On August 20, 2024, SEBI introduced a new Cybersecurity and Cyber Resilience Framework (CSCRF) aimed at strengthening cybersecurity for all regulated entities in the Indian securities market. This framework updates and supersedes previous cybersecurity guidelines issued by SEBI. The CSCRF is designed to address evolving cyber threats, align with industry standards, and ensure robust cybersecurity practices across various entities, including stock brokers, mutual funds, and investment advisors. It sets forth guidelines for anticipating, withstanding, containing, recovering from, and evolving against cyber incidents. The framework categorizes entities based on their size and scope and includes a structured methodology for implementation and compliance. It mandates the establishment of Security Operation Centres (SOC) and provides provisions for both self-managed and market-provided SOCs, aiming to simplify compliance for smaller entities. Implementation timelines vary, with some entities required to comply by January 1, 2025, and others by April 1, 2025. The framework’s detailed guidelines, including reporting formats and compliance procedures, are available on the SEBI website under the “Legal” section.

Securities and Exchange Board of India

Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 Dated: August 20, 2024

To,
All Alternative Investment Funds (AIFs)
All Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
All Clearing Corporations
All Collective Investment Schemes (CIS)
All Credit Rating Agencies (CRAs)
All Custodians
All Debenture Trustees (DTs)
All Depositories
All Designated Depository Participants (DDPs)
All Depository Participants through Depositories
All Investment Advisors (IAs) / Research Analysts (RAs)
All KYC Registration Agencies (KRAs)
All Merchant Bankers (MBs)
All Mutual Funds (MFs)/ Asset Management Companies (AMCs)
All Portfolio Managers
All Registrar to an Issue and Share Transfer Agents (RTAs)
All Stock Brokers through Exchanges
All Stock Exchanges
All Venture Capital Funds (VCFs)

Dear Sir / Madam,

Subject: Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

Background:

1. SEBI had issued the Cybersecurity and Cyber Resilience Framework for Market Infrastructure Institutions (MIIs) in 2015. Subsequently, SEBI had issued other Cybersecurity and Cyber Resilience Frameworks, in line with the MIIs circular of 2015, for the following REs:

1.1. Stock Brokers and Depository Participants

1.2. Mutual Funds (MFs)/ Asset Management Companies (AMCs)

1.3. KYC Registration Agencies (KRAs)

1.4. Qualified Registrar to an Issue and Share Transfer Agents (QRTAs)

1.5. Portfolio Managers

2. Further, SEBI has also issued various advisories to REs, from time to time, on Cybersecurity best practices.

3. In order to strengthen the cybersecurity measures in the Indian securities market, and to ensure adequate cyber resiliency against cybersecurity incidents/ attacks, the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI REs has been formulated in consultation with the stakeholders. The CSCRF aims to provide standards and guidelines for strengthening cyber resilience and maintaining robust cybersecurity of SEBI REs. This framework shall supersede existing SEBI cybersecurity circulars/ guidelines/ advisories/ letters (the list of such superseded circulars/ guidelines/ advisories/ letters is given as part of the framework attached as Annexure-1).

Objective:

4. The key objective of CSCRF is to address evolving cyber threats, to align with the industry standards, to encourage efficient audits, and to ensure compliance by SEBI REs. The CSCRF also sets out standard formats for reporting by REs.

Approach:

5. The CSCRF is standards based and broadly covers the five cyber resiliency goals adopted from Cyber Crisis Management Plan (CCMP) of Indian Computer Emergency Response Team (CERT-In) for countering Cyber Attacks and Cyber Terrorism including:

5.1. Anticipate

5.2. Withstand

5.3. Contain

5.4. Recover

5.5. Evolve

6. These cyber resiliency goals have been linked with the following cybersecurity functions:

6.1. Governance

6.2. Identify

6.3. Protect

6.4. Detect

6.5. Respond

6.6. Recover

7. CSCRF follows a graded approach and classifies the REs in the following five categories based on their span of operations and certain thresholds like number of clients, trade volume, asset under management, etc.:

7.1. Market Infrastructure Institutions (MIIs)

7.2. Qualified REs

7.3. Mid-size REs

7.4. Small-size REs

7.5. Self-certification REs

8. The framework provides a structured methodology to implement various solutions for cybersecurity and cyber resiliency. In order to facilitate better understanding and ease of compliance, the document is divided into four parts:

8.1. Part I: Objectives and Standards – It contains definitions, framework compliance matrix, audit report timelines, objectives and standards.

