adaptive approach.

Conclusion: A Comprehensive Approach to Cybersecurity

SEBI’s Cybersecurity and Cyber Resilience Framework represents a significant advancement in the fight against cyber threats. By emphasizing governance, risk management, and protection, the CSCRF provides a comprehensive roadmap for REs to enhance their cybersecurity posture. The framework mandates clear roles, robust policies, and ongoing training, ensuring that organizations are well-equipped to navigate the complexities of the digital landscape.

As we move forward, it is imperative for organizations to embrace this framework and prioritize cybersecurity as a fundamental aspect of their operations. The stakes are high, and the time to act is now.


Disclaimer: Views expressed are personal and do not reflect the official position or policy of Financial Express Online. Reproducing this content without permission is prohibited.
