Mayank Raj[1]
Abstract
Threats to cybersecurity in the securities market pose serious issues that jeopardize the integrity and stability of international financial institutions. There is a greater chance of cyberattacks aimed against trading systems, private financial information, and market infrastructure as the market depends more and more on digital platforms. Significant disruptions, monetary losses, and a decline in investor confidence may result from these assaults.
Through its Cybersecurity and Cyber Resilience Framework (CSCRF), the Securities and Exchange Board of India (SEBI) has acknowledged that cybersecurity is increasingly crucial to preserving market integrity. To improve the cybersecurity posture of market participants, such as stock exchanges, depositories, and intermediaries, SEBI has put in place extensive frameworks and recommendations. These steps are intended to leave financial institutions better prepared to prevent, detect, and handle cyberattacks. Prior event studies show that once a firm's first publicly reported hacking incident is disclosed, trading volume rises on selling pressure, daily excess returns decline, and liquidity improves; heightened investor attention appears to be the driving force behind this transient market reaction.
Cyberattacks, and the risks inherent in wireless communication technology, have become a pressing concern for commercial businesses and government institutions across the world. Protecting electronic data from cyber assaults is now a central problem for any technologically dependent society. Most cyberattacks against businesses are financially motivated, and organizations are adopting a wide range of tactics and controls to limit the harm they cause.
The cybersecurity vulnerabilities that the securities market faces are examined in this research paper, with an emphasis on the Indian environment. It assesses SEBI’s regulatory actions and contrasts them with international best practices, emphasizing the necessity of ongoing improvements and preventative measures to strengthen financial institutions’ resistance to changing cyberthreats and preserve the stability and security of India’s securities market.
Keywords: Cybersecurity, Securities and Exchange Board of India (SEBI), Cybersecurity and Cyber Resilience Framework (CSCRF), Stock exchanges, Depositories, Intermediaries, Cyber-attacks.
Introduction
The Indian securities market is becoming more susceptible to cyber threats, as cyberattacks pose serious dangers to market integrity and financial stability. The increasing integration of technology and digital trading platforms into the financial ecosystem has raised the risk of cyber events such as phishing, hacking, and data breaches. These threats can impair market activity, expose private investor data, and cause monetary losses. The Securities and Exchange Board of India (SEBI) has created the comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) to protect regulated entities (REs) and market infrastructure against these problems. Strengthening the cybersecurity defences of stock brokers, mutual funds, depository participants, and other financial intermediaries is the main goal of SEBI's activities. As cyberattacks become more sophisticated, maintaining the resilience of India's financial markets has grown more important, and SEBI continues to update its rules to keep regulatory requirements aligned with new risks.
SEBI notified the Cybersecurity and Cyber Resilience Framework on August 20, 2024, making compliance mandatory for all regulated entities in the Indian securities market. The CSCRF is now the operative cybersecurity framework and replaces the earlier cybersecurity guidelines released by SEBI. It has been prepared with the changing cyber threat landscape in mind, aligned with global best practices, and designed to ensure in-depth cybersecurity controls across stock brokers, mutual funds, investment advisors and other REs.
It lays down standards for anticipating, containing, recovering from, and evolving in response to cyber events. The framework contains a defined approach for implementation and compliance and classifies REs according to their size and scope. It requires REs to have Security Operations Centre (SOC) coverage, and, to ease compliance for smaller organizations, allows both self-managed SOCs and a market-provided SOC. Implementation deadlines differ by category: some entities must comply by January 1, 2025, others by April 1, 2025. The framework's detailed guidelines, including reporting formats and compliance procedures, are available on the SEBI website under the "Legal" section.
SEBI's work in this area began in 2015, when it issued a cybersecurity and cyber resilience framework specifically for Market Infrastructure Institutions (MIIs). With that circular, SEBI began fortifying the Indian securities market against growing cyber threats. MIIs, namely stock exchanges, clearing corporations, and depositories, are essential to the integrity and efficient operation of the financial markets, and the 2015 framework sought to guarantee that these organizations had strong defences against cyber threats.
The growing sophistication and frequency of cyberattacks worldwide have made clear that cybersecurity protocols must be updated and reinforced continuously. The changing nature of cyber risk and the need for broader, deeper defences led to the Cybersecurity and Cyber Resilience Framework (CSCRF) for all SEBI REs. This new framework, prepared after extensive stakeholder consultation, sets out precise standards and guidelines for maintaining robust cybersecurity and strengthening cyber resilience across every SEBI-regulated organization.
The CSCRF supersedes the cybersecurity circulars, guidelines, advisories, and letters that SEBI previously issued, consolidating them into a single, more cohesive framework. Through these measures SEBI aims to strengthen the overall stability and security of the Indian securities market and to fortify it against future cyberattacks and incidents.
This study examines the serious cybersecurity threats that the Indian securities market now faces and how SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) is proactively addressing them.
Cyber Risk: Definitions and the Need for a Focused, Collaborative Approach
While there remains some ambiguity regarding the terminology surrounding cyber risk, there is increasing consensus on key definitions. Cyber risk refers to the potential negative consequences resulting from cyberattacks, which are deliberate attempts to compromise the confidentiality, integrity, or availability of data and systems. For the purpose of this research, cybersecurity is viewed as a broad concept encompassing critical activities aimed at mitigating cyber risk. These activities include the identification, protection, detection, response, and recovery from cyber threats.
Despite the varying quality of data on cyberattacks, particularly at the global level, one thing is clear: cyberattacks are becoming more frequent and costly for organizations and society at large. The financial sector, including securities markets, is a prime target for these attacks, as it is where monetary assets are concentrated, making it an attractive target for both financially motivated criminals and politically driven activists.
Cyber risk is not merely “another risk”; it is a highly complex and rapidly evolving phenomenon. The human element, combined with the constant advancement of technologies, creates unique challenges. As financial institutions and market infrastructure entities strengthen their defences, cybercriminals continuously innovate new and more sophisticated attack methods. This dynamic nature of cyber risk makes it difficult to fully mitigate or anticipate emerging threats.
Moreover, the interconnectedness of the financial ecosystem means that cyberattacks may have systemic implications, threatening the stability and trust on which securities markets are built. If left unchecked, these attacks could compromise the integrity of the securities market, leading to a broader financial crisis. Therefore, regulators, market participants, and stakeholders must adopt a collaborative approach to enhance cybersecurity, focusing on resilience to ensure that the Indian securities market can withstand and recover from cyber incidents.
This underscores the importance of SEBI's cybersecurity guidelines, which establish a framework for Market Infrastructure Institutions (MIIs) and other regulated entities to protect their systems and data, while also addressing Third-Party Risk Management (TPRM) to mitigate risks from external vendors and partners.
Role of Securities Regulators in Addressing Cybersecurity Risks
Globally, governments and financial authorities are taking significant measures to mitigate cyber risks in financial markets. Reflecting the increasing importance of cybersecurity, many countries now govern this area through securities regulations and technical requirements that regulated entities must comply with. However, the scope and depth of these regulations vary depending on the nature of each country’s financial markets, existing legislation, and regulatory frameworks. In some countries, regulations are well-established, while others have limited or no cybersecurity mandates in place.
Most regulated entities are expected to adopt risk management systems to minimize their exposure to cyber risks. This involves implementing robust physical and electronic security measures, ensuring compliance with financial stability standards, notifying authorities of cyber incidents, and safeguarding electronic trading systems from breaches.
Despite the common objectives, the regulatory approaches differ across jurisdictions. Some countries have specific and detailed regulatory requirements regarding cybersecurity, while others rely on self-regulatory governance rules or guidelines issued by financial authorities. In jurisdictions where regulatory requirements exist, they often vary, and these differences are influenced by the unique characteristics of the local financial ecosystem.
Securities regulators play various roles and employ different tools to help market participants enhance their cybersecurity frameworks. Common regulatory measures include:
- Raising awareness of cyber risks through examination sweeps and issuance of guidelines or frameworks.
- Conducting cybersecurity drills to simulate potential cyber incidents, involving stakeholders like Self-Regulatory Organizations (SROs), trading venues, financial market infrastructures, and other market participants.
In India, SEBI has been at the forefront of ensuring cybersecurity preparedness within the securities market through its Cyber Security and Cyber Resilience Framework. This framework requires market intermediaries and Market Infrastructure Institutions (MIIs) to implement comprehensive security measures. SEBI’s guidelines, like many other international standards, allow for flexibility in the adoption of cybersecurity measures, recognizing that no “one size fits all” approach exists for market participants.
By adopting a collaborative, risk-based approach, Indian securities regulators like SEBI work closely with financial institutions, market participants, and infrastructure providers to enhance cybersecurity resilience. These actions are crucial to maintaining investor trust and market integrity amidst the growing threat of cyber-attacks.
SEBI releases a framework for cybersecurity and cyber resilience
The Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) was released by the Securities and Exchange Board of India (SEBI) on August 20, 2024. The CSCRF sets out standards and guidelines for maintaining strong cybersecurity and enhancing cyber resilience across SEBI REs, and supersedes SEBI's existing cybersecurity circulars, guidelines, advisories, and letters.
The CSCRF is organised into four parts:
- Objectives and Standards: the objectives of each set of security controls and the standards against which compliance is measured.
- Guidelines: the measures and actions REs are expected to follow in order to meet the standards.
- Structured formats for compliance: standard forms for compliance reporting, to ensure uniformity and ease of reporting.
- Annexures and References: supplementary material and sources to assist REs in implementing the framework.
Governance and Accountability
Under the CSCRF, SEBI requires Regulated Entities to establish a dedicated cybersecurity committee responsible for formulating cybersecurity policies and monitoring their implementation. The committee is to be composed of senior management and IT specialists, so that cybersecurity considerations are incorporated into all of the Regulated Entity's processes.
Cyber Capability Index
SEBI has also introduced a Cyber Capability Index ("CCI") under the CSCRF, a comprehensive tool for measuring the maturity and resilience of an entity's cybersecurity programme. Qualified Regulated Entities must conduct an annual self-assessment against the CCI, while Market Infrastructure Institutions must undergo a half-yearly (bi-annual) third-party cyber resilience assessment.
Incident Response Strategies
The CSCRF places a strong focus on effective incident handling. Regulated Entities must put policies in place for identifying, handling, and recovering from cyber incidents. This entails setting up an Incident Response Team ("IRT") and establishing a communication channel for notifying SEBI and other relevant authorities of incidents. The CSCRF also requires entities to keep thorough records of every cyber incident and of how it was resolved.
Third-Party Risk Management
The CSCRF also addresses the risks posed by outside suppliers and service providers. Regulated Entities are expected to evaluate and oversee the cybersecurity preparedness of their third-party suppliers and service providers, ensuring that those parties follow comparable security requirements.
Compliance Oversight and Audits
By developing and issuing an auditors' checklist under the CSCRF, SEBI has brought uniformity to the auditing of Regulated Entities. The audit process becomes more efficient, and all Regulated Entities are held to the same standard.
Risk Analysis and Management
Regulated Entities under the CSCRF must conduct periodic risk assessments to identify cybersecurity risks, so that suitable plans can be put in place to mitigate them.
Privacy Protection and Data Security
Protecting sensitive data is a core goal of the CSCRF. Regulated Entities must have strong data encryption, access controls, and privacy safeguards in place. This includes making data-processing procedures transparent and complying with applicable data protection law.
Implementation and Compliance
The launch of the Cybersecurity and Cyber Resilience Framework (CSCRF) by SEBI is a significant advance for the cybersecurity posture of the Indian securities market. Its actual efficacy, though, will be determined by how it is adopted across regulated entities. These entities are expected to adhere to the extensive and well-defined rules set out by SEBI, which give them a structured method for strengthening their cybersecurity practices, and SEBI has set compliance deadlines so that regulated entities are held accountable for following the framework.
Regulated entities must also submit periodic compliance reports on their cybersecurity preparedness and planning, supporting continuous evaluation and improvement. Besides serving as a form of accountability, these reports allow SEBI to monitor the CSCRF's overall efficacy and make any required modifications in light of the changing threat landscape. Through these reporting requirements, SEBI hopes to promote a culture of openness and responsibility and build a more robust cybersecurity environment that safeguards market participants as well as the market itself.
Implementation Timeline
SEBI has taken a staged approach so that Regulated Entities (REs) can comply with the Cybersecurity and Cyber Resilience Framework (CSCRF) without disruption. Entities already covered by an earlier SEBI cybersecurity circular must comply by January 1, 2025; entities for which cybersecurity requirements are being issued for the first time have until April 1, 2025. This schedule gives REs time to review and upgrade their cybersecurity procedures, securing the Indian securities market while minimizing business interruption.
Impact of Cyber Threats on Capital Markets
Globally, capital markets are facing serious risks due to the growing frequency and sophistication of cyber assaults, and India is no exception. These cyberattacks have the potential to have a significant impact on a number of market functions and investor confidence. Principal effects consist of:
- Market Disruption: Cyberattacks directed at financial systems or trading platforms can seriously impair market activity. For example, a denial-of-service (DoS) attack can render a trading platform unusable, resulting in interrupted trading, delayed transactions, and a loss of market liquidity.
- Financial Losses: Market participants may suffer direct financial losses from cyber incidents through stolen funds, compromised accounts, or clean-up and recovery costs. Legal liabilities and regulatory fines following a breach add to the financial burden.
- Investor Confidence: Preserving investor trust is contingent upon the integrity and security of the financial markets. Prominent hacks have the potential to undermine investor trust, resulting in increased market volatility and decreased involvement in trading operations. A decline in investor participation or money withdrawal might have a detrimental effect on the performance of the securities market as a whole.
- Reputational Damage: Businesses impacted by cyber attacks frequently experience reputational damage, which can result in a sustained decline in clientele and commercial connections. It may be difficult for businesses to recover from a breach and restore their reputation in the marketplace.
- Regulatory Scrutiny: As a result of the surge in cyberthreats, authorities are now paying closer attention. Capital market companies may need to make more expenditures in compliance and security measures due to the possibility of tougher rules and scrutiny pertaining to their cybersecurity activities. Licenses may be revoked or consequences applied if regulations are broken.
- Systemic Risk: Cyberattacks can have a systemic impact on a number of market players and could destabilize the larger financial system in a highly integrated financial ecosystem. A big breach at a financial institution or exchange might set off a series of events that would cause widespread fear and market downturns.
- Innovation and Investment in Cybersecurity: Capital market companies have made more investments in cutting-edge technology and cybersecurity solutions as a result of the threat landscape. To strengthen their defences against cyber attacks, organizations are progressively using risk management frameworks, enhanced security measures, and staff training programs.
Protecting India’s Market Infrastructures: SEBI’s Cybersecurity Framework & TPRM
For the Indian securities industry, the Securities and Exchange Board of India (SEBI) has maintained cybersecurity measures since 2015. Until recently, SEBI's cybersecurity and cyber resilience requirements applied chiefly to market intermediaries (MIs), including stock brokers, mutual funds, depository participants, and portfolio managers. As of February 2024, SEBI had begun putting in place a new framework that extends cybersecurity standards to a wider segment of the Indian capital market.
Any firm operating in the Indian financial industry is already, or soon will be, required to comply with SEBI's framework, and penalties for non-compliance can be substantial. Organizations that have not yet integrated third-party risk management (TPRM) into their cybersecurity programme should do so now, both to strengthen their cyber defences and to meet SEBI's requirements.
A synopsis of SEBI’s charter
SEBI was given statutory powers by the Securities and Exchange Board of India Act, 1992, which came into force in April 1992. On its establishment, SEBI superseded the Controller of Capital Issues, which had overseen the Indian securities market since 1947.
The three primary groups that SEBI oversees are investors, market intermediaries, and securities issuers, as stated in the official charter. The following are SEBI’s main goals:
- Investor protection: Safeguarding the interests of investors who are participating in the Indian securities market is SEBI’s main goal.
- Regulating the securities market: SEBI regulates the securities market by framing standards and regulations that apply to all market participants.
- Preventing insider trading: SEBI aims to stop anyone from using unpublished price-sensitive information to make trading decisions.
- Promoting fair practices: By imposing a code of conduct on market participants, SEBI encourages safe and fair market practices.
- Preventing fraudulent activity: When participants violate the board's code of conduct, SEBI investigates the fraudulent behaviour and imposes remedial action.
- Developing the securities market: By adding market liquidity and improving efficiency, SEBI seeks to expand the Indian capital market.
In recent years SEBI has prioritized improving cybersecurity and cyber resilience in the Indian securities industry. This emphasis led to the SEBI cybersecurity framework, which it has enforced on several classes of market participants and is now extending to cover the cyber risk of additional groups.
Third-Party Risk Management (TPRM)
The goal of third-party risk management (TPRM), a kind of risk management, is to recognize and minimize risks associated with using third parties (also known as partners, suppliers, contractors, or service providers).
The goal of the discipline is to help businesses understand the third parties they work with, how they work with them, and what security measures they have in place. A TPRM program’s criteria and scope vary greatly based on the company, industry, regulatory guidelines, and other variables. Nonetheless, a lot of TPRM best practices are cross-industry and fit for any type of company or organization.
The phrase “third-party risk management” is frequently used synonymously with other widely used industry terminology, such as vendor risk management (VRM), vendor management, supplier risk management, or supply chain risk management, although precise meanings may differ. On the other hand, TPRM is frequently seen as the broad discipline that covers all kinds of risks and third parties.
The Essential Role of Third-Party Risk Management
Although the notion of third-party risk is not new, industry-wide breaches and greater dependence on outsourcing have raised the discipline to a new level of prominence. Disruptive events, regardless of size, location, or sector, have affected nearly every firm and its third parties, and cybersecurity incidents and data breaches are frequent among them. Outages and other third-party incidents in 2021 highlighted the effect that third parties have on company resilience. Among the ways a firm can be affected are:
- Internal breakdowns and shortfalls in the ability to operate
- External disruptions affecting various parts of the supply chain
- Supplier disruptions that expose the company to supply chain risk
- Changes in operations that affect the collection, storage, and protection of data
Most contemporary businesses depend on outside partners to maintain seamless operations. When suppliers, vendors, or other third parties fail to deliver, the consequences can therefore be severe and protracted.
For instance, a firm may depend on a service provider such as Amazon Web Services (AWS) to host a cloud application or website; if AWS goes down, the website or application stops working. Another illustration is dependence on a third party to ship goods: a strike by the shipping company's drivers can cause missed delivery dates, client cancellations, and loss of trust, all of which damage the business's finances and reputation.
The SEBI cybersecurity framework and Third-Party Risk Management (TPRM)
Third-party risk poses a serious challenge to the financial sector in the current technological context. Businesses are more networked than ever, and the typical MI depends on a vast network of outside providers to accomplish basic everyday tasks. These suppliers increase productivity and provide financial advantages, but they also expose the business to data security and privacy risk.
Besides being essential for compliance, TPRM is a top concern for MIs seeking to safeguard their operations and interests. Every MI should build a TPRM programme that includes all of the following practices:
1. Due diligence – The best way for financial institutions to protect their third-party environment and adhere to SEBI regulations is to keep risky vendors from ever joining their digital supply chain. MIs should perform due diligence on prospective suppliers during procurement and onboarding, evaluating the security posture of third-party service providers with security ratings and questionnaires.
A thorough security review of a prospective third-party vendor, carried out before the relationship is established, is known as vendor due diligence (VDD). The review tests whether the candidate's claims about its security posture hold up and highlights any security weaknesses that could jeopardize the business partner. Vendors typically need access to private corporate data, including personally identifiable information and even customer financial data, so this check matters.
2. Risk tiering – Vendor tiering groups suppliers according to how serious a risk they pose. Depending on the business impact a service provider has on the firm, vendor relationships should be placed in risk tiers: low, medium, high, and critical.
Financial institutions, particularly those still developing their TPRM programme, may find it difficult to reduce the risk from every third-party supplier at once. Under resource and staffing constraints, risk tiering helps MIs prioritize mitigation and remediation across their most important vendor relationships. By concentrating on critical vendors first, MIs reduce the chance that an unforeseen event at a crucial vendor causes a business disruption.
3. Risk assessment – SEBI's cybersecurity framework requires comprehensive risk management, and a regular risk assessment cadence helps MIs meet that requirement. Third-party risk assessments let financial institutions examine the risks connected with a third-party relationship in a structured, comprehensive way.
4. Continuous security monitoring – To stay compliant with SEBI and keep control of their third-party ecosystem, MIs must remain vigilant throughout the vendor lifecycle. Continuous security monitoring (CSM) lets a firm track changes in a vendor's security posture and spot new weaknesses as they appear.
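The four practices above form one pipeline: score the due-diligence questionnaire, assign a tier from business impact and data access, gate onboarding on a tier-dependent minimum score, and watch the external security rating for deterioration. The following example, added here and not part of the original paper or of any SEBI document, wires those steps together over a small set of constructed vendors. The control list, the tier thresholds, the minimum scores per tier, and the rating-drop and floor values are illustrative assumptions; a real programme would draw them from its own risk appetite and SEBI's requirements.

```python
"""Vendor tiering and continuous-monitoring triage for a TPRM programme (illustrative)."""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Vendor:
    name: str
    business_impact: int        # 1 (negligible) .. 4 (operations stop) if the vendor fails
    data_access: str            # "none", "internal", "pii" or "financial"
    questionnaire: dict         # due-diligence answers: control name -> True/False
    rating_history: list        # external security-rating observations, oldest first


# Assumed weighting of the kind of data a vendor can reach.
DATA_WEIGHT = {"none": 0, "internal": 1, "pii": 2, "financial": 3}

# Assumed minimum control set every questionnaire is scored against.
REQUIRED_CONTROLS = ["mfa", "encryption_at_rest", "incident_notification_sla",
                     "annual_pentest", "soc2_or_iso27001"]

# Assumed minimum due-diligence score needed to onboard a vendor in each tier.
MIN_SCORE = {Tier.CRITICAL: 1.0, Tier.HIGH: 0.8, Tier.MEDIUM: 0.6, Tier.LOW: 0.4}


def assign_tier(v: Vendor) -> Tier:
    """Tier = business impact (1-4) plus data sensitivity (0-3), bucketed."""
    score = v.business_impact + DATA_WEIGHT[v.data_access]
    if score >= 6:
        return Tier.CRITICAL
    if score >= 4:
        return Tier.HIGH
    if score >= 2:
        return Tier.MEDIUM
    return Tier.LOW


def due_diligence_score(v: Vendor) -> float:
    """Fraction of required controls the vendor affirmatively answered."""
    met = sum(1 for c in REQUIRED_CONTROLS if v.questionnaire.get(c, False))
    return met / len(REQUIRED_CONTROLS)


def onboarding_decision(v: Vendor) -> str:
    """Gate onboarding: higher tiers must clear a higher bar."""
    return "approve" if due_diligence_score(v) >= MIN_SCORE[assign_tier(v)] else "reject"


def posture_alerts(v: Vendor, drop_threshold: int = 10, floor: int = 60) -> list:
    """Continuous monitoring: flag a missing rating, a rating below the floor,
    or a drop of drop_threshold or more since the previous observation."""
    hist = v.rating_history
    if not hist:
        return ["no rating data"]
    alerts = []
    if hist[-1] < floor:
        alerts.append(f"rating {hist[-1]} below floor {floor}")
    if len(hist) >= 2 and hist[-2] - hist[-1] >= drop_threshold:
        alerts.append(f"rating dropped {hist[-2] - hist[-1]} points")
    return alerts


def remediation_queue(vendors: list) -> list:
    """Vendors needing attention, highest tier first, weakest diligence first within a tier."""
    flagged = [v for v in vendors
               if posture_alerts(v) or onboarding_decision(v) == "reject"]
    flagged.sort(key=lambda v: (-assign_tier(v), due_diligence_score(v)))
    return [v.name for v in flagged]


ALL_MET = {c: True for c in REQUIRED_CONTROLS}

# Constructed sample vendors (not real companies or real ratings).
VENDORS = [
    Vendor("CloudHost Ltd", 4, "financial", dict(ALL_MET), [85, 84, 72]),
    Vendor("Payroll SaaS", 2, "pii",
           {"mfa": True, "encryption_at_rest": True, "annual_pentest": True}, [70, 71]),
    Vendor("Office Catering", 1, "none", {}, []),
    Vendor("Market Data Feed", 3, "internal", dict(ALL_MET), [90, 88]),
]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:18} tier={assign_tier(v).name:8} "
              f"dd={due_diligence_score(v):.2f} {onboarding_decision(v):7} "
              f"alerts={posture_alerts(v)}")
    print("remediation queue:", remediation_queue(VENDORS))
```

In the sample data the critical hosting vendor passes due diligence but its rating fell twelve points between observations, so it heads the queue; the payroll provider is rejected because a high-tier vendor with only three of five controls does not clear the assumed 0.8 bar; the low-tier caterer is queued last despite having no diligence at all. That ordering is the point of tiering: effort goes first to the vendors whose failure would hurt most.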
Conclusion
The increasing sophistication and frequency of cyberattacks seriously threaten the stability and integrity of the Indian securities market. As technology advances and dependence on digital platforms grows, the financial ecosystem becomes more exposed to hacking, breaches, and other cyber incidents. SEBI has responded to this rising concern with the Cybersecurity and Cyber Resilience Framework (CSCRF), which imposes strict cybersecurity standards across the industry.
The framework is designed to ensure that regulated entities (REs), including stock brokers, mutual funds, depository participants, and portfolio managers, as well as Market Infrastructure Institutions (MIIs), are prepared for, able to withstand, and able to recover from cyber incidents. By broadening the scope of its regulations and aligning them with international best practice, SEBI aims to strengthen the resilience of the Indian capital market.
SEBI's strengthening of the Indian securities market demonstrates its commitment to market stability and investor protection. For the framework to be truly effective, however, it must be implemented carefully and improved continuously in response to the ever-changing cyber threat landscape. Organizations must remain vigilant, maintaining ongoing adherence to SEBI's standards while adopting modern technical controls.
Cybersecurity is now a crucial component of financial regulation rather than only an IT problem. Market participants therefore need to work with regulators, promote a culture of cybersecurity awareness, and invest in secure technology. Cooperation among regulators, firms, and stakeholders will be essential to protecting India's securities market against cyberattacks in the future. SEBI's proactive measures offer a model for preserving the robustness and resilience of financial markets and for keeping them ready to meet the evolving challenges of the digital era.
References
- https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html
- https://ciso.economictimes.indiatimes.com/news/grc/sebi-comes-out-with-new-cyber-security-framework-for-regulated-entities/112671577
- https://www.barandbench.com/law-firms/view-point/cybersecurity-cyber-resilience-framework-sebi-digital-safety
- https://www.dataguidance.com/news/india-sebi-issues-cybersecurity-and-cyber-resilience
- https://seconize.co/blog/sebis-cybersecurity-and-cyber-resilience-framework-cscrf-circular/
Notes:
[1] Student, University of Petroleum & Energy Studies (UPES), Dehradun, School of Law, 4th Year, BA LL.B (Hons) with specialization in Corporate Law. Email: [email protected].