Cyber threats have emerged as one of the most critical risks to financial systems in today’s hyper-connected world. Securities markets now depend heavily on digital technology, which makes the financial sector a prime target for cyber-attacks. A breach can cause significant financial losses, disrupt market operations, expose data and erode investor confidence. To curb such threats and secure the integrity of the financial market, the Securities and Exchange Board of India (SEBI), the regulator entrusted with overseeing the securities market and ensuring that market participants adhere to stringent guidelines, released the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) on August 20, 2024, with a set of mandates for its Regulated Entities (REs). The framework emphasizes governance, threat identification, protection, detection, response, and readiness for cyberattacks that it treats as inevitable.

This blog sets out why the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) was introduced, its objectives, structure, components and approach, its key highlights and the challenges ahead, so that Regulated Entities (REs) understand how to achieve compliance, build their cybersecurity posture and improve their cyber resilience in an ever-evolving threat landscape.

Why was SEBI CSCRF Introduced?


Financial entities handle sensitive data and high-value transactions and depend on trust, which makes them irresistible targets for cybercrime. They process sensitive financial transactions and personal details and hold records of regulatory enforcement. An attack would have serious implications for clients, stakeholders and the Indian securities market as a whole. SEBI is responsible for protecting the interests of investors while ensuring the integrity of the Indian securities market; its mandate covers investor protection, market regulation, facilitating market development and maintaining market integrity.

Since 2015, SEBI has been strengthening cybersecurity awareness and cyber resilience as the threat landscape keeps changing. Over the past decade various standards were introduced for different intermediaries, but they were found to have gaps: some regulated entities were not covered at all, and those that were covered were not fully equipped to face cyber risks. A consolidated cybersecurity framework was therefore considered, to provide holistic, integrated protection for the entire securities market. The CSCRF, developed after consultation with industry bodies and the feedback gathered, and released in August 2024, responds to technological advancement with a comprehensive cybersecurity and cyber resilience standard.

What is SEBI CSCRF?

The CSCRF is SEBI’s structured approach to cybersecurity for the Indian financial sector: a comprehensive yet flexible framework that gives financial institutions the tools and guidelines to protect their operations, data and clients. It stresses continuous improvement, resilience and preparedness so that India’s financial markets remain secure amid changing cyber threats. It is a proactive response to the rising frequency and sophistication of attacks on organizations, intended to help them prepare for and endure cyberattacks through robust security measures and protocols, with a clear focus on minimizing the impact of an attack and ensuring business continuity. The CSCRF comprises 128 standards organized into four parts, with some guidelines being mandatory and others providing compliance formats and references.

The Key Objectives of SEBI CSCRF

The primary goals of the SEBI Cybersecurity and Cyber Resilience Framework are to improve and standardize cybersecurity practices and measures, ensure cyber resilience, encourage risk management, ensure periodic reviews, improve incident reporting and bring SEBI Regulated Entities into compliance. The CSCRF also defines the reporting formats to be used by REs.

The Framework

The SEBI CSCRF is structured into four broad parts for the ease of compliance and implementation:

Part I – Objectives and Standards: This part defines the objectives that security controls must meet and the principles established for compliance.

Part II – Guidelines: This part contains recommendations and measures for compliance with the standards. Some guidelines are mandatory and must be followed by the REs.

Part III – Structured Formats for Compliance: This part contains standard formats for compliance, which will ensure uniformity and ease of reporting.

Part IV – Annexures and References: This part contains additional resources and references to support the implementation of the framework.


The Key Components of SEBI CSCRF

SEBI’s framework emphasizes the following critical aspects:

Cybersecurity Governance: Establishing a governance structure that assigns accountability and responsibility at the highest levels of the organization.

Cyber Resilience Planning: Developing robust incident response mechanisms and disaster recovery plans to ensure quick recovery in case of a cyber incident.

Risk Assessment: Performing frequent assessments of possible risks and vulnerabilities and then taking steps to mitigate them.

Monitoring and Detection: Constantly monitoring systems for anomalous activity so that data breaches or cyberattacks are caught at the earliest possible stage.

Vulnerability Management: Proactively managing and patching known vulnerabilities in systems, infrastructure and applications.

Third-Party Risk Management: Holding third-party vendors to equally high cybersecurity standards so that no security lapse originates with them.

Training and Awareness: Staff must receive regular training to keep abreast of new cyber threats and protection methods.

These processes prepare the financial infrastructure against present-day threats while building the strength to withstand those of the future.

Compliance Timelines

The SEBI CSCRF adopts a phased approach, since new standards and controls are being introduced. The implementation schedule is as follows:
• RE categories for which a cybersecurity and cyber resilience circular already exists: by January 1, 2025. Regulatory forbearance is granted until March 31, 2025, so that entities demonstrating progress do not face regulatory action during this period.
• REs for which the CSCRF is being introduced for the first time: by April 1, 2025.

The Approach

The SEBI Cybersecurity and Cyber Resilience Framework rests on two complementary approaches: (1) cyber resilience goals and (2) cybersecurity functions. There are five cyber resilience goals (Anticipate, Withstand, Contain, Recover and Evolve) and six cybersecurity functions (Governance, Identify, Protect, Detect, Respond and Recover). The five cyber resilience goals, as formulated by the CSCRF, are:

• Anticipate: maintain a state of readiness so that business functions are not compromised by cyberattacks.
• Withstand: ensure that essential business functions continue even when a cyberattack succeeds.
• Contain: isolate trusted systems from untrusted ones once an attack has succeeded, so that the compromise does not spread.
• Recover: restore business functions to the maximum extent after a successful attack.
• Evolve: upgrade the organization’s cybersecurity capabilities so as to minimize damage from actual and predicted attacks.
Each goal maps to one or more of the six functions of Governance, Identify, Protect, Detect, Respond and Recover. Most of these functions fall under the Anticipate goal, since prevention is better than cure where cyber-attacks are concerned.

Key compliance requirements for REs

Snapshot of the key compliance requirements for REs, mapped to the cyber resilience goals and cybersecurity functions described above:

Goal: Anticipate; Function: Governance; Requirement: Governance and Stakeholder Engagement
• The CSCRF emphasizes governance, including establishing cyber security risk management rules, responsibilities and authorities.
• REs must have a cyber security policy and a cyber resilience policy, covering stakeholder engagement and continuous improvement.
• Top management, including boards, partners and proprietors, must be aware of and approve the cyber security policies and review them regularly.
• The CSCRF provides for third-party assessments and self-assessments of cyber resilience for Qualified REs.

Goal: Anticipate; Function: Identify; Requirement: Identification and Risk Assessment
• The CSCRF sets asset inventory requirements to ensure proper identification and classification of critical assets.
• REs must ensure there are no shadow IT assets and must use tools for asset discovery.
• Risk assessment guidelines cover identification, classification, determination of risks and mitigation measures.
• Risk management is integrated into governance, with periodic assessments and defined management responsibilities for REs.

Goal: Anticipate; Function: Protect; Requirement: Protection and Vulnerability Management
• The CSCRF requires policies for log retention, password management and vulnerability management.
• Vulnerability assessment and penetration testing (VAPT) is mandated periodically, with validation audits and board-level input.
• Internet-facing systems must implement multi-factor authentication; mobile application and API security are treated as crucial.
• Guidelines are provided for detecting vulnerabilities and ensuring security in mobile applications and APIs.

Goal: Anticipate; Function: Detect; Requirement: Detection and Security Operations Centre (SOC)
• The CSCRF sets out a checklist-based approach to detection, with the SOC as the first authority for security event monitoring.
• REs may choose their SOC model, including setting up their own or using third-party services.
• The CSCRF defines a method for measuring the functional efficacy of the SOC, with periodic reporting requirements.
• The SOC must generate timely alerts and manage false positives and false negatives effectively.

Goal: Withstand and Contain; Function: Respond; Requirement: Response and Incident Management
• The CSCRF mandates a cyber crisis management plan, including comprehensive incident response management and the corresponding SOPs.
• Incident management plans, recovery templates and SOPs for handling cyber security incidents are provided.
• REs must classify incidents into categories and decide on forensic audits or board-level involvement accordingly.
• A recovery plan template is included for timely restoration of affected systems.

Goal: Recover; Function: Recover; Requirement: Incident Recovery Plan
• A comprehensive response and recovery plan shall be documented and triggered for timely restoration of systems affected by a cyber incident.
• REs shall conduct scenario-based cyber resilience testing to validate their ability to recover and resume operations following a cyber disruption or attack.

Goal: Evolve; Requirement: Evolve and Continuous Improvement
• The CSCRF emphasizes continuous improvement and evolving cyber resilience to address identified vulnerabilities.
• Continuous automated red teaming is mandated for MIIs and Qualified REs to detect open vulnerabilities.
• Lessons learned from red teaming must be incorporated into the cyber security and cyber resilience strategies.
• REs must keep evolving their cyber resilience to reduce their attack surface and improve their security posture.

How to be SEBI CSCRF Compliant?

Compliance with the CSCRF demands regular assessments and evidence of adherence to SEBI’s guidelines, and commitment at every level of the organization. The key requirements, with their periodicity by RE category (MIIs are Market Infrastructure Institutions; where a category is not listed, the requirement does not apply to it), are:

Key CSCRF Compliance Requirements with Periodicity

• Cyber resilience third-party assessment using the Cyber Capability Index (CCI) (self-assessment in the case of Qualified REs): MIIs half-yearly; Qualified REs annually.
• IT Committee for REs, including at least one external independent expert on cyber security: MIIs, Qualified REs and Mid-sized REs quarterly.
• Functional efficacy of the SOC: MIIs and Qualified REs half-yearly; Mid-sized, Small-sized and Self-certification REs annually.
• Red teaming exercise: MIIs and Qualified REs half-yearly.
• Threat hunting: MIIs and Qualified REs quarterly.
• ISO 27001 audit and certification: MIIs and Qualified REs, within one year of issuance of the CSCRF.
• VAPT: all categories (MIIs, Qualified, Mid-sized, Small-sized and Self-certification REs), at least once or twice in a financial year depending on the category.
• Cyber audit: MIIs and Qualified REs twice a year; Mid-sized and Small-sized REs once a year.

 

SEBI Cybersecurity and Cyber Resilience Framework – Important Takeaways

The SEBI Cybersecurity and Cyber Resilience Framework stresses governance and supply chain risk management, while also introducing evolving security requirements such as data classification and localization, Application Programming Interface (API) security, the Security Operations Centre (SOC) and the measurement of its efficacy, and the Software Bill of Materials (SBOM).

• Data Classification and Localization

REs are mandated to classify data into Regulatory Data and IT & Cybersecurity Data. Regulatory Data must be stored in a form that is readily accessible, legible and usable, within the legal limits of India; where retained data is not in a readable format, REs must maintain the applications or systems needed to read it. The data localisation requirements have since been kept in abeyance.

• Application Programming Interface (API) security

API and endpoint security must include rate limiting, throttling, and proper authentication and authorization mechanisms, so that an API cannot be flooded, scraped or used beyond the caller’s entitlement.
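The following is an added illustration of those four controls working together in one request path; it is example code written for this post, not code from the CSCRF or from any RE’s gateway. The API keys, clients, scopes and quotas are constructed for the example, and the order of checks (throttle by source, then authenticate, then authorize, then apply the per-client quota) is a design choice of the example. The clock is passed in as a parameter so the behaviour is reproducible.

```python
import hashlib


def _key_id(api_key: str) -> str:
    """Store and look up API keys only by their SHA-256 digest, never in clear."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed sample data (hypothetical clients, not from the CSCRF): each key
# carries the scopes it may use and its own sustained rate and burst allowance.
API_KEYS = {
    _key_id("key-broker-01"): {"client": "broker-01",
                               "scopes": {"orders:read", "orders:write"},
                               "rate": 5.0, "burst": 10},
    _key_id("key-reporting"): {"client": "reporting",
                               "scopes": {"orders:read"},
                               "rate": 2.0, "burst": 2},
}

# Scope required by each (method, path); unknown endpoints are rejected outright.
ENDPOINT_SCOPES = {
    ("GET", "/v1/orders"): "orders:read",
    ("POST", "/v1/orders"): "orders:write",
}

# Coarse per-source limit applied before authentication, so key guessing and
# credential stuffing are throttled before they ever reach the key store.
IP_RATE, IP_BURST = 10.0, 20


class TokenBucket:
    """Token bucket: refills `rate` tokens/second up to `capacity`; each request costs one token."""

    def __init__(self, rate: float, capacity: int, now: float):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.updated = float(capacity), now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.updated)  # guard against a clock that goes backwards
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGateway:
    """Order of checks: source throttle -> authenticate -> authorize -> per-client quota."""

    def __init__(self, keys=API_KEYS, endpoint_scopes=ENDPOINT_SCOPES):
        self.keys = keys
        self.endpoint_scopes = endpoint_scopes
        self.ip_buckets: dict = {}
        self.client_buckets: dict = {}

    @staticmethod
    def _bucket(table: dict, ident: str, rate: float, burst: int, now: float) -> TokenBucket:
        if ident not in table:
            table[ident] = TokenBucket(rate, burst, now)
        return table[ident]

    def handle(self, method: str, path: str, api_key: str, source_ip: str, now: float):
        """Return (HTTP status, reason). `now` is injected so the outcome is deterministic."""
        if not self._bucket(self.ip_buckets, source_ip, IP_RATE, IP_BURST, now).allow(now):
            return 429, "source throttled"
        record = self.keys.get(_key_id(api_key)) if api_key else None
        if record is None:
            return 401, "invalid or missing API key"
        required = self.endpoint_scopes.get((method, path))
        if required is None:
            return 404, "unknown endpoint"
        if required not in record["scopes"]:
            return 403, f"scope {required} not granted"
        quota = self._bucket(self.client_buckets, record["client"],
                             record["rate"], record["burst"], now)
        if not quota.allow(now):
            return 429, "client quota exceeded"
        return 200, "ok"


if __name__ == "__main__":
    gw = ApiGateway()
    for t in (0.0, 0.0, 0.0, 0.5):  # third call exhausts the burst of 2, the fourth is refilled
        print(t, gw.handle("GET", "/v1/orders", "key-reporting", "10.0.0.5", t))
```

Two points the code makes that the paragraph does not: the per-source bucket sits in front of authentication, so a flood of invalid keys from one address is answered with 429 rather than an endless stream of 401s, and the per-client bucket sits after authorization, so a noisy tenant exhausts only its own quota.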

• Security Operations Centre (SOC)

CSCRF requires all REs to have an appropriate security monitoring mechanism in place through a Security Operation Centre (SOC). The SOC can be onboarded either through the RE’s own/ group SOC, market SOC, or any other third-party managed SOC.

• Software Bill of Materials (SBOM)

Software Bill of Materials (SBOM) assessments and reporting for critical infrastructure are now mandatory. REs need to maintain a formal record of the components used in building their software, such as open-source code and commercial components, together with the supply chain relationships between them. The SBOM enumerates these components for each product, so that when a component is found to be flawed the RE can tell immediately which products contain it and through which dependencies.
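As an added example of what an SBOM is actually used for (not code from the CSCRF or from any RE), the block below loads a small CycloneDX-style SBOM and answers the two questions that come up first when an advisory lands: which products pull in the named component, through which dependency chains, and which components were delivered without hashes and so cannot have their provenance verified. The SBOM document, package names, versions and hashes are constructed for the example; the version comparison is deliberately simple and real tooling should apply ecosystem-specific rules.

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM for a hypothetical trading gateway. Package
# names, versions and hash values are made up for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "trading-gateway",
                               "version": "3.2.0", "bom-ref": "app:trading-gateway@3.2.0"}},
    "components": [
        {"type": "library", "name": "ordermatch-core", "version": "2.1.0",
         "bom-ref": "pkg:maven/com.example/ordermatch-core@2.1.0",
         "hashes": [{"alg": "SHA-256", "content": "a1" * 32}]},
        {"type": "library", "name": "http-client", "version": "9.3.0",
         "bom-ref": "pkg:maven/org.example/http-client@9.3.0",
         "hashes": [{"alg": "SHA-256", "content": "b2" * 32}]},
        {"type": "library", "name": "json-parse", "version": "4.0.1",
         "bom-ref": "pkg:maven/org.example/json-parse@4.0.1",
         "hashes": [{"alg": "SHA-256", "content": "c3" * 32}]},
        # Commercial component delivered without hashes: its integrity cannot be verified.
        {"type": "library", "name": "market-sdk", "version": "1.4.0",
         "bom-ref": "pkg:maven/com.example/market-sdk@1.4.0"},
    ],
    "dependencies": [
        {"ref": "app:trading-gateway@3.2.0",
         "dependsOn": ["pkg:maven/com.example/ordermatch-core@2.1.0",
                       "pkg:maven/org.example/http-client@9.3.0",
                       "pkg:maven/com.example/market-sdk@1.4.0"]},
        {"ref": "pkg:maven/com.example/ordermatch-core@2.1.0",
         "dependsOn": ["pkg:maven/org.example/json-parse@4.0.1"]},
        {"ref": "pkg:maven/org.example/http-client@9.3.0",
         "dependsOn": ["pkg:maven/org.example/json-parse@4.0.1"]},
    ],
})


def load_sbom(text: str):
    """Return (root ref, {ref: component}, {ref: [dependsOn refs]})."""
    doc = json.loads(text)
    root = doc["metadata"]["component"]["bom-ref"]
    components = {root: doc["metadata"]["component"]}
    for comp in doc.get("components", []):
        components[comp["bom-ref"]] = comp
    deps = defaultdict(list)
    for entry in doc.get("dependencies", []):
        deps[entry["ref"]].extend(entry.get("dependsOn", []))
    return root, components, deps


def parse_version(version: str):
    """Dotted numeric versions only; real tooling should use ecosystem-specific rules."""
    return tuple(int(part) for part in version.split("."))


def affected_components(components, name: str, fixed_in: str):
    """Refs of every component called `name` whose version is below `fixed_in`."""
    return [ref for ref, comp in components.items()
            if comp["name"] == name and parse_version(comp["version"]) < parse_version(fixed_in)]


def dependency_paths(root: str, deps, target: str):
    """Every chain root -> ... -> target, showing through which direct dependencies
    a transitive component is pulled in. A visited-path check keeps cycles from recursing."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in deps.get(node, []):
            if child not in path:
                walk(child, path + [child])

    walk(root, [root])
    return paths


def components_missing_hashes(root: str, components):
    """Components (other than the product itself) whose integrity cannot be verified."""
    return [ref for ref, comp in components.items() if ref != root and not comp.get("hashes")]


if __name__ == "__main__":
    root, comps, deps = load_sbom(SAMPLE_SBOM)
    for ref in affected_components(comps, "json-parse", "4.0.2"):
        for path in dependency_paths(root, deps, ref):
            print(" -> ".join(path))
    print("no hashes:", components_missing_hashes(root, comps))
```

Run against the sample, the query for json-parse below 4.0.2 shows that the single library is reached through two different direct dependencies, which is exactly the case where a team that only patches the first chain it finds is left exposed by the second.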

• VAPT after Major Change/ Major Release

VAPT has to be conducted after every major change or release. This includes the implementation of a new SEBI circular, changes in core versions of software, changes to the policy on login and password management, modifications to how data is exchanged with stock exchanges, changes to security protocols, expansion into new financial markets, and the implementation of new processes or schema changes. REs need to plan their VAPT activity in the first quarter of the financial year and ensure that no audit cycle is missed because of a change in category.

• Quantum Computing

One especially new focus area is post-quantum risk assessment, which many organizations are only beginning to explore and for which they will need a clear strategy. To reduce the risk that quantum computers will break today’s asymmetric cryptographic systems, REs have been given guidelines such as:
• Maintain an inventory of cryptographic assets, recording where each algorithm and key is used and for how long the data it protects must remain secure
• Assess the feasibility of adopting post-quantum cryptography (PQC) and quantum key distribution (QKD)
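As an added example (written for this post, not taken from the CSCRF), the block below shows what turning a cryptographic inventory into a migration priority looks like in practice. Each asset records its algorithm, key or digest size, how long the protected data must stay secure, and how long the system would take to migrate; the code classifies algorithms by quantum impact and applies Mosca’s inequality (shelf life plus migration time versus the years until a cryptographically relevant quantum computer) to decide what must move first. The inventory entries, the years-until-CRQC figure, and the conservative policy of treating 128-bit symmetric keys as needing an upgrade are all assumptions of the example.

```python
from dataclasses import dataclass, asdict

# Public-key algorithms broken by Shor's algorithm on a cryptographically relevant
# quantum computer (CRQC). Symmetric ciphers and hashes only lose half their effective
# bits to Grover's algorithm; treating sub-256-bit keys as "weakened" is a conservative
# policy chosen for this example.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
GROVER_AFFECTED = {"AES", "ChaCha20"}


@dataclass(frozen=True)
class CryptoAsset:
    system: str
    purpose: str             # "key-exchange", "encryption", "signature" or "integrity"
    algorithm: str
    bits: int                # key size, or digest size for hashes
    shelf_life_years: float  # how long the protected data must stay secure
    migration_years: float   # estimated time to move this system to PQC


def classify(asset: CryptoAsset) -> str:
    if asset.algorithm in SHOR_BROKEN:
        return "quantum-vulnerable"
    if asset.algorithm in GROVER_AFFECTED and asset.bits < 256:
        return "quantum-weakened"
    return "adequate"


def mosca_exposed(asset: CryptoAsset, years_until_crqc: float) -> bool:
    """Mosca's inequality: if shelf life (x) + migration time (y) exceeds the years
    until a CRQC exists (z), traffic recorded today can still be broken while it matters."""
    return asset.shelf_life_years + asset.migration_years > years_until_crqc


ACTION_RANK = {"migrate-now": 0, "upgrade-key-size": 1, "plan-migration": 2, "none": 3}


def prioritize(inventory, years_until_crqc: float):
    """One row per asset with its classification and action, most urgent first."""
    rows = []
    for asset in inventory:
        cls = classify(asset)
        if cls == "quantum-vulnerable":
            action = "migrate-now" if mosca_exposed(asset, years_until_crqc) else "plan-migration"
        elif cls == "quantum-weakened":
            action = "upgrade-key-size"
        else:
            action = "none"
        rows.append({**asdict(asset), "classification": cls, "action": action})
    # Within the same action, longer-lived data goes first.
    return sorted(rows, key=lambda r: (ACTION_RANK[r["action"]], -r["shelf_life_years"]))


# Constructed inventory for a hypothetical RE; systems and figures are made up.
SAMPLE_INVENTORY = [
    CryptoAsset("order-gateway TLS", "key-exchange", "ECDH", 256, shelf_life_years=8, migration_years=3),
    CryptoAsset("client-portal TLS", "key-exchange", "RSA", 2048, shelf_life_years=1, migration_years=2),
    CryptoAsset("backup encryption", "encryption", "AES", 128, shelf_life_years=10, migration_years=1),
    CryptoAsset("code signing", "signature", "ECDSA", 256, shelf_life_years=5, migration_years=6),
    CryptoAsset("audit-log hashing", "integrity", "SHA-256", 256, shelf_life_years=8, migration_years=0),
]

if __name__ == "__main__":
    # Assumed horizon: a CRQC in 10 years. Change it and watch the priorities move.
    for row in prioritize(SAMPLE_INVENTORY, years_until_crqc=10):
        print(f'{row["action"]:17} {row["system"]:20} '
              f'{row["algorithm"]}-{row["bits"]} ({row["classification"]})')
```

The point the inventory alone does not make is that two systems using the same algorithm can land in different buckets: with a ten-year horizon the order gateway, whose trade data must be kept for years, has to move now, while the short-lived client portal session keys can wait for a planned migration.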

• Cyber Capability Index (CCI)

One of the critical dimensions of the SEBI Cybersecurity and Cyber Resilience Framework is measuring and quantifying an organization’s cybersecurity preparedness, and this is where the CCI comes in. The CCI tool draws on a comprehensive set of metrics to let organizations gauge their cybersecurity posture and confirm that they meet the regulatory requirements of the CSCRF. By using it, financial entities standardize their evaluation process, identify strengths and weaknesses, and monitor their progress and cyber resilience on a periodic basis.
The CCI score offers an in-depth analysis of an organization’s ability to respond to, manage, and recover from cyber incidents. It helps companies:
• Understand their current cyber risk exposure
• Identify areas of improvement in their security posture
• Allocate resources effectively to mitigate potential cyber risks
• Provide evidence of compliance with SEBI’s guidelines

Upcoming Challenges

Implementation Challenges

• High costs of advanced cybersecurity tools.
• Shortage of skilled cybersecurity professionals.
• Integrating CSCRF requirements into existing operational processes.

Cybersecurity Challenges


Adoption of New Age Technologies

• Overlooked vulnerabilities in open-source components.
• Mobile apps are a major exposure because they exchange data with other applications and can become a channel for data leakage.
• Business social media outreach brings phishing, identity theft and other cyberattacks.
• Growing use of AI and ML tools such as ChatGPT, and the security risks that come with them.
• A compromised AI tool can mean unauthorized access to sensitive data.
• Quantum proofing has become a serious concern, since present-day public-key encryption is endangered by quantum computing.
• Secure transfer and processing of data will require a new way of thinking, including the adoption of quantum-safe algorithms.

Compliance with the Digital Personal Data Protection Act (DPDPA)

• Compliance with the Data Protection Act matters more as data breaches through mobile devices and APIs increase.
• A mindful approach to compliance avoids the loss of investor data and the penalties for non-compliance.
• Seminars and webinars build awareness among financial professionals and decision-makers.

Risk Management Framework

• The CSCRF’s risk management approach is demanding, but every RE needs to know how it identifies its attack surface and puts secure controls in place.
• Change management is crucial, with the focus on making changes without weakening cybersecurity.
• People risk is fundamental: access must be tightly controlled and reviewed regularly.
• Concentration risk among third-party software suppliers needs attention.

Cyber Hygiene and Cyber Resilience

• Cyber hygiene is what turns cybersecurity solutions into practical protection.
• The market SOC concept ensures basic cyber hygiene across the securities market.
• Cyber resilience is about handling incidents, which is why attack isolation drills matter so much.
• Threat hunting is a critical exercise for finding and isolating threats already inside systems.

Regulatory Perspective and Value Proposition

• SEBI’s regulatory mandate is to protect investors, develop the market and supervise market activities.
• The CSCRF’s value proposition rests on confidentiality, integrity, availability and non-repudiation.
• Two-factor authentication and API security are emphasized to ensure that transactions are legitimate.
• Penetration testing and red teaming exercises are essential practices for keeping systems secure.

Vendor Engagement and Tabletop Exercises

• The vendor engagement framework covers securing software and running regular tabletop exercises.
• Tabletop exercises for technical teams and board members strengthen the security posture.
• Industry initiatives with NISM (National Institute of Securities Markets) improve awareness and compliance.
• Continuous compliance, using appropriate tools and techniques, keeps the ecosystem safe.

Incident Reporting and Resolution

• Incidents are to be reported and resolved through a dedicated portal.
• REs report incidents on the portal so that information is shared and resolution can be tracked.
• Continuous feedback is needed to maintain cyber resilience across the market.
• Special-purpose audits validate the audit process and confirm compliance with the CSCRF.

Cost Of Non-Compliance

Cyber threats evolve faster than compliance regulations. The threat landscape is always moving, and SEBI’s CSCRF mandates are designed to keep REs ahead of it. But the highest cost of non-compliance is not the penalty; it is the breach that follows the gap in the defences. A breach costs an organization heavily in damages, reputation loss and legal fees.

Why Act Now?

Early adoption of the SEBI CSCRF ensures compliance, avoids penalties and meets the 2025 deadlines. Beyond that, bringing in quantum-safe technologies now matches the CSCRF’s forward-looking approach, so that entities are ready for regulatory change and avoid costly adjustments later.

Conclusion

The SEBI Cybersecurity and Cyber Resilience Framework is a step that will help to protect India’s financial ecosystem. By setting out strict cybersecurity standards, SEBI aims to provide REs with the knowledge and tools to better protect their assets, data, and operations.

What makes the SEBI Cybersecurity and Cyber Resilience Framework stand out is its forward-looking approach to emerging threats. SEBI has recognized the risk that quantum computing, a rapidly evolving area, poses to traditional methods of encryption. By addressing such advanced threats proactively, SEBI is working to keep India’s securities market safe as technology advances.

By establishing a holistic and future-oriented cybersecurity framework, SEBI is not only safeguarding the integrity of the market but also strengthening the confidence of investors in India’s financial system which is crucial for every citizen of India.

Why Choose InCorp Global?

In today’s rapidly evolving digital landscape, ensuring cybersecurity and resilience is not just a regulatory mandate but is a cornerstone of trust for organizations operating in the financial ecosystem.

InCorp Global is your trusted partner in guiding Regulated Entities through the complexities of the CSCRF regulations, and provides a compliance roadmap backed by comprehensive cybersecurity services that fulfil all SEBI requirements. With InCorp Global, Regulated Entities can confidently navigate the framework, ensuring robust security practices and a resilient approach to future cyber threats based on their own strategy and the evolving threat landscape. We are a full-fledged cyber security consulting company with many years of experience in regulatory compliance. Our expert team, along with security leads, helps organizations perform gap assessments and comply quickly with the CSCRF controls.

Authored by:
Chandramohan Nair | Cybersecurity

Frequently asked questions on SEBI CSCRF