Strengthening Cybersecurity: Governance Structure and Board Oversight Under SEBI’s CSCRF

Understanding the Roles of the Board, CIO, and CISO in Achieving Effective Compliance, Oversight, and Reporting
In the rapidly evolving digital landscape, cybersecurity and cyber resilience have become pivotal for maintaining robust financial systems. Recognizing this, SEBI (Securities and Exchange Board of India) has articulated detailed guidelines under the Cybersecurity and Cyber Resilience Framework (CSCRF), emphasizing robust governance structures, clearly defined roles, and rigorous oversight. With SEBI's amendments to the cybersecurity regulations, it becomes essential for financial institutions to ensure compliance through proactive planning and structured oversight.
Understanding the CSCRF, in order to stay compliant and resilient against the vulnerabilities of today's cybersecurity landscape, is the need of the hour. Organizational leadership should begin by integrating cybersecurity objectives and operations into existing Information Management and IT policies, including the organization's cybersecurity protocols. Additionally, they should implement the specific CSCRF requirements, such as performing Vulnerability Assessment and Penetration Testing (VAPT), evaluating their Cyber Capability Index (CCI), and addressing the other requirements that apply to whichever of the five classification categories their organization belongs to.
CSCRF is part of a broader strategy around risk management and regulatory compliance, introduced to strengthen resilience. This blog explains how CSCRF governance flows from the Board and Senior Management through the entire organization so that the organization stays CSCRF compliant.
Role of the Board in Ensuring Compliance
Boards of Regulated Entities (REs) must document and implement comprehensive Cybersecurity Policies approved by them, incorporating industry best practices as stipulated by SEBI Guidelines.
The following are a few of the key roles and responsibilities of the Board:
- Approve the list of critical systems within the organization.
- Establish an IT Committee comprising experts proficient in technology. This committee periodically reviews the implementation of the cybersecurity and cyber resilience policy. Self-certified and Small-size REs are exempted from constituting an IT Committee. Boards are also responsible for enabling vendor risk assessment protocols to support ongoing resilience.
- The findings of the IT Committee's reviews, including goal setting for cyber resilience and plans for improvement, shall be placed before the Board/Partners/Proprietor for appropriate action.
- Approve, annually, the IT and cybersecurity data that is sent to or consumed by global/international SOCs and SaaS-based cybersecurity solutions.
- Updates and changes to the contingency plan, COOP, training exercises, and incident response and recovery plan shall be communicated to and approved by the Board/Partners/Proprietor.
Based on the requirements for each type of Regulated Entity, a detailed gap assessment helps identify the additions needed to bridge the gap between the existing Information Security and Information Technology framework and CSCRF. CSCRF is a framework built on standards such as the ISO 27000 series, CIS v8, and NIST 800-53. Organizations that are already compliant with these frameworks will have substantially covered the requirements of CSCRF and may need only a few specific adoption measures. These mandates are aligned with SEBI guidelines on corporate governance, reinforcing board accountability.

Related Read: Using SEBI’s Cybersecurity & Cyber Resilience Framework: An IT & Security Team Strategic Guide
CIO/CISO Responsibilities
The Chief Information Security Officer, whose rank must at least match that of a CTO/CIO, is primarily responsible for assessing cybersecurity threats, reducing risks, establishing controls, and ensuring effective implementation of Cybersecurity Policies.
MIIs and Qualified REs are mandated to appoint a CISO, who performs the roles and assumes the responsibilities stated in the framework, whereas the other types of REs are required to designate a senior official or management personnel as the "Designated Officer", with responsibilities similar to those of a CISO.
The following are a few of the key roles and responsibilities of the CISO/CIO/Designated Officer:
- The CISO or the Designated Officer needs to be attentive to the reporting mechanism established for cybersecurity incidents and take swift and prompt action.
- The CISO should develop a roles and responsibilities matrix, with appropriate personnel assigned, to ensure that everyone is aware of and understands the risk management roles, responsibilities, and the relevant groups and authorities established.
- As part of risk management, ensure that third-party stakeholders such as suppliers, customers/investors, or partners are aware of their roles and responsibilities. Sufficient awareness training programmes to inform third-party stakeholders, together with vendor risk assessments, shall be conducted. A structured third-party risk assessment helps ensure that external dependencies do not jeopardize compliance efforts.
- Periodic awareness training, especially for the Board and senior management, shall be conducted.
Additionally, the CISO has to stay attentive to the cybersecurity landscape, establish a mechanism for periodic risk assessments, and communicate the results to the Board for appropriate action. Incorporating vendor risk management frameworks reinforces the commitment to compliance requirements in India.
Periodic Reviews and Continuous Improvement
Periodic cybersecurity audits, mandated under SEBI guidelines, must be conducted by CERT-In empanelled auditors. The audit ensures alignment with industry standards and evolving regulatory requirements. All REs except self-certified REs are required to form an IT Committee.
REs that excel in risk management and regulatory compliance often demonstrate higher cyber resilience scores. The following are a few of the key review activities to be taken care of by the IT Committee and the Board.
