The Securities and Exchange Board of India (SEBI) on Tuesday released a consultation paper on a proposed consolidated cybersecurity and cyberresilience framework (CSCRF) for regulated entities.

"In order to enhance the scope of cybersecurity and cyberresilience framework, to address the need for uniformity of cybersecurity guidelines for all REs (regulated entities) and to strengthen the mechanism to deal with cybersecurity risks/threats/incidents, the master framework on cybersecurity and cyberresilience has been drafted after discussion with Sebi's high powered steering committee for cybersecurity (HPSC-CS)," Sebi said in the consultation paper.

The framework follows a graded approach and divides the guidelines into three parts: those applicable to all regulated entities, those applicable to specified regulated entities, and those applicable to Market Infrastructure Institutions (MIIs). Comments on the consultation paper need to be submitted to the regulator by July 25.

"The framework is based on five concurrent and continuous functions of cybersecurity as defined by NIST — identify, protect, detect, respond, and recover," Sebi said.

Five functions of cybersecurity

The new framework proposes that regulated entities identify and classify critical assets based on their sensitivity and their criticality for business operations, services, and data management.

The regulated entities will need to formulate comprehensive cybersecurity and cyberresilience policies and conduct comprehensive scenario-based testing to assess cybersecurity risks in the entities' IT environment, covering both internal and external cybersecurity risks.

The paper also states that the regulated entity shall be solely accountable for all aspects of the third-party services it uses, including confidentiality, integrity, availability, non-repudiation, security of data and logs, as well as compliance with laws, regulations, circulars and other notices issued by Sebi or the government of India.

"Accordingly, REs shall be responsible and accountable for any violation of the same," Sebi said.

Under the protect function, regulated entities need to document and implement strong log retention policies, password policies, and access policies. "REs shall implement network segmentation techniques to restrict access to the sensitive information, hosts, and services," Sebi said.

For the development of all critical software or applications, as well as feature enhancements, regulated entities must have separate development, system integration testing, user acceptance testing, and quality assurance environments.

Regulated entities will also have to undergo periodic audits by a CERT-In empaneled auditor to verify the implementation of, and compliance with, the standards set out in the framework. MIIs will need to conduct a self-assessment of their cyberresilience using the Cyber Capability Index (CCI) every quarter.

"Vulnerability Assessment and Penetration Testing (VAPT) shall be done to detect open vulnerabilities in the IT environment for critical assets and infrastructure components as defined in the framework. A comprehensive VAPT scope has also been added," Sebi said.

For the detect function, regulated entities will need to establish security mechanisms through a Security Operation Centre (SOC) for continuous monitoring of security events and timely detection of anomalous activities. "Functional efficacy of SOC shall be measured on a half-yearly basis," Sebi said.

For the respond function, all regulated entities need to have an up-to-date Cyber Crisis Management Plan (CCMP) and formulate an incident response management plan and the corresponding SOPs. Alerts generated by monitoring and detection systems must be suitably investigated for Root Cause Analysis (RCA). Regulated entities also need to document a comprehensive response and recovery plan that can be triggered for the timely restoration of systems affected by a cybersecurity incident.

Security experts say it's a step in the right direction

Cybersecurity experts hailed the consultation paper by Sebi as a step in the right direction.

"By and large these entities are becoming very fertile targets of continuing cyberattacks and cybersecurity breaches," said Dr. Pavan Duggal, cyberlaw expert and practicing advocate at the Supreme Court of India, adding that the need for a consolidated cybersecurity and cyberresilience framework had been felt for quite some time.

"Sebi had come up with a cyberresilience framework some years ago, but the intersection of cybersecurity and cyberresilience had not been addressed. It is also an extension of what the existing principles of law are already stating," Duggal said.

"Under the new updated IT rules 2023, every regulated entity has to adopt reasonable security practices and procedures to protect third-party data. In Sebi-regulated entities, these could become the parameters of due diligence on cybersecurity," Duggal said, adding that in the absence of a dedicated cybersecurity law and cyberresilience law, the framework assumes more relevance.

Cybersecurity analysts believe the proposed framework will help streamline the whole incident management process. "It's a great approach to streamline the entire incident management process and help organizations create CCMP - this will help them navigate through the entire complex process of incident handling," said Jaspreet Singh, clients and markets leader for advisory services at Grant Thornton.

Still, there are areas where the framework falls short, including vendor neutrality. "The Section B of the framework is not vendor-neutral, I feel ISO standard requirement is promoting ISO business and that could have been avoided. All policies and frameworks of regulators should be vendor-neutral," said Prashant Mali, an advocate for cybercrime and data protection.

Mali also points out that the framework does not mandate re-audit by Sebi of the cybersecurity audits and other reports that brokers submit to exchanges, adding that Sebi should selectively re-audit or review the audit reports submitted to exchanges to prevent hand-in-glove situations.

"Cyberattack scenarios in the framework are limited to known events and no consideration is given to zero-day scenarios or social engineering attacks," Mali said.