New Standards for Regulated Entities: SEBI’s Comprehensive Cybersecurity and Resilience Framework

  • Editorial Board
  • Aug 26, 2024

Updated: May 2

Introduction

On 20.08.2024, the Securities and Exchange Board of India (‘SEBI’) released the Cybersecurity and Cyber Resilience Framework[i] (‘CSCRF/Framework’), marking a significant step forward in enhancing the cybersecurity measures of regulated entities (‘REs’) in the Indian securities market. This framework builds on SEBI’s previous initiatives, beginning with a series of circulars issued since 2015 aimed at strengthening cybersecurity resilience. The CSCRF was developed through extensive consultations with a diverse range of stakeholders, including Market Infrastructure Institutions (‘MIIs’), industry associations, government bodies like CERT-In and the National Critical Information Infrastructure Protection Centre, as well as industry experts and cloud service providers (‘CSPs’). Endorsed by SEBI’s High Powered Steering Committee on Cybersecurity (‘HPSC-CS’), the Framework supersedes earlier guidelines, providing a comprehensive standard for enhancing cyber resilience within the securities market.

Scope and Structure of CSCRF

The CSCRF offers a standardised approach to cybersecurity for SEBI REs, aligning with global standards like ISO 27000, CIS v8, and NIST 800-53. Based on their operational scope and thresholds, it classifies REs into five groups: MIIs, Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs. The Framework is divided into four parts: objectives and standards, guidelines, structured formats for compliance, and annexures and references, offering detailed guidance for implementing and reporting cybersecurity measures.

Changes from Erstwhile Provisions

Previously, SEBI issued separate cybersecurity and cyber resilience frameworks for different REs. The CSCRF now unifies these guidelines into a single, comprehensive framework applicable to all REs, ensuring consistency and standardisation. While earlier frameworks primarily focused on basic cybersecurity measures, the CSCRF addresses emerging threats, including data localisation, quantum computing risks, and evolving attack vectors, ensuring that REs adapt to new challenges.

Additionally, previous provisions did not categorise REs based on their operational span or thresholds. CSCRF introduces a graded compliance approach tailored to the RE’s size, resources, and cybersecurity needs, making compliance more manageable for smaller entities. Furthermore, earlier guidelines did not mandate the establishment of a Market Security Operations Centre (‘SOC’). The CSCRF requires the National Stock Exchange (NSE) and Bombay Stock Exchange (BSE) to set up market SOCs, offering smaller REs a cost-effective resource for monitoring and compliance.

Part-I: Goal and Objectives

The CSCRF is built on two primary approaches: cybersecurity, which includes governance and operational controls, and cyber resilience, which focuses on anticipating, withstanding, recovering from, and evolving in response to cyber threats. Key aspects include:

  • Governance Function: REs must establish clear cybersecurity roles, responsibilities, and accountability mechanisms while continuously improving their cyber risk management strategies.

  • Cyber Capability Index (‘CCI’): MIIs and Qualified REs are required to regularly assess their cyber resilience.

  • Protection Measures: Include implementing robust authentication policies, network segmentation, encryption, and ensuring compliance with third-party service regulations.

  • Regular Audits: Vulnerability assessments and ISO 27001 certification are mandatory for MIIs and Qualified REs.

  • SOC Monitoring: Continuous security monitoring through SOCs is required, with biannual efficacy assessments for MIIs and Qualified REs.

  • Incident Response: To handle cyber incidents effectively, REs must develop incident response management plans, including Cyber Crisis Management Plans (‘CCMP’) and Root Cause Analysis (‘RCA’).

  • Recovery Plans: Comprehensive recovery plans must be in place to restore affected systems and maintain communication with stakeholders, emphasising resilience.

  • Future Readiness: The CSCRF prepares REs for future cybersecurity challenges, including quantum computing threats, through continuous risk assessments and robust data protection strategies.

Part-II: CSCRF Guidelines

The guidelines provide direction to REs on implementing the standards specified in the CSCRF, which is based on 5 cyber resiliency goals derived from CERT-In’s CCMP: Anticipate, Withstand, Contain, Recover, and Evolve. These goals link to various cybersecurity functions as outlined above. Summarized herein are the key guidelines and their applicability:

Cyber Resilience Goal (Standard: S)

Anticipate

Governance (GV)

  • Organizational Context (OC) Guidelines

GV. OC. S2, S3 – Applicable to all REs except small, self-certification REs – Define cybersecurity roles and responsibilities for stakeholders. Conduct audits from third-party auditors. SEBI will have search and seizure powers and can request audit reports.

  • Role and Responsibilities and Authorities (RR) Guidelines

GV. RR. S3 – Applicable to MIIs, Qualified REs (Mandatory).

