SEBI CSCRF Compliance With Infopercept

Introduction to SEBI CSCR Compliance

As adversaries keep refining their attack patterns, organizations, too, will have to refine their cybersecurity to stay protected from cyberattacks. SEBI introduced CSCRF for this purpose—to help its regulated entities not only stay one step ahead of adversaries but also deal with any cyber-related incidents effectively.

CSCRF stands for cybersecurity and cyber resilience framework as cyber threats keep on evolving, with Gen AI being the latest addition that adversaries use to launch cyberattacks. SEBI's CSCRF framework is a response to such evolving threats.

Which Frameworks and Standards Are Influencing CSCRF?

The first module within the GSOS platform is "Vision and Mission." This module aids in clearly defining your organization's vision and mission. Achieving the best results necessitates top management investing time in brainstorming and defining the organization's initial purpose.

• ISO 27000 series
• CIS v8
• NIST 800-53
• BIS Financial Stability Institute
• CPMI-IOSCO guidelines

How Are Regulated Entities Classified?

CSCRF classifies REs into five categories based on operational scope, client base, trading volume, and assets under management (AUM):

• Market Infrastructure Institutions (MIIs)
• Qualified REs
• Mid-size REs
• Small-size REs
• Self-certification REs

This categorization ensures cybersecurity requirements are proportional to an entity's size and risk exposure.

What Are The Governance and Compliance Requirements of CSCRF?

• Establish an IT Committee to oversee cybersecurity risk management.
• Conduct annual reviews of cybersecurity policies.
• Perform risk assessments and audits.
• Ensure third-party and outsourced services meet cybersecurity standards
• Establish cybersecurity awareness training for all employees.

Regulated Entities must regularly assess their Cyber Capability Index (CCI) to measure cybersecurity effectiveness.

SEBI also requires the establishment of Security Operations Centers (SOCs) for continuous monitoring. Market SOCs (M-SOCs) at NSE and BSE provide centralized monitoring support for smaller REs.

SEBI CSCRF Checklist

Here's a checklist taken from the CSCRF requirements that all regulated entities have to implement.

1.Governance and Oversight

• Establish a cybersecurity governance framework with defined roles and responsibilities.
• Develop and approve a cybersecurity policy at the board level.
• Conduct regular cybersecurity risk assessments and integrate findings into the risk management process.

2. Risk Assessment & Management

• Identify critical assets and assess potential cyber threats and vulnerabilities.
• Implement risk mitigation strategies based on assessment outcomes.

3. Information Security Policies

• Develop and maintain comprehensive information security policies addressing data protection, access controls, and incident management.
• Ensure policies are communicated and accessible to all employees.

4. Access Control Measures

• Implement strict access controls based on the principle of least privilege.
• Utilize multi-factor authentication mechanisms for critical systems.

5. Network Security

• Deploy firewalls, intrusion detection/prevention systems, and other security technologies to protect network infrastructure.
• Regularly update and patch systems to address known vulnerabilities.

6. Data Protection & Privacy

• Encrypt sensitive data both at rest and in transit.
• Implement data classification and handling procedures to ensure appropriate protection levels.

7. Incident Management & Response

• Develop and maintain an incident response plan detailing procedures for detecting, reporting, and responding to cybersecurity incidents.
• Conduct regular drills and simulations to test the effectiveness of the incident response plan.

8. Business Continuity & Disaster Recovery (BCDR)

• Establish and regularly update BCDR plans to ensure operational resilience during cyber incidents.
• Perform periodic testing of BCDR plans to validate their effectiveness.

9. Training & Awareness

• Implement ongoing cybersecurity training programs for all employees.
• Promote awareness of emerging threats and best practices through regular communications.

10. Compliance & Reporting

• Conduct regular cybersecurity audits and submit required reports to SEBI.
• Maintain records of compliance activities and make them available for regulatory review.

11. Technology Adoption & Upgrades

• Stay informed about emerging cybersecurity technologies and assess their applicability.
• Plan and execute technology upgrades to enhance security posture.

12. Monitoring & Vendor Management

• Implement continuous monitoring mechanisms to detect anomalies and potential threats.
• Assess the cybersecurity practices of third-party vendors and ensure they comply with organizational standards.

By addressing each item on this checklist, organizations can strengthen their cybersecurity posture and ensure compliance with SEBI's CSCRF requirements.

How Invinsense Can Help Your Organization in Implementing SEBI’s CSCRF Guidelines

SEBI guidelines often feel confusing to organizations. They come to us with queries like “Where to begin?” or “How to start?”. Fret not as Invinsense will take care of all the CSCRF compliance requirements on the behalf of your organization.

FAQs

• What structured formats are included in SEBI’s CSCRF for compliance reporting?

  CSCRF includes standardized compliance report formats, covering:

  • Audit reports
  • Incident reporting templates
  • Cybersecurity risk assessment reports
  • VAPT reports
  • Recovery plan templates
• How do I know under which category my entity falls according to SEBI’s CSCRF

  Key factors include:

  • Number of clients served
  • Trading volume and frequency
  • Asset under management (AUM)
  • Level of systemic importance in the securities market
• What is the role of Market SOC (M-SOC) in SEBI’s CSCRF?

  Market SOC, set up by NSE and BSE, provides centralized cybersecurity monitoring and response for smaller REs that may not have the resources to establish their own SOC.

• How often should the IT Committee review cybersecurity policies?

  The IT Committee should conduct reviews at least annually and after significant cybersecurity incidents or regulatory changes.

• What are the core cybersecurity principles in SEBI’s CSCRF?

  CSCRF is based on five cyber resilience goals:

  • Anticipate – Identify and prepare for cyber threats.
  • Withstand – Maintain operations despite attacks.
  • Contain – Limit the spread of cyber incidents.
  • Recover – Restore systems and operations.
  • Evolve – Continuously improve security posture.