The Securities and Exchange Board of India (SEBI) has recently provided updated guidance on its Cybersecurity and Cyber Resilience Framework (CSCRF), underscoring its commitment to enhancing cybersecurity measures and ensuring the resilience of regulated entities (REs) within the Indian securities market. This update is aimed at adapting to evolving cyber risks and technological advancements.
Key Updates in the Guidance
Extended Compliance Deadlines:
- Extension for Specific Categories: SEBI has extended the compliance deadlines for certain categories of regulated entities, giving them additional time to meet the new cybersecurity requirements. The revised deadlines are as follows:
- KYC Registration Agencies (KRAs): April 1, 2025.
- Depository Participants (DPs): April 1, 2025.
- General Extension: For entities that were initially required to comply by January 1, 2025, the deadline has been extended to March 31, 2025. This extension aims to ensure that entities have sufficient time to implement the necessary cybersecurity measures without facing undue pressure.
Regulatory Forbearance:
- Temporary Relief: During the extended period, SEBI will provide regulatory forbearance, meaning that entities will not face penalties for non-compliance, provided they can demonstrate progress in implementing the required cybersecurity measures. This approach is intended to offer a grace period for entities to achieve full compliance while maintaining progress towards enhanced cybersecurity.
Data Localisation Guidelines:
- Consultation and Feedback: SEBI has temporarily put on hold the guidelines related to data localization under the framework. This decision was made to allow for further consultation and to gather feedback from stakeholders. The guidelines will be notified at a later date after considering input from various stakeholders. This move underscores SEBI’s commitment to a collaborative approach in formulating cybersecurity policies.
Purpose and Objectives of the CSCRF
Strengthening Cybersecurity Posture:
- The primary objective of the CSCRF is to establish robust standards and guidelines that enhance the cybersecurity posture of SEBI-regulated entities. By implementing these measures, the framework aims to protect the securities market from increasing cyber threats and ensure that entities are well-prepared to handle cyber incidents efficiently.
Achieving Cyber Resiliency:
- The framework is structured around five key cyber resiliency goals adopted from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In). These goals are:
- Anticipate: Proactively identify potential cyber threats and vulnerabilities.
- Withstand: Develop robust defenses to withstand cyber attacks.
- Contain: Implement measures to limit the impact of a cyber incident.
- Recover: Ensure prompt recovery of systems and operations post-incident.
- Evolve: Continuously improve cybersecurity practices and resilience.
Implementation and Monitoring
Cyber Capability Index (CCI):
- Introduction of CCI: One of the hallmark features of the CSCRF is the introduction of a Cyber Capability Index (CCI). This index serves as a standardized tool to rate the cybersecurity and resilience controls of regulated entities. By periodically monitoring and evaluating their cybersecurity capabilities, entities can understand their current security posture and identify areas requiring enhancement.
Regular Assessments and Audits:
- Continuous Evaluation: Regulated entities are required to conduct regular assessments and audits of their cybersecurity and resilience capabilities. These evaluations help in identifying gaps and areas needing improvement. Entities are encouraged to adopt best practices and implement robust security measures to fortify their defenses against cyber threats.
Importance of Collaboration and Information Sharing
Collaborative Efforts:
- Public and Private Sector Cooperation: SEBI emphasizes the importance of collaboration among regulated entities, cybersecurity experts, and regulatory bodies. By sharing information, best practices, and threat intelligence, the overall cybersecurity posture of the securities market can be significantly enhanced.
Continuous Improvement:
- Adaptability and Evolution: The CSCRF promotes a culture of continuous improvement in cybersecurity practices. Entities are encouraged to stay updated with the latest developments in cybersecurity and adapt their strategies accordingly. This ensures that they remain resilient against evolving cyber threats.
Conclusion
The updated guidance on SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) represents a significant step towards strengthening the cybersecurity and resilience of SEBI-regulated entities. By adhering to the framework’s guidelines and implementing robust cybersecurity measures, entities can better protect themselves against cyber threats and minimize disruptions to market operations. The CSCRF aims to create a secure and resilient securities market, fostering trust and confidence among investors and stakeholders.
