Alerts & Updates 2nd Sep 2024
On August 20, 2024, the Securities and Exchange Board of India (SEBI) issued a Cybersecurity and Cyber Resilience Framework (CSCRF) for various entities regulated by SEBI (Regulated Entities or RE).
In 2015, SEBI had issued a Cybersecurity and Cyber Resilience Framework for Market Infrastructure Institutions (2015 MIIs Circular). Subsequently, SEBI issued further cybersecurity and cyber resilience frameworks, in line with the 2015 MIIs Circular, for certain specific Regulated Entities, namely stock brokers, depository participants, mutual funds, asset management companies, KYC registration agencies, qualified registrars to an issue, share transfer agents and portfolio managers. The CSCRF issued by SEBI on August 20, 2024 applies to a much wider pool of Regulated Entities, including Alternative Investment Funds, and replaces all previously issued circulars.
A summary of the key features of the CSCRF is as follows:
The CSCRF classifies Regulated Entities into five categories based on their span of operations and thresholds such as number of clients, trade volume, assets under management, etc. These categories are: Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs and Self-certification REs.
The category of REs shall be decided at the beginning of the financial year based on the data of the previous financial year.
A number of entities, such as Collective Investment Schemes and Credit Rating Agencies, fall under the Self-certification REs category. For the rest, the CSCRF provides an entity-wise categorization with corresponding thresholds, which are as follows:
| Entity | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
|---|---|---|---|---|---|
| AIF | AUM | Less than INR 100 crores | INR 100 crores and above but less than INR 500 crores | INR 500 crores and above but less than INR 1,000 crores | INR 1,000 crores and above |
| VCF | Sum of corpus of all schemes of the VCF | Less than INR 100 crores | INR 100 crores and above but less than INR 500 crores | INR 500 crores and above but less than INR 1,000 crores | INR 1,000 crores and above |
| Stock brokers | Active client base as per UCC | Less than or equal to 10,000 active clients and not providing IBT or Algo trading facility | Less than or equal to 10,000 active clients and providing IBT facility/Algo trading facility; or more than 10,000 and up to 50,000 | More than 50,000 and up to 5,00,000 | More than 5,00,000 |
| Custodians | AUC | NA | Less than INR 1 lakh crores | INR 1 lakh crores and above but less than INR 10 lakh crores | INR 10 lakh crores and above |
| DP | Type of DP | NA | NA | Non-institutional DP | Institutional DP |
| Merchant Banker | NA | NA | All merchant bankers not covered by the columns to the right | If the entity is engaged in management of any public issue (IPOs etc.), public offers by REITs/InvITs, buy-back of securities, delisting of equity shares, open offer etc. | If the entity or its parent or subsidiary or any associate company is a part of a conglomerate or of a Systemically Important Financial Institution |
| Mutual funds | AUM | NA | Less than INR 10,000 crores | INR 10,000 crores and above but less than INR 1 lakh crore | INR 1 lakh crores and above |
| Portfolio Managers | AUM | Less than INR 1,000 crores | INR 1,000 crores and above but less than INR 3,000 crores | INR 3,000 crores and above | NA |
| Non-individual Investment Advisors | NA | NA | All Non-individual Investment Advisors | NA | NA |
| RTA | Number of folios serviced | NA | 10,000 and above but less than 1 crore | 1 crore and above but less than 2 crore | NA |
KRAs shall be treated at par with MIIs category for the applicability of the CSCRF.
Foreign Portfolio Investors (FPIs), Foreign Venture Capital Investors (FVCIs), individual Investment Advisors, Limited Purpose Clearing Corporations (LPCCs), Qualified Depository Participants (QDPs), Vault Managers, RTAs servicing fewer than 10,000 folios, Real Estate Investment Trusts (REITs) and Infrastructure Investment Trusts (InvITs) are excluded from complying with the CSCRF.
The CSCRF sets out objectives, standards and guidelines. Objectives are the goals which a security control needs to achieve. Standards are the established principles that must be met to comply with the CSCRF. Guidelines recommend measures for complying with the standards set out in the CSCRF; a few of the guidelines are mandatory in nature.
All REs are required to put in place a comprehensive cybersecurity and cyber resilience policy. MIIs, Qualified REs, and mid-size REs have to prepare a cyber risk management framework for identification and analysis, evaluation, prioritization, response and monitoring of cyber risks on a continuous basis.
MIIs and Qualified REs are required to prepare a Cyber Capability Index (CCI) to conduct third-party assessment of their cyber resilience on a half-yearly basis. Qualified REs should carry out a self-assessment of their cyber resilience using CCI on a yearly basis.