- The cybersecurity and cyber resilience policy shall be reviewed at least annually or when the dynamic cyber landscape poses the necessity to review.
- The IT Committee shall meet on a periodic basis to review the implementation of the cybersecurity and cyber resilience policy. This review includes goal setting for cyber resilience and establishing improvement plans.
- Cybersecurity risk management strategy outcomes shall be reviewed to inform and adjust strategy and directions.
- Assessment of cyber resilience posture using the Cyber Capability Index (CCI) on a periodic basis. MIIs conduct third-party assessments half-yearly, while Qualified REs perform self-assessments annually. Other REs are exempted from CCI assessment.
- The IT Committee shall periodically review instances of cybersecurity incidents/attacks, if any, along with their impact, Root Cause Analysis (RCA), and plans to strengthen cyber resilience.
Cyber intelligence practices play a crucial role here in identifying the changing threat landscape and ensuring that organizations review their cyber resilience strategies. For Small-size and Self-certification REs, the MD/CEO/Board member/Partners/Proprietor directly reviews and approves the CSCRF compliance, providing a clear chain of accountability.
Considering the varied list of activities, an active cyber calendar can be prepared at the start of the year, with timely reminders sent to stakeholders to help them ensure compliance with CSCRF and other SEBI investment advisor regulations. Moreover, periodic review ensures ongoing cybersecurity vigilance, helping them stay informed and compliant with SEBI compliance directives.
Robust Reporting Mechanisms
SEBI regulations emphasize detailed and timely reporting to the relevant authorities. The reporting involves submission of cyber audits, technical reports such as VAPT findings and remediation actions, and the Cyber Capability Index assessment. This rigorous reporting framework ensures transparency and accountability in cybersecurity practices. The following are a few of the important reporting activities to be taken care of by the Board and management.
- Compliance reporting for CSCRF shall be done by the REs to their respective authorities (e.g., MIIs to SEBI, stock brokers to stock exchanges, etc.) as per the existing mechanism.
- Cyber audit report submission timelines are specified based on the category of the RE and the completion of the audit. Along with the cyber audit report, REs shall also submit a required declaration from the MD/CEO.
- The report of the VAPT revalidation exercise, along with any open observations, must be placed before the RE's IT Committee for confirmation and directions. The VAPT revalidation report and the associated third-party risk assessments must align with the regulatory formats.
- All cybersecurity incidents shall be reported in a timely manner through the SEBI incident reporting portal. Any incident falling under CERT-In Cybersecurity directions must be reported to SEBI and CERT-In within 6 hours.
- Self-certification REs are required to submit a self-certification of compliance with applicable CSCRF provisions signed by an authorized signatory.
These submissions are crucial to satisfy compliance mandates in India and keep pace with SEBI's new guidelines.
Conclusion
In essence, while the fundamental principles of governance apply across all categories, the specific implementation requirements, mandatory controls, oversight mechanisms (like the IT Committee and CISO reporting structure), audit obligations, and periodic reporting frequency are tailored based on the RE’s size, scope of operations, and categorization within the CSCRF framework. The establishment of the Market SOC is a key initiative under the CSCRF to specifically address the cybersecurity needs and compliance burdens of smaller REs.
The CSCRF requires the Board and management to ensure effective governance, clearly defined roles, and diligent oversight, with the aim of enhancing cyber resilience. Aligning organizational cybersecurity strategies with regulatory requirements, maintaining an effective reporting system, and ensuring robust third-party risk management are key responsibilities of the Board, CIO/CISOs, and Designated Officers. Periodic updates should integrate insights from cybersecurity threat intelligence to anticipate new threat vectors. Adhering to these SEBI guidelines significantly bolsters the organization's ability to navigate cybersecurity challenges effectively, ensuring trust and stability with all the user entities of the organization. Maintaining consistent SEBI compliance not only fulfils legal obligations but also reinforces trust among market participants.
Authored by:
CA Nakul Pranav | Cybersecurity
FAQ
As per the new SEBI guidelines mentioned in CSCRF, organizations shall have a structured framework model that defines roles, responsibilities, and oversight mechanisms for managing cybersecurity and risk.
SEBI has extended the deadline to ensure compliance with CSCRF to June 30, 2025, for all regulated entities (REs) except Market Infrastructure Institutions (MIIs) which have to be compliant by March 31, 2025. Appropriate SEBI amendments are made with inputs from the market players and stakeholders.
The Board approves cybersecurity policies, oversees risk assessments, and ensures compliance with SEBI regulations. Having proper third-party risk management and conducting effective vendor risk assessments is a significant part of building strong cyber resilience.
SEBI mandates periodic cybersecurity audits by CERT-In empaneled auditors, with formal reports submitted to regulators to ensure that risk management practices align with compliance requirements.
With SEBI's new guidelines, specific parameters are given for each type of market intermediary to determine the category of the RE. The individual market intermediaries, proprietors, or partners of the organization shall follow the SEBI guidelines on corporate governance.