SEBI Issues Proposal for Comprehensive Cyber-Security and Cyber-Resilience Framework

By: Anjali Verma
By: Legal Era
Update: 2023-07-05 17:45 GMT

The Securities and Exchange Board of India (SEBI) has issued a consultation paper on ‘Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs).’

The market regulator has released a consultation paper to improve the cybersecurity and cyber resilience of market intermediaries, market infrastructure institutions, and other regulated entities.

The paper outlines a consolidated cybersecurity and cyber resilience framework (CSCRF) which will seek to address five functions—identify, protect, detect, respond and recover. Ensuring the cyber-resilience and compliance of third-party vendors will fall under the identify function.

Under the proposed framework, a graded approach will be followed: some guidelines will apply to all REs, some to select REs, and some only to market infrastructure institutions (MIIs).

Under the Identify function, the REs will also need to identify critical systems, formulate a comprehensive cybersecurity and cyber resilience policy and do scenario-based testing for assessing risk, among other things.

Under the Protect function, REs will be required to implement network segmentation techniques to restrict access to sensitive information, hosts, and services; have a CERT-In empanelled auditor periodically audit implementation of, and compliance with, the standards set out in the new framework; and carry out vulnerability assessment and penetration testing (VAPT) of the IT environment, among other things.

Under the Detect function, REs must establish security mechanisms through a Security Operations Centre (SOC) for continuous monitoring of security events and timely detection of anomalous activities, and MIIs will additionally need to include red-teaming exercises, among other things. Red teaming involves simulating a cyber-attack to assess an entity’s security framework.

Under the Respond function, all REs will be required to have a Cyber Crisis Management Plan (CCMP) and investigate alerts from detection systems for root-cause analysis, among other things.

Lastly, under the Recover function, REs must have a well-documented response and recovery plan for cyber incidents and must inform all related stakeholders of the actions taken during the recovery process, among other things.
