In today’s digitized financial ecosystem, cybersecurity is not a luxury but an operational necessity for an organization. Recognizing the constantly evolving cyber threat landscape, the Securities and Exchange Board of India (SEBI) has introduced the Cyber Security and Cyber Resilience Framework (CSCRF) to fortify the defences of Registered Entities (REs) in the capital market. One of the mandates under CSCRF is the establishment and effective use of a Security Operations Centre (SOC). SOCs are more than just a complex network-monitoring team; they are the nerve centres of an organization’s cybersecurity posture. With attackers becoming more persistent every day, SEBI’s CSCRF ensures that small financial intermediaries are not left vulnerable. 

The Need for a Security Operations Centre (SOC)

A SOC’s primary role is to proactively monitor security systems, identify cyber threats and mitigate them. It is a dedicated facility that continuously monitors, detects, analyzes, and responds to cybersecurity incidents. Continuous SOC monitoring serves as the frontline of an organization’s defence mechanism, enabling real-time threat detection and swift incident response. 

Here are some of the latest cybersecurity insights from the Data Security Council of India (DSCI): 

  • 69 million security incidents were detected across 8.44 million endpoints in India i.e., about 702 potential threats per minute. 
  • Cloud environments made up 62% of total detections, with Trojans being the most detected malware (140 million+) emphasizing the critical need for robust cloud security monitoring. 
  • While ransomware accounted for only 0.3% of detections, its financial and operational impact remained disproportionately high. 

Effective log management is crucial for identifying patterns of malicious activity and supporting incident investigations. The sheer volume of security incidents highlights the need for robust log monitoring capabilities, and it also explains why SEBI mandates continuous security monitoring through SOCs. Beyond compliance, SOCs are about real-time defence, rapid recovery, and business continuity. SOC monitoring creates visibility, reduces dwell time, and ensures that sophisticated threats like ransomware are tackled swiftly. 

Security Monitoring Compliances Enforced by CSCRF

Under the CSCRF, SEBI has laid out a structured and tiered approach to SOC adoption, recognizing the diversity among market participants. Every RE is expected to establish or subscribe to an effective Security Operations Centre (SOC) that functions 24×7. The SOC must be capable of the following: 

  • Monitoring network and endpoint activity 
  • Performing continuous security monitoring for anomalies and threats 
  • Investigating security events 
  • Supporting incident response and remediation 

Exemptions for smaller, self-certified REs (typically those with fewer than 100 clients) are as below: 

  • Depository Participants (DPs) with fewer than 100 clients 
  • Portfolio Managers, Alternative Investment Funds/Venture Capital Funds, RTAs, and Stock Brokers with fewer than 100 clients 

Considering their limited risk profile, these entities are not required to onboard the Market-SOC (M-SOC) or build their own SOC. Additionally, self-certified REs are exempt from periodic cyber audits by CERT-In empanelled auditors, cybersecurity posture evaluations and a few other standards of CSCRF.  

Security Operations performed by a SOC

A compliant SOC must go far beyond basic alert management. Under CSCRF, it should encompass comprehensive logging and monitoring capabilities such as: 

Continuous Monitoring 

Effective SOC monitoring ensures constant surveillance of networks, endpoints, personnel activity and third-party access, including dedicated cloud security monitoring.  

Anomaly detection should be deployed across traffic patterns, system logs, and user behaviour. Monitoring personnel activity, together with ongoing security awareness and training, helps mitigate insider threats and human error. 

Logging and monitoring 

Log management is a fundamental function of a compliant SOC. Centralized collection and analysis of logs from firewalls, operating systems, applications, and security devices using advanced log monitoring tools is crucial. Effective log monitoring also involves behavioural baselines to distinguish normal from malicious activity. 

Threat Response 

A compliant SOC needs a mechanism and a team to swiftly contain incidents by isolating affected systems, backed by a clearly defined escalation matrix for communicating and coordinating with internal stakeholders and external response teams. 

Alert and False Positive Management 

Intelligent parsing of alerts from various detection tools relies heavily on comprehensive log monitoring through advanced SIEM solutions, which reduce noise through correlation and validation. Centralized collection and analysis of logs from various sources, often facilitated by a SIEM, allows behavioural baselines to be built that distinguish normal activity from malicious activity, so that analysts spend their time on genuine threats rather than false positives. 
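The two ideas in the "Logging and monitoring" and "Alert and False Positive Management" sections above (a behavioural baseline built from centralized logs, and correlation of several low-value events into one validated alert) are easy to state but worth seeing in code. The following is an added example written for this article; it is not code from InCorp or from any SIEM product. It parses a handful of constructed, syslog-style sshd lines, learns each user's usual source /24 subnets and login hours from a baseline window, and then scores later logins against that baseline, escalating only when repeated failures from an unseen source are followed by a success. The log lines, the hostnames and the 10-minute window and three-failure threshold are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-style sshd lines: a baseline window (1-3 March) followed
# by a day to evaluate (4 March). Illustrative only; not real data.
LOG_LINES = """\
2024-03-01T09:05:11 app01 sshd[410]: Accepted password for alice from 10.1.5.20 port 5001
2024-03-01T10:20:43 app01 sshd[422]: Accepted password for bob from 10.1.7.9 port 5002
2024-03-02T09:41:02 app01 sshd[511]: Accepted password for alice from 10.1.5.31 port 5003
2024-03-02T14:03:17 app01 sshd[530]: Accepted password for bob from 10.1.7.12 port 5004
2024-03-03T08:58:30 app01 sshd[601]: Accepted password for alice from 10.1.5.20 port 5005
2024-03-04T09:10:05 app01 sshd[702]: Accepted password for alice from 10.1.5.22 port 5006
2024-03-04T22:15:40 app01 sshd[733]: Accepted password for bob from 10.1.7.9 port 5007
2024-03-04T23:01:02 app01 sshd[740]: Failed password for alice from 203.0.113.7 port 6001
2024-03-04T23:01:09 app01 sshd[741]: Failed password for alice from 203.0.113.7 port 6002
2024-03-04T23:01:15 app01 sshd[742]: Failed password for alice from 203.0.113.7 port 6003
2024-03-04T23:02:30 app01 sshd[745]: Accepted password for alice from 203.0.113.7 port 6004
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["subnet"] = ".".join(e["ip"].split(".")[:3])  # /24 as a coarse "where from"
        events.append(e)
    return events


def build_baseline(events, cutoff):
    """Per-user profile from successful logins before cutoff: usual /24s and usual hours."""
    base = defaultdict(lambda: {"subnets": set(), "hours": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "Accepted":
            base[e["user"]]["subnets"].add(e["subnet"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def detect(events, baseline, cutoff, window=timedelta(minutes=10), fail_threshold=3):
    """Score post-cutoff logins against the baseline; correlate failures with a later success."""
    alerts = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ts"] < cutoff:
            continue
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])  # a single failure is noise; remember it, do not alert
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        prof = baseline.get(e["user"])
        new_subnet = prof is None or e["subnet"] not in prof["subnets"]
        odd_hour = prof is None or e["ts"].hour not in prof["hours"]
        if len(recent) >= fail_threshold and new_subnet:
            sev, why = "high", f"{len(recent)} failures then success from unseen subnet"
        elif new_subnet:
            sev, why = "medium", "success from subnet not in baseline"
        elif odd_hour:
            sev, why = "low", "success from known subnet at unusual hour"
        else:
            continue  # matches the baseline: suppressed, no analyst time spent
        alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "ip": e["ip"],
                       "severity": sev, "reason": why})
    return alerts


def run(lines=LOG_LINES, cutoff=datetime(2024, 3, 4)):
    """Build the baseline from everything before cutoff and evaluate what follows."""
    events = parse(lines)
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as-is, the script raises nothing for alice's in-hours login from her usual subnet, a low-severity alert for bob's late-evening login from a known subnet, and a single high-severity alert for the three failed attempts on alice's account followed by a success from an address outside her baseline. That last case is the correlation point: three "Failed password" lines on their own would be routine noise, and one "Accepted password" on its own is unremarkable; it is the combination, judged against the baseline, that deserves an analyst's attention. A production SIEM does the same thing with richer profiles and many more sources, but the logic is no different.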

Root Cause Analysis 

Perform post-incident reviews to identify the source of breaches and implement measures to prevent recurrence by strengthening internal controls. 

How to Comply with CSCRF SOC Requirements?

SEBI guidelines allow flexibility in how REs meet SOC requirements. The three acceptable models are as below: 

In-House Security Operations Centre (SOC)

Large institutions or Market Infrastructure Institutions (MIIs) may choose to develop and manage their own SOC for maximum control and customization. 

Market SOC (M-SOC) 

SOCs set up by NSE, BSE, NSDL or CDSL provide affordable, scalable solutions for smaller and mid-sized REs. They also offer VAPT and cyber audit services via CERT-In empanelled auditors. 

Third-Party SOCs 

Managed security service providers (MSSPs) can be engaged by REs to meet compliance while outsourcing operational complexity. However, REs should understand that even if they outsource SOC services or onboard to the M-SOC, the ultimate responsibility and accountability still lie with the RE, not the service provider. As part of periodic reviews and reporting, MIIs and qualified REs must review SOC effectiveness bi-annually using the metrics specified in the framework. Other REs using M-SOC or MSSP services must obtain and review an annual Security Operations Centre (SOC) efficacy report. 

Final Thoughts: Building Resilience, Not Just Compliance

A Security Operations Centre (SOC) might sound complex and bring to mind images of blinking dashboards, sleepless nights and technical jargon. However, with the right team, a clear strategy, and regulatory clarity under SEBI’s CSCRF, building or subscribing to a SOC becomes feasible and transformational. With the specified exemptions for self-certified REs and the availability of M-SOCs and third-party service providers, small players with limited cybersecurity expertise can still ensure robust, real-time protection. 

In a dynamic threat landscape, resilience requires agility. REs must adopt advanced detection techniques, implement threat intelligence feeds, perform periodic red team exercises and conduct regular phishing simulations. Phishing simulation exercises are essential to enhance employee vigilance and reinforce cybersecurity best practices. REs shall ensure, through third-party risk management, that vendors are SOC-compliant, because a supply chain is only as strong as its weakest link.  

True resilience also requires actively participating in the security awareness and training campaigns organized by M-SOCs, staying up to date with evolving regulatory expectations, and building a cybersecurity culture that trickles down from top management to operational personnel, combined with effective internal controls. While a Security Operations Centre (SOC) might seem complex, it is achievable, especially when approached as a shared responsibility.  

Why Choose InCorp Global?

We at InCorp provide services related to cybersecurity, information security, and data privacy. Our experienced team and networks provide a customized roadmap to effectively onboard a Security Operations Centre (SOC), meet compliance and improve cybersecurity posture. To learn more about our services, you can write to us at info@incorpadvisory.in or reach out to us at (+91) 77380 66622. 

Authored by:
Nakul Pranav | Cybersecurity 