
The Securities and Exchange Board of India (SEBI) introduced a Cybersecurity and Cyber Resilience Framework (CSCRF) for Portfolio Managers (with assets worth INR 3,000 crore or more) to protect data integrity and guard against privacy breaches.
The policy covers governance, identification of risks, protection measures, detection of incidents, response protocols, and recovery processes.
Five cyber-resilience goals are covered in the CSCRF: Anticipate, Withstand, Contain, Recover, and Evolve. These are adopted from the Indian Computer Emergency Response Team's (CERT-In) Cyber Crisis Management Plan (CCMP) for countering cyber-attacks and cyber-terrorism.
- Key components:
  - Formulation of a comprehensive cybersecurity policy
  - Appointment of a Chief Information Security Officer (CISO)
  - Constitution of a technology committee
  - Regular review and updates of the policy
- Specific measures:
  - Monitoring and incident response:
    - Continuous monitoring of security events
    - Timely detection and response to unauthorized activities
    - Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 30 minutes
  - Reporting requirements:
    - Cyber incidents must be reported to SEBI within 6 hours
    - Quarterly reports on cyber incidents and mitigation measures
- A framework is provided for training and awareness programs for employees and outsourced staff.
- An annual audit by an independent Certified Information Systems Auditor (CISA)/Certified Information Security Manager (CISM)-qualified or CERT-In-empaneled auditor is required.
- Registered entities — mainly financial institutions and brokerage firms that provide infrastructure for the securities and derivatives markets — will be graded into five categories:
  - Market Infrastructure Institutions (MIIs): Provide essential infrastructure for the securities market. E.g., BSE, NSE, NSDL, CDSL, and NSE Clearing.
  - Qualified Regulated Entities (REs): Large financial institutions with a significant market presence that will follow specific regulatory criteria set by SEBI. E.g., ICICI Bank, HDFC Bank, and Kotak Securities.
  - Mid-Size REs: Mid-size financial institutions in terms of assets under management (AUM), market capitalization, or transaction volumes. E.g., Federal Bank, South Indian Bank, Bajaj Finance, and L&T Finance.
  - Small REs: Financial institutions with limited market presence and smaller asset bases. E.g., Ujjivan Small Finance Bank, Equitas Small Finance Bank, and co-operative banks.
  - Self-certification REs: Entities that do not require direct oversight or inspection from regulators, but instead self-verify that they comply with the applicable regulations and submit a certification. This typically applies to smaller or less complex institutions. E.g., fintech firms such as Fintso, Razorpay, and Paytm Payments Bank, and brokerage firms such as Zerodha and Upstox.
- Benefits:
  - Improved cyber risk governance
  - Data classification and localization
  - Implementation of a Security Operations Center (SOC)
  - Enhanced API and mobile application security
  - Assessment of cyber resilience through the Cyber Capability Index
  - Mitigation of supply chain risks using a Software Bill of Materials (SBOM)
The framework's aim is to strengthen the overall cybersecurity posture of the Indian securities market.
However, understanding the framework can be complex and challenging for organizations. This is where Silverse steps in with its deep cybersecurity knowledge and years of expertise. Contact us now to set up a discussion with one of our cybersecurity experts.