Alerts & Updates 2nd Sep 2024

Cybersecurity and Cyber Resilience Framework for SEBI Regulated Entities

Authors

Vinod Joseph Partner | Mumbai


  • On August 20, 2024, the Securities and Exchange Board of India (SEBI) issued a Cybersecurity and Cyber Resilience Framework (CSCRF) for various entities regulated by SEBI (Regulated Entities or REs).

    In 2015, SEBI had issued a Cybersecurity and Cyber Resilience framework for Market Infrastructure Institutions (2015 MIIs Circular). Subsequently, SEBI had issued other cybersecurity and cyber resilience frameworks in line with the 2015 MIIs Circular for certain specific Regulated Entities, namely stock brokers, depository participants, mutual funds, asset management companies, KYC registration agencies, qualified registrars to an issue, share transfer agents and portfolio managers. The CSCRF issued by SEBI on August 20, 2024 applies to a much wider pool of Regulated Entities, including Alternative Investment Funds, and replaces all previously issued circulars.

    A summary of the key features of the CSCRF is as follows:

  • Classification of REs

    The CSCRF classifies Regulated Entities into five categories based on their span of operations and thresholds such as number of clients, trade volume, asset under management, etc. These categories are:

    • Market Infrastructure Institutions (MIIs)
    • Qualified REs
    • Mid-size REs
    • Small-size REs
    • Self-certification REs

    The category of REs shall be decided at the beginning of the financial year based on the data of the previous financial year.

    A number of entities, such as Collective Investment Schemes and Credit Rating Agencies, fall under the Self-certification REs category. For the rest, the CSCRF also provides an entity-wise categorization with corresponding thresholds, which is as follows:

    | Entity | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
    |---|---|---|---|---|---|
    | AIF | AUM | Less than INR 100 crores | INR 100 crores and above but less than INR 500 crores | INR 500 crores and above but less than INR 1000 crores | INR 1000 crores and above |
    | VCF | Sum of corpus of all schemes of the VCF | Less than INR 100 crores | INR 100 crores and above but less than INR 500 crores | INR 500 crores and above but less than INR 1000 crores | INR 1000 crores and above |
    | Stock brokers | Active client base as per UCC | Less than or equal to 10,000 active clients and not providing IBT or Algo trading facility | More than 10,000 and up to 50,000; or less than or equal to 10,000 active clients and providing IBT facility / Algo trading facility | More than 50,000 and up to 5,00,000 | More than 5,00,000 |
    | Custodians | AUC | NA | Less than INR 1 Lakh crores | INR 1 Lakh crores and above but less than INR 10 Lakh crores | INR 10 Lakh crores and above |
    | DP | Type of DP | NA | NA | Non-institutional DP | Institutional DP |
    | Merchant Banker | NA | NA | All merchant bankers not covered by the columns to the right | If the entity is engaged in management of any public issue (IPOs etc.), public offers by REITs/InvITs, buy-back of securities, delisting of equity shares, open offer etc. | If the entity or its parent or subsidiary or any associate company is a part of a conglomerate or of a Systemically Important Financial Institution |
    | Mutual funds | AUM | NA | Less than INR 10,000 crores | INR 10,000 crores and above but less than INR 1 lakh crores | INR 1 lakh crores and above |
    | Portfolio Managers | AUM | Less than INR 1000 crores | INR 1000 crores and above but less than INR 3000 crores | INR 3000 crores and above | NA |
    | Non-individual Investment Advisors | NA | NA | All Non-individual Investment Advisors | NA | NA |
    | RTA | Servicing number of folios | NA | 10,000 and above but less than 1 crore | 1 crore and above but less than 2 crore | NA |

    KRAs shall be treated at par with MIIs category for the applicability of the CSCRF.

  • Exclusions:

    Foreign Portfolio Investors (FPIs), Foreign Venture Capital Investors (FVCI), individual Investment Advisors, Limited Purpose Clearing Corporation (LPCC), Qualified Depository Participants (QDPs), Vault Managers, RTAs servicing less than 10,000 folios, Real Estate Investment Trusts (REITs) and Infrastructure Investment Trusts (InvITs) are excluded from complying with the CSCRF.

  • CSCRF Structure:

    The CSCRF sets out objectives, standards and guidelines. Objectives are goals which a security control needs to achieve. The standards represent established principles for compliance with the CSCRF. Guidelines recommend measures for complying with standards mentioned in the CSCRF. A few of the guidelines are mandatory in nature.

  • CSCRF Policy and cyber risk management framework:

    All REs are required to put in place a comprehensive cybersecurity and cyber resilience policy. MIIs, Qualified REs, and mid-size REs have to prepare a cyber risk management framework for identification and analysis, evaluation, prioritization, response and monitoring of cyber risks on a continuous basis.

  • Cyber Capability Index:

    MIIs and Qualified REs are required to prepare a Cyber Capability Index (CCI) to conduct third-party assessment of their cyber resilience on a half-yearly basis. Qualified REs should carry out a self-assessment of their cyber resilience using CCI on a yearly basis.

