SEBI’s Cybersecurity Framework: A Gamechanger for REs

How Sebi’s Cybersecurity and Cyber Resilience Framework Is a Gamechanger in Cybersecurity

Regulators play a crucial role in setting strong measures to protect sensitive data from cybercriminals. Recently, the Securities and Exchange Board of India (SEBI) introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) for 19 categories of its regulated entities (REs) after extensive stakeholder consultation.

This comprehensive framework is designed to foster a culture of resilience against potential threats, adapt to the current threat landscape in line with industry standards, and establish the baseline for effective compliance audits.

To build cyber resilience, SEBI's CSCRF combines five key objectives drawn from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In): Anticipate, Withstand, Contain, Recover, and Evolve.

Figure: the five CCMP cyber resilience objectives

It also incorporates the six functions of the NIST Cybersecurity Framework (CSF) 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. Together, these give regulated entities a clear method for managing cybersecurity and improving resilience, covering both governance and operational controls.

Figure: the six NIST CSF functions

Furthermore, SEBI requires REs to establish a governance structure that demonstrates a clear commitment to cybersecurity from top management. This structure must clearly assign cybersecurity roles and responsibilities and be backed by a documented cybersecurity policy.

The Board must approve this policy and review it at least annually so that it keeps pace with new cyber threats and with changes in regulation.

Additionally, the CSCRF requires REs to assess and report their Cyber Capability Index (CCI) at regular intervals. The CCI is an index that scores how well an RE's cybersecurity and resilience controls are implemented, giving both the RE and SEBI a measurable view of its cybersecurity posture.

The framework also requires oversight of any third-party or outsourced services to ensure they meet necessary security and regulatory standards. This overall approach helps strengthen the organization's cybersecurity efforts.

SEBI emphasizes the importance of anticipating and identifying risks. It requires REs to identify and classify their critical systems and to assess risks regularly. The assessment covers threat assessments, scenario-based testing, and evaluation of vulnerabilities, likelihoods, and impacts so that risk responses can be prioritized effectively; REs must also account for the risk that quantum computing poses to the cryptography they rely on today.

The CSCRF builds on this with a "Protect" layer. This requires key measures such as authentication and access-control policies, network segmentation, full-disk and file-based encryption, and separate environments for production and development.

It also mandates periodic cybersecurity audits by CERT-In-empanelled auditors, thorough Vulnerability Assessment and Penetration Testing (VAPT), and the securing of APIs and endpoints.

The CSCRF also stresses obtaining ISO 27001 certification.

Many of these practices are already part of what REs do, so a quick gap analysis against the framework will show which additional controls are needed.

Detecting compromises quickly is essential for good cybersecurity.

SEBI's CSCRF therefore includes a "Detect" layer. It requires REs to set up Security Operations Centres (SOCs) for continuous monitoring. This includes Market SOCs operated by BSE and NSE that REs, including smaller ones, can use; reviews of SOC effectiveness twice a year (annually for the remaining categories of REs); and red-teaming exercises for Market Infrastructure Institutions (MIIs) and Qualified REs.

The CSCRF provides guidelines for handling cyber incidents, which must be reported through SEBI's incident reporting portal.

REs must create a detailed Incident Response Management plan with standard operating procedures. They must also maintain an up-to-date Cyber Crisis Management Plan (CCMP) and conduct Root Cause Analysis (RCA) and, where necessary, forensic analysis of incidents.

REs are also expected to document a clear response and recovery plan so that systems can be restored quickly and all relevant stakeholders are kept informed throughout the recovery.

Under the Evolve objective, REs must build adaptable controls into their cybersecurity strategy so that newly discovered vulnerabilities are addressed and the attack surface shrinks over time.

SEBI suggests using Regulatory Technology (RegTech) solutions for this purpose.

Finally, SEBI requires an annual cybersecurity audit by CERT-In-empanelled auditors, with the audit report submitted to SEBI as prescribed.

Regular cybersecurity training for all employees and outsourced staff is also required to maintain preparedness and awareness.

In summary, the CSCRF provides a solid framework for cybersecurity and resilience. It emphasizes the importance of governance, risk management, and data protection for REs.
