On August 20, 2024, the Securities and Exchange Board of India (“SEBI”) took a major step towards improving the cybersecurity landscape in India’s financial sector by releasing the Cybersecurity and Cyber Resilience Framework (“CSCRF”) for SEBI Regulated Entities (“Regulated Entities/RE”), including but not limited to:
(a) Alternative Investment Funds (AIFs)
(b) Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
(c) Clearing Corporations
(d) Collective Investment Schemes (CIS)
(e) Credit Rating Agencies (CRAs)
(f) Custodians
(g) Depositories and Depository Participants
(h) Investment Advisors and Research Analysts
(i) KYC Registration Agencies
(j) Merchant Bankers
The applicability of various standards and guidelines of CSCRF is based on different categories of Regulated Entities. CSCRF follows a graded approach and classifies Regulated Entities in the following five broad categories:
(i) Market Infrastructure Institutions (MIIs)
(ii) Qualified REs
(iii) Midsize REs
(iv) Small size REs
(v) Self certification REs
Indeed, nothing is more imperative than developing a foolproof cybersecurity structure that can meet the requirements of the emergent and dynamic financial sector of India. SEBI has also noted the dynamism and ever growing nature of the threat from cyber incidents and has put in place the CSCRF to tackle the challenges and enhance the security of Regulated Entities.
Banks and other financial institutions across the world in the last few years have been on the receiving end of cyber threats, ranging from theft of clients’ data to complex and dangerous hacking executed on the financial markets.
The CSCRF is thus an indication of SEBI’s strategy on how to address cyber risks and improve protection from cyber threats. The CSCRF is designed to be comprehensive, addressing a spectrum of cybersecurity issues from preventive measures to response strategies
The CSCRF is divided into four main parts to facilitate ease of compliance and implementation:
Part I - Objectives and Standards: This section outlines the goals that security controls need to achieve and the established principles for compliance.
Part II - Guidelines: This part provides recommendations and measures for complying with the standards. Some guidelines are mandatory and must be adhered to by the REs.
Part III - Structured Formats for Compliance: This section includes standard formats for compliance, ensuring uniformity and ease of reporting
Part IV - Annexures and References: This part contains additional resources and references to support the implementation of the framework.
Governance
Under the CSCRF, SEBI mandates that a dedicated cyber security committee responsible for formulating and overseeing the implementation of cyber security policies be established by all Regulated Entities and such a committee shall include senior management and IT experts to ensure that cyber security considerations are integrated into all the processes of the Regulated Entities.
Cyber Capability Index
SEBI has also provided for a Cyber Capability Index (“CCI”) under the CSCRF, which is a comprehensive framework intended to evaluate the resilience of cyber security framework. Market Infrastructure Institutions are mandated to undergo a third-party cyber resilience assessment biannually, while Qualified Regulated Entities are required to perform an annual self-assessment.
Incident Management and Response
An important aspect of the CSCRF is the emphasis on effective incident management. Regulated Entities are required to implement procedures for responding, detecting and recovering from cyber incidents. This includes the establishment of an Incident Response Team (“IRT”) along with a communication protocol for reporting incidents to SEBI and other relevant authorities. The CSCRF also stipulates that entities must maintain detailed records of all cyber incidents and their resolutions.
Risk Management - Third Parties
The CSCRF also takes into account the risks associated and posed with third-party vendors and service providers. The Regulated Entities are required to assess and manage the cyber security readiness of their third-party vendors and service providers making sure that they have in place, and comply with, similar security standards.
Compliances and Audits
SEBI has provided consistency in auditing Regulated Entities by creating and providing an auditors’ checklist under the CSCRF. This shall ensure a more effective audit process, ensuring that all Regulated Entities are held to the same standards.
Risk Management
Regulated Entities under the CSCRF are required to carry out regular risk assessments to identify any cybersecurity threats. This shall enable the Regulated Entities to implement appropriate strategies to mitigate any threats.
Data Protection and Privacy
Protecting sensitive data is the most important part of the CSCRF. It requires that Regulated Entities implement robust data encryption, access controls, and privacy measures to safeguard sensitive information. This includes ensuring compliance with data protection regulations and maintaining transparency in data handling practices.
The introduction of the CSCRF is a significant step taken SEBI, however, its effectiveness shall depend on its implementation. Regulated Entities have been provided with clear guidelines for to follow by SEBI, along with a timeline for compliance. Regulated Entities are required to submit reports regularly on their cyber security preparations and planning.
By setting high standards for cyber security and resilience, the CSCRF is expected to have a profound impact on the financial sector. SEBI is not only enhancing the protection of data but also reinforcing confidence in India’s financial markets.
The CSCRF aligns with best practices all over the world in cyber security, making the Indian financial institutions at par with international standards. This alignment is important as India continues to grow, integrate more deeply into the global financial system and attract international investments.
While the CSCRF is a crucial initiative by SEBI, the implementation of CSCRF may present challenges as smaller entities may face difficulties in meeting the stringent requirements under the CSCRF due to resource constraints. Therefore, to mitigate this, SEBI may need to provide additional and continued support to help such small entities comply with the CSCRF.
Moreover, the fast evolving nature of cyber threats will require that the CSCRF is regularly updated to address all the new challenges presented. The commitment of SEBI towards continuous improvement and engagement with the Regulated Entities will be crucial in ensuring the CSCRF remains relevant and effective.
About the authors: Sanika Mehra is a Co-Managing Partner and Head- Corporate Practice and Antra Ahuja is a Senior Associate at Saga Legal.
If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.