GV. RR. S4 – Applicable to all REs except small, self-certification REs – Allocate resources aligned with cybersecurity risk strategy, rules and policies.

GV. RR. S5, S6 – Applicable to all REs except small, self-certification REs – Ensure employees hired do not threaten cybersecurity posture.

  • Policy (PO)

GV. PO. S1, S2, S5:

Applicable to all REs (Mandatory) – Designate a senior official as CISO, reporting to the CEO/MD. Designate personnel for cybersecurity risk assessment.

Applicable to all REs except small self-certification REs – Establish an IT committee for compliance management, review cybersecurity incidents, and follow NCIIPC principles.

Applicable to all REs except small self-certification REs – Incorporate best practices from ISO 27001, ISO 27002, etc.

  • Oversight (OV) Guidelines

GV. OV. S4 – Applicable to MIIs and Qualified REs (Mandatory) – Conduct third-party and self-assessments of cyber resilience.

  • Risk Management (RM) Guidelines

GV. RM. S1, S2, S3 – Applicable to all REs except small, self-certification REs – Cyber risk management must include identification, classification, risk appetite, mitigation, monitoring and evaluation. Follow ISO 27005 and other standards.

  • Supply Chain RM (SC) Guidelines

GV. SC. S4:

Applicable to MIIs and Qualified REs (Mandatory) – Instruct third-party service providers to follow CSCRF guidelines and obtain cyber audit certifications.

Applicable to all REs (Mandatory) – Ensure outsourced activities comply with CSCRF, monitor third-party compliance and conduct background checks.

GV. SC. S5 – Applicable to all REs (Mandatory) – Obtain SBOMs for critical systems and mandate them in vendor criteria.

GV. SC. S7 – Applicable to all REs except small-size self-certification REs (Mandatory) – Address concentration risks in outsourcing by implementing controls and conducting audits.

Identify (ID)

  • Asset Management (AM) Guidelines

ID. AM. S1, S4 – Applicable to all REs (Mandatory) – Identify and classify critical systems, maintain an up-to-date asset inventory and conduct criticality assessments.

  • Risk Assessment (RA) Guidelines

ID. RA. S1, S2 – Applicable to all REs except small-size, self-certification REs (Mandatory) – Perform risk assessments, including post-quantum risks and develop a quantifiable cybersecurity risk score.

ID. RA. S3 – Applicable to MIIs and Qualified REs (Mandatory) – Engage in dark web monitoring, anti-phishing solutions and CERT-In advisories.

Protect (PR)

  • Identity Management, Authentication and Access Control (AA) Guidelines

PR. AA. S1, S2, S3, S7, S9 – Applicable to all REs (Mandatory) – Access to systems must be based on need-to-use and least-privilege principles. Implement MFA, antivirus updates and network security management.

PR. AA. S1, S2, S3, S7, S9 – Applicable to all REs except small-size, self-certification REs (Mandatory) – Implement PIM solutions, strong password policies, network segmentation and email security.

PR. AA. S1, S2, S3 – Applicable to Stockbrokers/ Depository Participants (Mandatory) – Stockbrokers to secure perimeter and connectivity for algorithmic trading servers.

PR. AA. S4, S5 – Applicable to MIIs and Qualified REs (Mandatory) – Implement a zero-trust security model with delegated access and regular reviews.

PR. AA. S6, S8 – Applicable to all REs (Mandatory) – Identify and collect all log sources, implement strong log retention policies and monitor logs for unusual patterns.

PR. AA. S10, S11, S12 – Applicable to all REs (Mandatory) – Restrict physical access to critical systems, secure remote support services and monitor environment controls.

PR. AA. S13, S14 – Applicable to all REs (Mandatory) – Formulate data disposal and retention policies and dispose of storage media as required.

PR. AA. S15 – Applicable to all REs except small-size self-certification REs (Mandatory) – Implement EPP, EDR, anti-malware solutions and conduct penetration testing.

PR. AA. S16, S17 – Applicable to all REs except small-size self-certification REs (Mandatory) – Ensure API security with rate limiting, OWASP guidelines and mobile app security with anti-malware and reverse engineering controls.

Detect (DE)

  • Security Continuous Monitoring (CM) Guidelines

DE. CM. S1, S2, S3 – Applicable to all REs (Mandatory) – Implement robust security monitoring systems and use SOC services. Measure SOC efficacy and deploy SEBI solutions.

DE. CM. S4 – Applicable to all REs except small-size self-certification REs (Mandatory) – Monitor IT asset use and manage capacity.

