By Munjal Kamdar, Partner, Deloitte India and Upasana Mishra, Director, Deloitte India
In the ever-evolving world of cybersecurity, regulators are at the forefront of implementing measures to protect sensitive information from a constantly expanding spectrum of threats. In this endeavour, after widespread stakeholder consultation, the Securities and Exchange Board of India (SEBI) has launched the Cybersecurity and Cyber Resilience Framework (CSCRF) for 19 of its regulated or registered entities (REs).
This comprehensive framework aims to build a resilient culture in cyber risk management, address the evolving threat landscape to align with industry standards, and define the baseline for effective compliance audits.
SEBI’s CSCRF guidance amalgamates five Cyber Resilience objectives, adapted from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In): Anticipate, Withstand, Contain, Recover, and Evolve, along with the six Cybersecurity functions of the NIST framework – Governance, Identify, Protect, Detect, Respond, and Recover. The framework offers a structured approach to managing cybersecurity and enhancing resilience for REs, focusing on governance and operational controls.
Let’s summarise the requirements specified in the SEBI CSCRF in the context of the standards identified above.
To begin with, SEBI has laid out governance requirements that mandate REs to set the tone at the top by creating a governance structure. The governance structure must define and enforce cybersecurity roles and document a comprehensive cybersecurity policy. The Board must approve this policy and review it annually so that it adapts to new business threats and changes in the regulatory environment. Crucially, CSCRF mandates regular Cyber Capability Index (CCI) assessments and oversight of third-party and outsourced services to ensure they meet security and regulatory standards.
Secondly, SEBI builds on the theme of “Anticipate and Identify” by requiring REs to identify and classify critical systems and conduct periodic risk assessments (including post-quantum cryptography risks) with scenario-based testing, threat assessments, vulnerabilities, likelihoods, and impacts to effectively prioritise risk responses.
Furthermore, CSCRF advances its Cyber Resilience Goal of “Anticipate” by adding a layer of “Protection,” mandating key measures such as authentication and access policies, network segmentation, full-disk and file-based encryption, separate environments for production and development, periodic CERT-In audits, comprehensive VAPT, and API and endpoint security. Additionally, CSCRF emphasises the importance of obtaining ISO 27001 certification. Many of these controls will already be in place at REs as part of existing best practices; a quick gap analysis will show which controls still need to be implemented.
Timely detection of compromises is a critical cybersecurity requirement. SEBI’s CSCRF incorporates the layer of “Detect” by mandating that REs establish Security Operations Centres (SOCs) suited to their business operations for continuous monitoring. This includes setting up Market SOCs at BSE and NSE for all REs, including small and mid-sized ones, assessing SOC effectiveness semi-annually (or annually for others), and conducting red-teaming exercises for Market Infrastructure Institutions (MIIs) and Qualified REs.
Moreover, CSCRF addresses the domain of “Withstand and Contain” by providing a portal for reporting cyber incidents. REs will be required to establish a detailed Incident Response Management plan with SOPs, maintain an updated Cyber Crisis Management Plan (CCMP), and conduct Root Cause Analysis (RCA), with forensic analysis where needed. Additionally, CSCRF recommends that REs document a comprehensive response and recovery plan for quick system restoration and keep all relevant stakeholders informed during the recovery process.
Next, SEBI’s Evolve goal requires REs to develop and integrate adaptive controls into their cybersecurity strategy to address identified vulnerabilities and reduce attack surfaces, ensuring that these controls evolve in response to emerging threats. For this purpose, SEBI recommends the use of Regulatory Technology (RegTech) solutions.
Finally, to get an objective review of the interplay of the above, SEBI requires an annual cybersecurity audit conducted by CERT-In empaneled auditors, with the audit report submitted accordingly. Additionally, regular cybersecurity training for employees and outsourced staff is also mandated to ensure ongoing preparedness and awareness.
In conclusion, the CSCRF provides a comprehensive framework for cybersecurity and resilience, emphasising governance, risk management, and protection. It mandates clear roles, robust policies, risk assessments, and measures for protecting the data assets of REs.
Disclaimer: Views expressed are personal and do not reflect the official position or policy of Financial Express Online. Reproducing this content without permission is prohibited.