
Navigating SEBI’s 2024 Updated Cybersecurity Framework: Key Revisions

The Securities and Exchange Board of India (SEBI) has issued a notification regarding the Cybersecurity and Cyber Resilience Framework for Market Infrastructure Institutions (MIIs). The framework requires MIIs to establish robust cybersecurity and resilience policies that secure their infrastructure against cyber threats. Key aspects include setting up a Cyber Security Operation Center (C-SOC), ensuring regular vulnerability assessments, implementing multi-factor authentication, and maintaining an incident response plan. The framework emphasizes continuous monitoring, timely reporting of cyber incidents to SEBI, and adherence to best practices to enhance the overall security posture of market infrastructure. In this blog, we look at the new guidelines in detail.

Brief About the Framework

To enhance the scope of the current Cybersecurity and Cyber Resilience Framework (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113) and ensure consistent cybersecurity guidelines for all regulated entities (REs), a comprehensive framework has been established to strengthen the response to cyber risks, threats and incidents. The CSCRF was created through a collaborative process involving extensive consultations with various stakeholders, including Market Infrastructure Institutions (MIIs), regulated entities (REs), industry associations, government bodies such as the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC), the Industry Standard Forum (ISF), information security auditors, industry experts and Cloud Service Providers (CSPs). SEBI’s High Powered Steering Committee on Cybersecurity (HPSC-CS) has also reviewed the framework.

The CSCRF offers a standardized approach for implementing various cybersecurity and cyber resilience strategies. In its formulation, it referred to international standards such as the ISO 27000 series, CIS Controls Version 8, NIST SP 800-53, BIS Financial Stability Institute guidelines, and CPMI-IOSCO principles, ensuring a robust and comprehensive cybersecurity framework for SEBI-regulated entities.

The framework is structured into four parts:

i. Part I: Objectives and Standards: This section outlines the goals that each security control must achieve. It also includes the established principles required for compliance with the CSCRF.


ii. Part II: Guidelines: This section provides recommended measures for adhering to the standards detailed in the framework. Some of these guidelines are mandatory requirements that regulated entities (REs) must follow.

iii. Part III: Structured Formats for Compliance: This section includes standardized formats to facilitate compliance reporting.

iv. Part IV: Annexures and References: This section contains additional materials and references to support the framework. 

For ease of compliance, REs are required to comply with all applicable standards and mandatory guidelines as mentioned in CSCRF.

Goals of CSCRF

The framework is built around two key approaches: cybersecurity and cyber resilience. The cybersecurity approach encompasses a range of elements, from governance measures to operational controls. The cyber resilience approach focuses on achieving the following goals: Anticipate, Withstand, Contain, Recover, and Evolve.

The details of the goals are as follows:

Cyber Resilience Goal: Anticipate | Governance

  • Regulated entities (REs) must establish, communicate, and enforce cybersecurity risk management roles, responsibilities, and authorities to ensure accountability and continuous improvement.
  • REs must implement a comprehensive cybersecurity and cyber resilience policy approved by the Board, Partners, or Proprietor.
  • Market Infrastructure Institutions (MIIs), Qualified REs, and mid-size REs must create a cyber risk management framework that encompasses the identification, analysis, evaluation, prioritization, response, and ongoing monitoring of cyber risks.
  • MIIs must conduct third-party assessments of their cyber resilience using the Cyber Capability Index (CCI) on a half-yearly basis, while Qualified REs should perform self-assessments annually.
  • REs are fully accountable for all aspects related to third-party services, including confidentiality, integrity, availability, non-repudiation, and security of data and logs. They must also ensure compliance with all relevant laws, regulations, and guidelines issued by SEBI and the Government of India.

Cyber Resilience Goal: Anticipate | Identify

  • Regulated entities (REs) must identify and classify critical systems based on their sensitivity and importance to business operations, services, and data management. The list of critical systems must be approved by the Board, Partners, or Proprietor.
  • Regulated entities (REs) must perform regular risk assessments of their IT environment, including evaluations of potential post-quantum risks. This assessment should involve comprehensive scenario-based testing to evaluate both internal and external cybersecurity risks.
  • REs must analyze the threats, vulnerabilities, likelihoods, and impacts to understand the inherent risks and prioritize their response strategies. 

Cyber Resilience Goal: Anticipate | Protect

  • REs must document and implement an authentication and access policy, along with an effective log collection and retention policy.
  • REs should design and implement network segmentation techniques to restrict access to sensitive information, hosts, and services.
  • Use Full-Disk Encryption (FDE) in combination with File-Based Encryption (FBE) to enhance data protection.
  • There must be separate production and non-production environments for the development of software/applications related to critical systems and for any feature enhancements.
  • Regular audits must be conducted by a CERT-In empanelled IS auditing organization to ensure compliance with the standards and mandatory guidelines of the CSCRF.
  • Conduct Vulnerability Assessment and Penetration Testing (VAPT) to identify vulnerabilities across all critical systems, infrastructure components, and other IT systems. A comprehensive scope for VAPT is specified.
  • Implement security solutions for APIs and endpoints, including rate limiting, throttling, and suitable authentication and authorization mechanisms.
  • ISO 27001 certification is mandatory for MIIs and Qualified REs, providing essential security standards related to the Information Security Management System (ISMS).

