SEBI comes up with framework to address cybersecurity risks to regulated entities

Capital markets regulator SEBI (Securities and Exchange Board of India), in a consultation paper on 'Consolidated Cyber Security and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities', has drafted a master framework on cybersecurity and cyber resilience, which provides a common structure for multiple approaches to cybersecurity to prevent any such incidents.

The framework is based on five functions of cybersecurity – Identify, Protect, Detect, Respond, and Recover. It refers to globally recognised standards, e.g., NIST Special Publication 800-53 Revision 5, COBIT 5, and CIS controls for cybersecurity controls, outcomes, and guidance.

The framework mandates all regulated entities will identify and classify critical assets based on their sensitivity and criticality for business operations, services, and data management. The board or partner or proprietor will approve the list of critical systems. They'll be solely accountable for all aspects related to third-party services taken, including confidentiality, integrity, availability, non-repudiation, among others.

Under the protect function, the periodic audit will be conducted by a CERT-In empanelled auditor to audit the implementation and compliance to standards, says SEBI, adding that all REs will implement network segmentation techniques to restrict access to sensitive information, hosts, and services.

To detect any threat, these entities will set up appropriate security mechanism via Security Operation Centre (SOC) -- own or third-party SOC, or a managed SOC -- for continuous monitoring of security events.

To ensure REs responds to such threats in a timely manner, they will formulate an "up-to-date cyber crisis management plan (CCMP); comprehensive incident response management plan and respective SOPs; and probe alerts generated from monitoring and detection systems".

In addition to that, they'll trigger a "response and recovery plan" for the timely restoration of systems affected by the cyber incident. "An indicative (but not limited to) recovery plan has been attached. Actions taken during the recovery process shall be informed to all related stakeholders," the market regulator says, adding the framework will continue to be updated and improved as technology and the securities market evolves.

The regulator has sought comments on the consultation paper from the regulator till July 25, 2023.

The market regulator says the use of information technology has grown rapidly in the securities market and has become a critical component of all entities regulated by SEBI. “However, with these swift technological advancements, protection of IT infrastructure and data through cybersecurity measures has become a key concern for SEBI and its REs.”

SEBI says various cybersecurity and cyber resilience frameworks have been issued to address cybersecurity risks and enhance cyber resilience for such entities. It has also issued an advisory on cybersecurity best practices for all the REs.

As per the regulator, the latest guidelines have been “formulated to enhance the scope of cybersecurity and cyber resilience framework, and address the need of the uniformity of cybersecurity guidelines for all REs and to strengthen the mechanism to deal with cyber risks/threats/incidents”.