With cyber threats escalating, the Securities and Exchange Board of India (SEBI) has launched a sweeping Cybersecurity and Cyber Resilience Framework (CSCRF) to protect the country's financial institutions. This new framework, which sets rigorous cybersecurity and resilience standards, aims to shield regulated entities (REs) from the expanding wave of cyber threats facing financial markets globally. Indians faced significant financial losses from "digital arrest" scams, totaling around Rs.120.3 crore in the first quarter of 2024 alone. The National Cybercrime Reporting Portal recorded a staggering 0.74 million complaints between January 1 and April 30, following 1.5 million reported cases in 2023. This steady rise—from 0.45 million cases in 2021 to 0.96 million in 2022—underscores the urgent need for stronger cybersecurity measures.
In response, the Insurance Regulatory and Development Authority of India (IRDAI) has also directed insurers to bolster their cybercrime defenses and is considering revisions to its anti-fraud policy to address this escalating threat more effectively.
As attackers grow more sophisticated, financial markets worldwide face the reality of intensified risks, making SEBI’s framework timely and critical for India’s financial resilience. Here’s an in-depth look at the CSCRF, its expected impact on Indian financial institutions, and how Allied Digital can support compliance and operational resilience.
Understanding SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF)
The CSCRF establishes a structured approach to cybersecurity and resilience, focusing on five goals that cover end-to-end cybersecurity needs:
- Anticipate – Prepare proactively for potential cyber threats.
- Withstand – Maintain essential operations even during an attack.
- Contain – Rapidly isolate threats to prevent wider impact.
- Recover – Promptly restore affected systems.
- Evolve – Adapt to prevent future vulnerabilities based on past incidents and new technological advancements.
Key Components of the Framework
The CSCRF framework mandates continuous monitoring, reporting, and resilience, setting a high bar for India’s financial institutions. Key elements include:
- Security Operations Centers (SOCs): Market Infrastructure Institutions (MIIs), such as stock exchanges and depositories, must establish 24x7 SOCs by January 2025. This requirement includes real-time monitoring of security events, proactive threat detection, and incident response. According to a 2024 Gartner report, SOCs have reduced the average time to detect a cyber threat from over 200 days to just 63 days, significantly curtailing potential damages. SEBI’s SOC mandate will ensure that financial institutions can monitor threats continuously and respond swiftly.
- Data Localization and Protection Standards: With global data privacy mandates tightening, SEBI’s CSCRF aligns closely with India’s data localization laws, emphasizing data sovereignty. Regulatory Data, including client and operational data, must remain within Indian borders to protect it from international cyber risks. This aligns SEBI’s framework with the Reserve Bank of India’s (RBI) data localization policies, addressing the need to keep investor and client information secure within India’s jurisdiction.
- Rigorous Auditing and Compliance Requirements: SEBI mandates several forms of reporting, including Vulnerability Assessment and Penetration Testing (VAPT) and cybersecurity audits, with stringent standards for larger institutions. Mid-size and Qualified REs must also implement ISO 27001 standards and submit frequent assessments to ensure compliance with CSCRF. A 2024 PwC report showed that institutions conducting regular VAPT saw a 34% reduction in critical vulnerabilities, underscoring the effectiveness of SEBI’s auditing requirements in improving cybersecurity resilience.
- Flexible, Tiered Requirements for Different Entities: SEBI tailors CSCRF compliance based on an entity’s size and operational complexity, with requirements scaling up for entities handling large transaction volumes or significant client data. Large entities like MIIs face the highest standards, while smaller entities have a lighter compliance load, allowing the framework to be both rigorous and adaptable.
The CSCRF has sweeping implications for India’s securities market, affecting a wide array of entities regulated by SEBI:
- Market Infrastructure Institutions (MIIs): These include stock exchanges, depositories, and clearing corporations, which must adhere to the highest standards under CSCRF.
- Mutual Funds and Asset Management Companies (AMCs): To protect investor data and assets, AMCs and mutual funds must comply with SEBI’s data protection, risk assessment, and recovery mandates.
- Stock Brokers, Custodians, and Depository Participants: Brokers and depository participants handling sensitive transaction data will implement heightened cybersecurity protocols to prevent unauthorized access and data breaches.
- Credit Rating Agencies, Portfolio Managers, and KYC Registration Agencies: These entities must fortify customer data protection through stronger identity management protocols.
SEBI’s extensive applicability ensures that all entities, from large infrastructure institutions to investment advisors, are equipped to guard against cyber risks.
How Allied Digital Supports SEBI Compliance and Cyber Resilience
As regulated entities work to comply with SEBI’s new framework, Allied Digital offers specialized solutions to help them meet CSCRF’s standards effectively. With a track record of over four decades in managed IT and cybersecurity services, Allied Digital provides a full spectrum of compliance, monitoring, and resilience solutions to align with SEBI’s framework.
- Comprehensive Security Operations Centers (SOCs): Allied Digital’s AI-powered SOC services offer real-time threat detection, anomaly detection, and response, meeting SEBI’s SOC standards. With tools like Digital Desk+, Allied Digital ensures financial institutions can manage cybersecurity incidents across endpoints, cloud, and network environments.
- Regular Vulnerability Assessments and Compliance Reporting: Allied Digital conducts VAPT and continuous compliance assessments, enabling entities to meet CSCRF’s requirements. Allied Digital’s team can also assist in ISO 27001 certification preparation, essential for entities requiring advanced resilience strategies.
- Threat Intelligence and Resilience Consulting: In a constantly evolving threat landscape, Allied Digital provides threat intelligence and resilience consulting, helping institutions identify vulnerabilities proactively. Allied Digital’s resilience strategies help financial entities prepare for evolving threats, protect customer trust, and ensure operational continuity.
- Data Localization Strategy and Supply Chain Security: Allied Digital offers expert guidance in data localization and supply chain security, helping REs store and process data within India’s jurisdiction. Allied Digital’s consultancy services ensure that institutions adhere to data sovereignty requirements while remaining agile for cross-border compliance.
By adhering to SEBI’s framework and leveraging Allied Digital’s tailored solutions, financial entities in India are well-positioned to transform compliance into resilience, building long-term trust and operational strength in a digital world where cybersecurity is paramount.
Comment from SVP - Digital Infrastructure, CIO advisor, Advisory Board Member (2 weeks ago):
Great example of public-private partnership to protect a country’s most valuable assets from bad actors. Glad that Allied Digital is playing a crucial role in this challenging endeavor under the expert leadership of Amit Kulkarni.