Circular Date: August 20, 2024
Circular No.: SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113
Key Themes:
- Strengthening Cybersecurity: This document outlines SEBI's framework for enhancing cybersecurity and cyber resilience within the Indian securities market.
- Risk Management: The framework emphasizes a risk-based approach, requiring SEBI-regulated entities (REs) to identify, assess, mitigate, and monitor cyber risks.
- Compliance: The document lays out specific standards, guidelines, and reporting formats to ensure REs adhere to the framework.
- Graded Approach: The framework acknowledges different operational scales and risk profiles by categorizing REs into five groups (MIIs, Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs).
- Security Operations Center (SOC): The framework mandates the establishment of SOCs by REs for continuous monitoring and proactive threat detection.
Most Important Ideas/Facts:
- Background: SEBI has previously issued cybersecurity frameworks for Market Infrastructure Institutions (MIIs) and specific RE categories. This new framework builds upon those and aims to create a more comprehensive and standardized approach.
- Objectives: The CSCRF aims to:
- Address evolving cybersecurity threats.
- Establish clear cybersecurity standards and audit procedures.
- Ensure compliance by SEBI REs.
- Provide consistent reporting formats.
Framework Structure: The document is divided into four parts:
- Part I: Objectives and Standards – Definitions, compliance expectations, audit reporting, objectives, and standards.
- Part II: Guidelines – Practical steps and measures for implementing cybersecurity controls and achieving framework objectives.
- Part III: Compliance Formats – Standardized formats for REs to submit compliance reports.
- Part IV: Annexures and References – Includes auditor guidelines, scenario-based testing protocols, Cyber Capability Index (CCI) details, Security Operations Centre (SOC) functional efficacy assessment, and more.
Key Focus Areas:
- Governance and Supply Chain Risk Management: Highlighting the importance of establishing robust governance structures and managing cybersecurity risks within the supply chain.
- Data Security: Emphasizing data classification, data localization, securing APIs, and implementing Data Loss Prevention (DLP) solutions.
- Security Monitoring: Mandating the use of Security Operations Centers (SOCs) for continuous security monitoring and anomaly detection.
- Cyber Capability Index (CCI): This index will be used for MIIs and Qualified REs to periodically assess and track their cybersecurity posture and progress.
- Market SOC (M-SOC): NSE and BSE are mandated to establish M-SOCs to assist smaller REs in meeting cybersecurity requirements and provide cost-effective security solutions.
Implementation Period:
- REs already covered by an existing SEBI cybersecurity circular: January 1, 2025.
- REs not covered by an existing circular: April 1, 2025.
Applicability: The framework applies to a wide range of SEBI-regulated entities, including:
- Alternative Investment Funds (AIFs)
- Bankers to an Issue (BTI)
- Clearing Corporations
- Collective Investment Schemes (CIS)
- Credit Rating Agencies (CRAs)
- Custodians
- Debenture Trustees (DTs)
- Depositories
- Depository Participants (DPs)
- Designated Depository Participants (DDPs)
- Investment Advisors (IAs)
- KYC Registration Agencies (KRAs)
- Merchant Bankers (MBs)
- Mutual Funds (MFs)
- Portfolio Managers
- Registrar to an Issue and Share Transfer Agents (RTAs)
- Stock Brokers
- Stock Exchanges
- Venture Capital Funds (VCFs)
- "CSCRF highlights the importance of governance and supply chain risk management and at the same time, it focuses on evolving security guidelines such as data classification and localization, Application Programming Interface (API) security, Security Operations Centre (SOC) and measuring its efficacy, Software Bill of Materials (SBOM), etc."
- "CSCRF mandates that all REs are required to establish appropriate security monitoring mechanisms through Security Operation Centre (SOC)."
- "CSCRF aims to ensure that even smaller REs are equipped with adequate cybersecurity measures and achieve resiliency against cybersecurity incidents/ attacks."
- REs should thoroughly review the CSCRF document and begin taking necessary steps to align with the framework requirements.
- SEBI will continue to monitor the cybersecurity landscape and may update the framework as needed.
This briefing document provides a high-level overview of the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF). REs are strongly encouraged to refer to the full document for detailed information and guidance.