Cyber Resilience Goal: Anticipate | Detect

  • Regulated entities (REs) must establish appropriate security mechanisms through a Security Operations Centre (SOC)—either their own, a group SOC, a third-party SOC, or a market SOC—for continuous monitoring of security events and timely detection of any anomalous activities.
  • The Bombay Stock Exchange (BSE) and National Stock Exchange (NSE) are mandated to set up a Market SOC. Small-size REs and Self-certification REs must be onboarded onto the Market SOC.
  • MIIs and Qualified REs must assess the functional efficacy of their SOC every six months. Other REs must obtain a yearly assessment of the SOC’s functional efficacy from their SOC service providers. The framework provides a quantifiable method and a list of parameters for measuring SOC efficacy. BSE and NSE must provide periodic reports on the functional efficacy of the Market SOC to SEBI.
  • MIIs and Qualified REs must conduct red teaming exercises as a part of their cybersecurity framework.

Cyber Resilience Goal: Withstand & Contain | Respond

  • Report all cybersecurity incidents promptly using the SEBI incident reporting portal.
  • All regulated entities (REs) must establish a comprehensive Incident Response Management plan along with corresponding Standard Operating Procedures (SOPs).
  • All REs must develop and maintain an up-to-date Cyber Crisis Management Plan (CCMP).
  • In the event of a cybersecurity incident, REs must conduct a Root Cause Analysis (RCA) to identify the underlying causes of the incident.
  • If the Root Cause Analysis (RCA) is inconclusive, conduct a forensic analysis to thoroughly investigate the cybersecurity incident.


Cyber Resilience Goal: Recover

  • Develop and document a comprehensive response and recovery plan for cybersecurity incidents.
  • Ensure the plan is activated for prompt system restoration.
  • Follow the indicative recovery plan provided in the CSCRF.
  • Inform relevant stakeholders of actions taken during the recovery process.

Cyber Resilience Goal: Evolve

  • Implement adaptive and evolving controls to address vulnerabilities and minimize attack surfaces as part of the cybersecurity strategy.
  • REs must report compliance with CSCRF requirements to their respective authorities in standardized formats.
  • A glide-path is provided for REs to comply with new CSCRF standards:
  1. Existing RE categories: Compliance by January 01, 2025.
  2. New RE categories: Compliance by April 01, 2025.
  • A checklist and guidelines for auditors are provided to ensure consistent auditing practices for CSCRF compliance.

Objectives of CSCRF

The primary objective of the Cybersecurity and Cyber Resilience Framework (CSCRF) is to strengthen the cybersecurity posture of entities regulated by the Securities and Exchange Board of India (SEBI). To achieve this, the CSCRF aims to:

Address evolving Cyber Threats

In a rapidly advancing technological landscape, cyber threats are constantly evolving. The CSCRF is designed to adapt to evolving changes, enabling SEBI-regulated entities to proactively address and mitigate cybersecurity risks. This approach ensures that entities remain resilient against emerging threats.

Align with Global Industry Standards

The framework integrates best practices and standards from leading global cybersecurity frameworks, ensuring that Indian entities align with international benchmarks. This alignment enhances the overall cybersecurity maturity of these entities, making them comparable to their global counterparts.

Promote Efficient Auditing Process

By establishing clear guidelines and standards, the CSCRF facilitates more streamlined and effective auditing processes. This efficiency enables entities to better assess their compliance and cybersecurity posture, thereby enhancing risk management capabilities.

Ensure Robust Compliance

The framework outlines specific compliance requirements tailored for SEBI-regulated entities, fostering a culture of accountability and transparency in cybersecurity practices. These requirements ensure that entities adhere to a robust cybersecurity framework, ultimately protecting their data and operations from potential threats.


How can Kratikal Help you with SEBI Compliance Audit?

Navigating SEBI’s 2024 Cybersecurity Framework can be complex, but Kratikal is here to simplify and streamline the process for you. Our expert team offers comprehensive support in performing thorough vulnerability assessments and implementing robust multi-factor authentication measures. We ensure that your organization maintains continuous monitoring of security events, adheres to prompt incident reporting requirements, and meets SEBI’s updated standards with ease. By collaborating with us, you can enhance the efficiency of your cybersecurity practices, ensure compliance with the latest regulations, and protect your infrastructure against emerging threats.

FAQs

  1. What is a new SEBI cyber security framework?

    Cybersecurity frameworks act as roadmaps, guiding organizations to strengthen their defenses against hackers. They offer a structured approach to managing cybersecurity risks.

  2. What are the 3 components of the new SEBI cyber security framework?

    The Cybersecurity Framework is based on three fundamental elements: Core, Implementation Tiers, and Profiles.

  3. What are the key requirements of SEBI Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113?

    SEBI Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 mandates Market Infrastructure Institutions (MIIs) and regulated entities (REs) to enhance their cybersecurity measures. Key requirements include establishing a Cyber Security Operation Center (C-SOC), conducting regular vulnerability assessments, implementing multi-factor authentication, and maintaining a robust incident response plan.


*** This is a Security Bloggers Network syndicated blog from Kratikal Blogs authored by Shikha Dhingra. Read the original post at: https://kratikal.com/blog/navigating-sebi-2024-updated-cybersecurity-framework-key-revisions/