  • Anticipating and identifying threats:

    REs shall identify and classify critical systems based on their sensitivity and criticality for business operations, services and data management. Risk assessment of the RE’s IT environment shall be done on a periodic basis. Risk assessment shall include comprehensive scenario-based testing for assessing risks (including both internal and external risks) related to cybersecurity in REs’ IT environment.

  • Access control:

    REs need to document and implement policies for authentication, access, log collection and retention. REs should also design and implement network segmentation techniques to restrict access to the sensitive information, hosts, and services.

  • Data protection:

    REs should use Layering of Full-disk Encryption (FDE) along with File-based Encryption (FE) to ensure data protection.

  • Software development:

    There should be separate production and non-production environments for the development of all software/ applications for critical systems and further feature enhancements.

  • Periodic audits:

    Periodic audits shall be conducted by a CERT-In empanelled IS auditing organization to audit the implementation of, and compliance with, the applicable standards and mandatory guidelines mentioned in the CSCRF.

  • Vulnerability Assessment and Penetration Testing:

    Vulnerability Assessment and Penetration Testing (VAPT) shall be done to detect vulnerabilities in the IT environment for all critical systems, infrastructure components and other IT systems as defined in the CSCRF.

  • Application Programming Interface:

    Application Programming Interface (API) security and Endpoint security solutions shall be implemented with rate limiting, throttling, and proper authentication and authorisation mechanisms.

  • ISO 27001 certification:

    ISO 27001 certification shall be mandatory for MIIs and Qualified REs as it provides essential security standards with respect to Information Security Management System (ISMS).

  • Security Operations Centre:

    REs shall establish appropriate security mechanisms through a Security Operations Centre (SOC). The SOC may be housed in the RE, in a group entity or even with a third party. The SOC shall carry out continuous monitoring of security events for the timely detection of anomalous activities. The CSCRF has mandated the Bombay Stock Exchange (BSE) and the National Stock Exchange (NSE) to set up a Market SOC on which Small-size REs and Self-certification REs shall be onboarded. MIIs and Qualified REs shall measure the functional efficacy of their SOC on a half-yearly basis. The rest of the REs shall obtain the functional efficacy of the SOC utilized by them on a yearly basis from the SOC service providers. The CSCRF has provided a quantifiable method and an indicative list of parameters for measuring SOC efficacy.

  • Red Teaming:

    MIIs and Qualified REs shall conduct “red teaming exercises” as part of their cybersecurity framework. A red teaming exercise has been defined as an exercise which reflects real-world conditions and is conducted as a simulated adversarial attempt to compromise organizational missions or business processes, to provide a comprehensive assessment of the security capabilities of an organization and its systems.

  • Handling cybersecurity incidents:

    All cybersecurity incidents shall be reported in a timely manner through the SEBI incident reporting portal. All REs shall establish:

    • a comprehensive Incident Response Management plan with appropriate SOPs; and
    • an up-to-date Cyber Crisis Management Plan (CCMP).

    In the event of an incident, Root Cause Analysis (RCA) shall be conducted to identify the cause(s) leading to the incident. Where RCA is inconclusive, a forensic analysis shall be undertaken for detailed investigation of the cybersecurity incident. Further, a comprehensive response and recovery plan, which can be triggered to ensure prompt restoration of systems affected by a cybersecurity incident, shall be documented. The CSCRF provides an indicative recovery plan. All relevant stakeholders should be kept informed of actions taken during the recovery process.

  • Filing of compliance reports:

    Chapter IV of the CSCRF has detailed timelines for the filing of various compliance reports, which are based on the classification of the entity. REs should report to their respective authority(ies). Thus, MIIs shall report to SEBI, stock brokers shall report to stock exchanges, depository participants shall report to depositories etc.

  • Deadline for adoption of CSCRF:

    REs for whom a cybersecurity and cyber resilience circular has been issued by SEBI in the past should adopt the CSCRF by January 01, 2025. All other REs should adopt the CSCRF by April 01, 2025.

  • Structured formats for compliance:

    Part III of the CSCRF contains a number of standard formats for the submission of CSCRF compliance reports. Part IV of the CSCRF has a number of annexures and references, such as guidelines for auditors, scope for vulnerability assessment and penetration testing etc.

  • ELP Comments

    Cybersecurity is of crucial importance to all businesses, especially those providing financial services. Cyber threats of various types are ever increasing, and regulators across the world are increasingly concerned about the ability of financial service providers to keep themselves safe in cyberspace. SEBI has been emphasising the importance of cyber safety for over a decade, and the latest circular from SEBI is a commendable effort from the regulator to keep regulated entities and their clients safe and secure. As usual, the cost of compliance would not be cheap, but non-compliance would undoubtedly be much more expensive.

    We hope you have found this information useful. For any queries/clarifications please write to us at insights@elp-in.com or write to our authors:

    Vinod Joseph, Partner – Email – vinodjoseph@elp-in.com

    Paridhi Jain, Associate – Email – paridhijain@elp-in.com

Disclaimer: The information contained in this document is intended for informational purposes only and does not constitute legal opinion or advice. This document is not intended to address the circumstances of any individual or corporate body. Readers should not act on the information provided herein without appropriate professional advice after a thorough examination of the facts and circumstances of a situation. There can be no assurance that the judicial/quasi-judicial authorities may not take a position contrary to the views mentioned herein.