DE. CM. S5 – Applicable to all REs (Mandatory) – Conduct regular cybersecurity audits and VAPT before deploying new systems – Report vulnerabilities to SEBI.

  • Detection Process (DP) Guidelines

DE. DP. S4 – Applicable to MIIs and Qualified REs (Mandatory) – Conduct red teaming exercises and report findings.

DE. DP. S5 – Applicable to MIIs and Qualified REs (Mandatory) – Proactively search for hidden threats on a quarterly basis.

Withstand and Contain

Respond (RS)

  • Incident Management (MA) Guidelines

RS. MA. S1 – Applicable to all REs (Mandatory) – Develop and update an Incident Response Management SOP and CCMP approved by the Board.

RS. MA. S2 – Applicable to all REs except small-size self-certification REs (Mandatory) – Optimise response abilities and ensure timely actions.

RS. MA. S5 – Applicable to MIIs and Qualified REs (Mandatory) – Collaborate with CERT-In’s CSK to trace bots and vulnerabilities.

  • Incident Response Reporting and Communication (CO) Guidelines

RS. CO. S1, S2, S3 – Applicable to all REs (Mandatory) – Report critical incidents within 6 hours and all other incidents within 24 hours to SEBI, CERT-In and NCIIPC. Submit quarterly reports detailing cyber incidents.

RS. CO. S2 – Applicable to MIIs and Qualified REs (Mandatory) – Coordinate response plans and communicate effectively with stakeholders. Notify customers of transaction details.

  • Incident Analysis (AN) Guidelines

RS. AN. S1, S2, S3 – Applicable to all REs (Mandatory) – Investigate alerts promptly, preserve data and evidence and analyse incidents.

RS. AN. S4, S5 – Applicable to all REs (Mandatory) – Conduct thorough investigations, including root cause and forensic analysis. Implement corrective measures based on findings.

Recover (RC)

  • Incident Recovery Plan (RP) Execution Guidelines

RC. RP. S1 – Applicable to MIIs and Qualified REs (Mandatory) – Develop and test response and recovery plans, including backups and spare hardware. Conduct regular business continuity drills.

RC. RP. S2 – Applicable to all REs (Mandatory) – Declare critical disruptions as ‘Disasters’ within 30 minutes and resume operations within 2 hours with minimal data loss.

RC. RP. S3 – Applicable to MIIs and Qualified REs (Mandatory) – Conduct periodic resilience and backup testing involving stakeholders and report results to the IT Committee.

  • Incident Recovery Communication (CO) Guidelines

RC. CO. S1, S2, S3 – Applicable to all REs – REs shall discuss their recovery plans with the IT Committee.

  • Improvements (IM) Guidelines

RC. IM. S1 – Applicable to all REs – While ensuring data protection and process security, REs' BCP-DR capabilities shall support their cyber resilience objectives, rapid recovery, and resumption of critical operations after cybersecurity incidents.

RC. IM. S2 – Applicable to all REs (Mandatory) – REs' RTO shall be met for all interconnected systems and networks through capacity upgrades and periodic coordinated resilience testing.

Evolve (EV)

  • Strategies (ST) Guidelines

EV. ST. S1, S2, S3 – Applicable to all REs except small-size, self-certification REs (Mandatory) – Conduct threat modelling to anticipate new attack vectors, reduce attack surfaces and continuously assess and adapt systems to emerging threats.

Part-III and Part-IV

These sections elaborate on the supersession of previous SEBI circulars, advisories, and letters issued since 2015, covering MIIs, stockbrokers, mutual funds, KYC registration agencies (KRAs), portfolio managers, etc. They also include structured formats for compliance, such as VAPT reports, cyber audit reports, recovery plans, and other relevant references.

Conclusion

The CSCRF is more than a regulatory mandate; it reflects SEBI’s commitment to safeguarding the integrity of India’s securities market in an era of increasingly sophisticated and pervasive cyber threats. By establishing a comprehensive and standardised approach to cybersecurity across all SEBI RE categories, the CSCRF recognises that the threats faced by large market infrastructure institutions differ in scope and scale from those encountered by smaller entities. This graded approach ensures that each RE, regardless of size or operational complexity, is equipped with the tools and protocols to effectively manage and mitigate cyber risks.

The CSCRF represents a forward-looking approach to cybersecurity and cyber resilience for SEBI REs. By standardising cybersecurity measures across distinct RE categories and addressing emerging threats, the framework ensures that India’s securities market is well-protected against the evolving landscape of cyber risks. As technologies and threats evolve, the CSCRF will be regularly updated to meet the securities market's future cybersecurity needs.

End Note

[i] Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, dated 20.08.2024.

Authored by Siddharth Jha, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinions.