REs shall identify and classify critical systems based on their sensitivity and criticality for business operations, services and data management. Risk assessment of the RE’s IT environment shall be done on a periodic basis. Risk assessment shall include comprehensive scenario-based testing for assessing risks (including both internal and external risks) related to cybersecurity in REs’ IT environment.
REs need to document and implement policies for authentication, access, log collection and retention. REs should also design and implement network segmentation techniques to restrict access to the sensitive information, hosts, and services.
REs should layer Full-disk Encryption (FDE) with File-based Encryption (FE) to ensure data protection, so that data remains protected both when a device is powered off and, per file, while the system is running.
There should be separate production and non-production environments for the development of all software/ applications for critical systems and further feature enhancements.
Periodic audits shall be conducted by a CERT-In empanelled IS auditing organization to audit the implementation and verify compliance with the applicable standards and mandatory guidelines set out in the CSCRF.
Vulnerability Assessment and Penetration Testing (VAPT) shall be done to detect vulnerabilities in the IT environment for all critical systems, infrastructure components and other IT systems as defined in the CSCRF.
Application Programming Interface (API) security and Endpoint security solutions shall be implemented with rate limiting, throttling, and proper authentication and authorisation mechanisms.
ISO 27001 certification shall be mandatory for MIIs and Qualified REs as it provides essential security standards with respect to Information Security Management System (ISMS).
REs shall establish appropriate security mechanisms through a Security Operations Centre (SOC). The SOC may be housed within the RE, in a group entity or with a third party. The SOC shall carry out continuous monitoring of security events for the timely detection of anomalous activities. The CSCRF has mandated the Bombay Stock Exchange (BSE) and the National Stock Exchange (NSE) to set up a Market SOC onto which small-size REs and Self-certification REs shall be onboarded. MIIs and Qualified REs shall measure the functional efficacy of their SOC on a half-yearly basis. The remaining REs shall obtain the functional efficacy of the SOC utilized by them on a yearly basis from the SOC service providers. The CSCRF provides a quantifiable method and an indicative list of parameters for measuring SOC efficacy.
MIIs and Qualified REs shall conduct “red teaming exercises” as part of their cybersecurity framework. A red teaming exercise has been defined as an exercise which reflects real-world conditions and is conducted as a simulated adversarial attempt to compromise organizational missions or business processes, to provide a comprehensive assessment of the security capabilities of an organization and its systems.
All cybersecurity incidents shall be reported in a timely manner through the SEBI incident reporting portal. All REs shall establish:
In the event of an incident, Root Cause Analysis (RCA) shall be conducted to identify the cause(s) leading to the incident. Where RCA is inconclusive, a forensic analysis shall be undertaken for detailed investigation of the cybersecurity incident. Further, a comprehensive response and recovery plan, which can be triggered to ensure prompt restoration of systems affected by a cybersecurity incident, shall be documented. The CSCRF provides an indicative recovery plan. All relevant stakeholders should be kept informed of actions taken during the recovery process.
Chapter IV of the CSCRF has detailed timelines for the filing of various compliance reports, which are based on the classification of the entity. REs should report to their respective authority(ies). Thus, MIIs shall report to SEBI, stock brokers shall report to stock exchanges, depository participants shall report to depositories etc.
REs for whom a cybersecurity and cyber resilience circular has been issued by SEBI in the past should adopt the CSCRF by January 01, 2025. All other REs should adopt the CSCRF by April 01, 2025.
Part III of CSCRF contains a number of standard formats for the submission of CSCRF compliance reports. Part IV of CSCRF has a number of annexures and references, such as guidelines for auditors, scope for vulnerability assessment and penetration testing etc.
Cybersecurity is of crucial importance to all businesses, especially those providing financial services. Cyber threats of various types are ever increasing, and regulators across the world are increasingly concerned about the ability of financial service providers to keep themselves safe in cyberspace. SEBI has been emphasising the importance of cyber safety for over a decade, and the latest circular from SEBI is a commendable effort by the regulator to keep regulated entities and their clients safe and secure. As usual, the cost of compliance will not be cheap, but non-compliance would undoubtedly be far more expensive.
We hope you have found this information useful. For any queries/clarifications please write to us at insights@elp-in.com or write to our authors:
Vinod Joseph, Partner – Email – vinodjoseph@elp-in.com
Paridhi Jain, Associate, Email – paridhijain@elp-in.com