8.2. Part II: Guidelines – It contains guidelines which provide recommendations or suggestions on how to achieve a particular outcome or meet certain objectives and implement respective standards. There are certain guidelines which are mandatory in nature and have been specified accordingly.

8.3. Part III: Compliance Formats – It contains standard formats for the submission of CSCRF compliance reports.

8.4. Part IV: Annexures and References – It contains guidelines to auditors, scenario-based cyber resilience testing, Cyber Capability Index (CCI), functional efficacy of Security Operations Centre (SOC), etc.

9. CSCRF highlights the importance of governance and supply chain risk management and, at the same time, focuses on evolving security guidelines such as data classification and localization, Application Programming Interface (API) security, Security Operations Centre (SOC) and measuring its efficacy, Software Bill of Materials (SBOM), etc.

10. CSCRF aims to ensure that even smaller REs are equipped with adequate cybersecurity measures and achieve resiliency against cybersecurity incidents/ attacks.

11. Cyber Capability Index (CCI) for MIIs and Qualified REs shall help these REs to monitor and assess their progress and cyber resilience on a periodic basis.

12. CSCRF mandates that all REs are required to establish appropriate security monitoring mechanisms through Security Operation Centre (SOC). The onboarding of SOC can be done through RE’s own/ group SOC or Market SOC or any other third-party managed SOC for continuous monitoring of security events and timely detection of anomalous activities.

13. As compliance with the cybersecurity guidelines may be onerous for smaller REs due to the lack of knowledge and expertise in cybersecurity and the cost factor involved in setting up their own SOC, CSCRF mandates NSE and BSE to set up a Market SOC (M-SOC) with the objective of providing cybersecurity solutions to such categories of REs.

14. CSCRF contains provisions with respect to various areas such as requirements of IT services, Software as a Service (SaaS) solutions, hosted services, classification of data, audit for software solutions/ applications/ products used by REs, etc.

15. In order to simplify and streamline the reporting of compliance, structured formats for reports and submissions have been provided in the CSCRF.

Applicability:

16. The framework shall be applicable to the following REs:

16.1. Alternative Investment Funds (AIFs)

16.2. Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)

16.3. Clearing Corporations

16.4. Collective Investment Schemes (CIS)

16.5. Credit Rating Agencies (CRAs)

16.6. Custodians

16.7. Debenture Trustees (DTs)

16.8. Depositories

16.9. Designated Depository Participants (DDPs)

16.10. Depository Participants through Depositories

16.11. Investment Advisors (IAs)/ Research Analysts (RAs)

16.12. KYC Registration Agencies (KRAs)

16.13. Merchant Bankers (MBs)

16.14. Mutual Funds (MFs)/ Asset Management Companies (AMCs)

16.15. Portfolio Managers

16.16. Registrar to an Issue and Share Transfer Agents (RTAs)

16.17. Stock Brokers through Exchanges

16.18. Stock Exchanges

16.19. Venture Capital Funds (VCFs)

Implementation Period:

17. Since new standards and controls have been added in CSCRF, a glide-path for adoption of CSCRF provisions has been provided as under:

17.1. For six categories of REs where cybersecurity and cyber resilience circular already exists – by January 01, 2025.

17.2. For other REs where CSCRF is being issued for the first time – by April 01, 2025.

18. REs shall put in place appropriate systems and procedures to ensure compliance with the provisions (i.e., applicable standards and guidelines) of CSCRF, and conduct cyber audit as per CSCRF after the above-mentioned timelines. Cyber audit reports along with other required documents shall be submitted as per timelines provided in the CSCRF.

19. The reporting of compliance with respect to CSCRF shall be done to the authority as per the existing mechanism of reporting for cybersecurity audit.

20. The detailed framework is enclosed at Annexure-1 of this circular.

21. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.

22. The circular is issued with the approval of Competent Authority.

23. This circular is available on the SEBI website at sebi.gov.in under the category “Legal” and the drop-down “Circulars”.

Yours Faithfully,
Shweta Banerjee
Deputy General Manager
Phone: 022-26449509
Email: [email protected]
