• United States



Apurva Venkat
Special Correspondent

India’s stock market regulator Sebi releases cybersecurity consultation paper

Jul 05, 20235 mins

The framework is based on five concurrent and continuous functions of cybersecurity — identify, protect, detect, respond, and recover.

Credit: 1xpert/istock

The Securities and Exchange Board of India (SEBI) on Tuesday released a consultation paper on a proposed consolidated cybersecurity and cyberresilience framework (CSCRF) for regulated entities.

"In order to enhance the scope of cybersecurity and cyberresilience framework, to address the need for uniformity of cybersecurity guidelines for all REs (regulated entities) and to strengthen the mechanism to deal with cybersecurity risks/threats/incidents, the master framework on cybersecurity and cyberresilience has been drafted after discussion with Sebi's high powered steering committee for cybersecurity (HPSC-CS)," Sebi said in the consultation paper.

The framework follows a graded approach and divides the guidelines into three parts, which include applicability to all regulated entities, applicability to specified regulated entities, and applicability to Market Infrastructure Institutions (MIIs). Comments on the consultation paper need to be submitted to the regulator by July 25.

"The framework is based on five concurrent and continuous functions of cybersecurity as defined by NIST -- identify, protect, detect, respond, and recover," Sebi said.

Five functions of cybersecurity

The new framework proposes that regulated entities identify and classify critical assets based on their sensitivity and their criticality for business operations, services, and data management.

The regulated entities will need to formulate comprehensive cybersecurity and cyberresilience policies and conduct comprehensive scenario-based testing for assessing risks related to cybersecurity in the entities' IT environment, including both internal and external cybersecurity risks.

The paper also mentions that the regulated entity shall be solely accountable for all aspects of third-party services they use, including confidentiality, integrity, availability, non-repudiation, security of data and logs, as well as compliance with laws, regulations, circulars and other notices issued by Sebi or the government of India.

"Accordingly, REs shall be responsible and accountable for any violation of the same," Sebi said.

Under the protect function regulated entities need to document and implement strong log retention policies, password policies, and access policies. "REs shall implement network segmentation techniques to restrict access to the sensitive information, hosts, and services," Sebi said.

For the development of all critical software or applications, as well as feature enhancements, regulated entities must have separate development, system integration testing, user acceptance testing, and quality assurance environments.

Regulated entities will also have to carry out periodic audits by a CERT-In empaneled auditor to audit the implementation and compliance to standards mentioned in the framework. MIIs will need to conduct a self-assessment of their cyberresilience using the Cyber Capability Index (CCI) every quarter.

"Vulnerability Assessment and Penetration Testing (VAPT) shall be done to detect open vulnerabilities in the IT environment for critical assets and infrastructure components as defined in the framework. A comprehensive VAPT scope has also been added," Sebi said. 

For detection function, regulated entities will need to establish security mechanisms through Security Operation Centre (SOC) for continuous monitoring of security events and timely detection of anomalous activities. "Functional efficacy of SOC shall be measured on a half-yearly basis," Sebi said. 

For the response function, all regulated entities need to have an up-to-date Cyber Crisis Management Plan (CCMP) and formulate an incident response management plan and respective SOPs. Alerts generated from monitoring and detection systems must be suitably investigated for Root Cause Analysis (RCA). Regulated entities also need to document a comprehensive response and recovery plan that can be triggered for the timely restoration of systems affected by the cybersecurity incident.

Security experts say it's a step in the right direction

Cybersecurity experts hailed the consultation paper by Sebi as a step in the right direction.

"By and large these entities are becoming very fertile targets of continuing cyberattacks and cybersecurity breaches," said Dr. Pavan Duggal, cyberlaw expert and practicing advocate at the Supreme Court of India, adding that there has been a need felt for quite some time for a consolidated cybersecurity and cyberresilience framework.

"Sebi had come up with a cyberresilience framework some years ago, but the intersection of cybersecurity and cyberresilience had not been addressed. It is also an extension of what the existing principles of law are already stating," Duggal said. 

"Under the new updated IT rules 2023, every regulated entity has to adopt reasonable security practices and procedures to protect third-party data. In Sebi-regulated entities, these could become the parameters of due diligence on cybersecurity," Duggal said, adding that in the absence of a dedicated cybersecurity law and cyberresilience law, the framework assumes more relevance. 

Cybersecurity analysts believe the new proposed framework will help streamline the whole incident management process. "It's a great approach to streamline the entire incident management process and help organizations create CCMP – this will help them navigate through the entire complex process of incident handling," said Jaspreet Singh, clients and markets leader for advisory services at Grant Thornton.

Still, there are area where the framework falls short, including being vendor-neutral. "The Section B of the framework is not vendor-neutral, I feel ISO standard requirement is promoting ISO business and that could have been avoided. All policies and frameworks of regulators should be vendor-neutral," said Prashant Mali, an advocate for cybercrime and data protection.

Mali also points out that re-audit by Sebi of some cybersecurity audits and other reports submitted to exchanges by brokers is not mandated in the framework, adding that Sebi should selectively re-audit or review the audit reports submitted to exchanges to prevent hand-in-glove situations.

"Cyberattack scenarios in the framework are limited to known events and no consideration is given zero-day scenarios or social engineering attacks," Mali said.

Apurva Venkat
Special Correspondent

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.

More from this author