SEBI's Framework for Cloud Service Adoption: What You Need to Know as a Regulated Entity (RE)

The Securities and Exchange Board of India (SEBI) has released a circular titled Framework for the Adoption of Cloud Services by SEBI Regulated Entities (REs). The circular (SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033) sets baseline standards for regulatory compliance and security. The framework is an essential addition to SEBI's existing guidelines on cloud computing and is designed to help REs achieve secure and compliant cloud adoption.

SEBI

"To address this issue, SEBI formed a working group in response to the growing number of such incidents. A framework to address technical glitches has been developed based on recommendations from the working group and views obtained from stakeholders and industry experts."

The main purpose of this framework is to highlight the key risks and the mandatory control measures that REs need to put in place before adopting cloud computing. The circular also sets out the regulatory and legal compliance obligations that REs take on if they adopt such solutions.

By adhering to the framework's guidelines, REs can establish a solid risk management strategy for cloud adoption, which includes assessing risks, implementing appropriate controls, monitoring compliance, and ensuring regulatory compliance.

Applicability of Framework

  1. Stock exchanges
  2. All clearing corporations
  3. Depositories
  4. All stockbrokers through exchanges
  5. Depository participants through depositories
  6. Mutual Funds (MFs) and Asset Management Companies (AMC)
  7. KYC registration agencies
  8. Qualified registrars to an issue and share transfer agents

Cloud computing is becoming increasingly popular for delivering IT services due to its scalability, ease of deployment, and lower maintenance costs. It does, however, introduce new cybersecurity risks and challenges that businesses must be aware of, which is what the Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) is intended to address.

What is Cloud Computing?

Cloud computing is the delivery of on-demand computing services via the Internet. Storage, processing power, applications, and software are examples of services that can be provided. It is typically delivered through a network of remote servers hosted by third-party providers, which means that users with an internet connection can access computing resources from anywhere, at any time. It has grown in popularity in recent years because it enables businesses and individuals to scale their computing resources up or down based on their needs without investing in costly hardware or infrastructure.

As per the NIST definition, "Cloud Computing is defined as a model for providing ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction from service providers."

Cloud computing has four deployment models

1. Public Cloud - The most common cloud computing deployment is the public cloud. A third-party cloud service provider owns and operates the cloud resources (such as servers and storage), which are delivered over the Internet. In a public cloud, the provider owns and manages all hardware, software, and other supporting infrastructure.

In a public cloud, you share the same hardware, storage, and network devices as other organizations, or "tenants," and you use a web browser to access services and manage your account. Public cloud deployments are frequently used to provide web-based email, online office applications, storage, and testing and development environments.

2. Private Cloud - Private clouds (also known as corporate clouds, internal clouds, or on-premises clouds) dedicate cloud computing resources to a single organization. The organization itself or a third-party provider can own, operate, and manage the infrastructure.

Private clouds offer many benefits, including increased security and control, greater flexibility and scalability, and improved performance. They can also be tailored to meet specific business needs and regulatory requirements, such as compliance with data privacy laws.

3. Hybrid Cloud - A hybrid cloud deployment is a combination of private and public clouds. This infrastructure enables data, information, and applications to move between the two. The private side can handle sensitive tasks such as finance and data recovery, whereas the public side can handle high-volume applications.

In a hybrid cloud model, enterprises deploy workloads in either private or public clouds and switch between them as computing requirements and costs change. This provides a company with more flexibility and data deployment options. A hybrid cloud workload includes the network, hosting, and web service features of an application.

4. Community Cloud - Depending on the needs of the community, a community cloud can be either public or private. In a public community cloud, the infrastructure is hosted by a third-party provider and is accessible to members of the community via the Internet. In a private community cloud, the infrastructure is hosted within the community's own data centre or a third-party data centre, and access is restricted to members of the community.

The community cloud offers the benefits of cloud computing, such as scalability, flexibility, and cost savings, while also meeting the community's specific needs. Members of the community contribute to the cost of the cloud infrastructure, and the cloud service provider oversees its management, maintenance, and security.

How the Framework Has Had an Impact

One of the primary objectives of SEBI's cloud framework is to reduce the risk of cloud adoption by establishing the foundation for necessary access and data controls.

Since cloud computing is a new field, the first step in increasing widespread cloud adoption is to develop a framework to mitigate technological and compliance risks.

The cloud framework is principle-based, with nine high-level principles that can be summarized as follows:

Principle 1: Governance, Risk, and Compliance Sub-Framework

Principle 2: Cloud Service Provider Selection

Principle 3: Data Ownership and Data Localization

Principle 4: Regulated Entity Responsibility

Principle 5: Regulated Entity Due Diligence

Principle 6: Security Controls

Principle 7: Contractual and Regulatory Obligations

Principle 8: Business Continuity Planning, Disaster Recovery, and Cyber Resilience

Principle 9: Vendor Lock-in and Concentration Risk Management

The framework highlights the risks associated with cloud adoption and sets out the mandatory controls that are required. It also specifies baseline security measures that must be implemented (by both the RE and the CSP); an RE may add further measures based on its business needs, technology risk assessment, risk appetite, and the compliance requirements in all applicable circulars, guidelines, and advisories issued by SEBI from time to time.

Transition Period for Implementation of Framework

The timeline for regulated entities is as follows:

  • REs that do not currently use any cloud services: the framework applies to them from the outset.
  • REs that currently use cloud services: up to 12 months are given to ensure compliance with the framework.


Zybisys in relation to SEBI guidelines:

Zybisys, as a cloud service-based company, can greatly assist organizations in adhering to SEBI (Securities and Exchange Board of India) guidelines.

  • Robust Security Measures - Zybisys implements stringent security protocols to safeguard sensitive financial data, ensuring compliance with SEBI's data protection guidelines. We use advanced encryption techniques and secure infrastructure to minimize the risk of data breaches and unauthorized access.
  • Regulatory Compliance - Zybisys stays updated with SEBI guidelines and ensures that our cloud services align with the regulatory framework. We assist organizations in implementing appropriate controls, monitoring systems, and audit trails to meet SEBI's compliance requirements.
  • Disaster Recovery and Business Continuity - Zybisys offers robust disaster recovery and business continuity solutions, enabling organizations to recover swiftly from unforeseen events. This ensures uninterrupted operations and compliance with SEBI's guidelines regarding business continuity planning.

We here at ZYBISYS act as a valuable partner for organizations seeking to navigate the complex landscape of SEBI guidelines. Our expertise, comprehensive services, and commitment to compliance can greatly assist your organization in meeting regulatory requirements, mitigating risks, and fostering a culture of good corporate governance.
