SEBI Proposes a Cybersecurity Framework for Regulated Entities

The Securities and Exchange Board of India (SEBI) released a consultation paper on July 4, 2023, to prescribe a uniform and updated cybersecurity framework for Regulated Entities (REs).

In the consultation paper, named the ‘Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF)’, SEBI emphasises the role of Information Technology (IT) in the growth of the securities market and the importance of an appropriate security framework to protect it. The paper, which serves as a ‘Master Framework’, was drafted after discussions with SEBI’s High-Powered Steering Committee on Cybersecurity. Its goal is to consolidate and create uniformity in the cybersecurity guidelines for REs, strengthening their mechanisms to deal with cyber risks, threats, and incidents.

The framework is based on the principles of cybersecurity, namely Identify, Protect, Detect, Respond, and Recover. The guidelines aim to address all the principles necessary for an ideal cybersecurity framework. According to the guidelines, REs must report framework compliance to their respective authorities using the standardized formats notified by SEBI. The guidelines also include formats for Vulnerability Assessment and Penetration Testing (VAPT) and cyber audit reporting. Further, the framework follows a graded approach, divided into three parts: guidelines that are (i) applicable to all REs, (ii) applicable to specified REs, and (iii) applicable to Market Infrastructure Institutions (MIIs).

In light of the implications that the proposed framework would have for REs, SEBI is seeking public comments and feedback by July 25, 2023.