Sheena Khan
September 2, 2024
The Securities and Exchange Board of India (“SEBI”) on August 20, 2024 introduced a new Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) (hereinafter referred to as the “Framework”). The Framework supersedes the guidelines, circulars, advisories, etc. previously issued by SEBI with respect to cybersecurity. SEBI has issued the Framework to enhance cybersecurity in the Indian securities market and to ensure adequate resilience against cyber incidents and attacks.
The framework is based on five main goals viz. Anticipate, Withstand, Contain, Recover, and Evolve. The Framework divides Regulated Entities into five categories depending on certain factors such as the number of clients, trading volume, and assets under management. These categories include Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs. SEBI has structured the Framework into four parts: Part (I) outlines the objectives, standards, and compliance timelines; Part (II) provides mandatory guidelines to achieve and implement these standards; Part (III) offers standardized formats for compliance reporting; and Part (IV) includes annexures and references, offering detailed guidelines for auditors, cyber resilience testing, the Cyber Capability Index (CCI) and functional efficacy of Security Operations Centre (SOC), etc.
One of the key features of the Framework is the Cyber Capability Index (CCI). This index will help MIIs and Qualified REs regularly assess and monitor their progress and cyber resilience. Such a grading mechanism is expected to considerably improve the ability of these entities to anticipate and deal with cyber threats. The Framework further highlights the importance of Security Operations Centres (SOCs) in maintaining cybersecurity. Depending on their resources, REs can set up their own SOCs, join group SOCs, or use market SOCs or other third-party SOCs for the purpose of continuous monitoring of security events and timely detection of unusual activities.
For smaller REs, SEBI has required the National Stock Exchange (NSE) and the Bombay Stock Exchange (BSE) to set up market-level SOCs (M-SOCs). These M-SOCs will provide specialized cybersecurity solutions to such smaller entities, helping them achieve the necessary level of cybersecurity without requiring significant resources.
The Framework will be implemented in two phases. Regulated Entities that were already following SEBI’s previous cybersecurity guidelines must comply with the new Framework by January 1, 2025, while all other Regulated Entities are required to comply by April 1, 2025. After these deadlines, all REs are required to conduct cybersecurity audits as per the Framework and submit their reports to SEBI.
The Framework applies to the following categories of Regulated Entities: Alternative Investment Funds (AIFs); Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs); Clearing Corporations; Collective Investment Schemes (CIS); Credit Rating Agencies (CRAs); Custodians; Debenture Trustees (DTs); Depositories; Designated Depository Participants (DDPs); Depository Participants through Depositories; Investment Advisors (IAs)/ Research Analysts (RAs); KYC Registration Agencies (KRAs); Merchant Bankers (MBs); Mutual Funds (MFs)/ Asset Management Companies (AMCs); Portfolio Managers; Registrar to an Issue and Share Transfer Agents (RTAs); Stock Brokers through Exchanges; Stock Exchanges; Venture Capital Funds (VCFs).