SEBI’s New Regulations for MIIs: How It Will Strengthen the Framework of Brokerage Firms

Sep 9, 2024

Introduction

In August 2024, the Securities and Exchange Board of India (SEBI) introduced an updated Cybersecurity and Cyber Resilience Framework (CSCRF) to enhance cybersecurity defenses across its regulated entities (REs). As cyber threats continue to evolve, SEBI recognized the importance of establishing a framework that not only protects against cyberattacks but also ensures entities remain resilient during and after incidents.

What is the SEBI Cybersecurity Framework?

The CSCRF is designed to provide clear, actionable guidelines for all entities under SEBI’s regulation, including stock brokers, mutual funds, and portfolio managers, among others. It consolidates earlier cybersecurity frameworks and addresses new, emerging threats in a fast-changing technological landscape. This framework builds on SEBI’s previous circulars from 2015 and later years, which focused on cybersecurity for Market Infrastructure Institutions (MIIs), and now expands to cover a wider array of REs.

Cyberattacks are becoming more sophisticated, and the financial industry is an attractive target. The aim of this framework is to strengthen cyber resilience and ensure that REs can quickly detect, respond to, and recover from any cybersecurity incidents. The framework is organized around five primary goals: Anticipate, Withstand, Contain, Recover, and Evolve.

Why is Cybersecurity Important for SEBI-Regulated Entities?

The financial sector deals with vast amounts of sensitive information and transactions. Breaches in this sector not only affect companies but can also undermine public trust in financial markets. Cyber threats in the financial industry are diverse, including data breaches, ransomware attacks, and phishing schemes aimed at both individuals and organizations.

SEBI’s CSCRF ensures that all regulated entities, regardless of size, are held to high cybersecurity standards. The framework is not just a set of recommendations but a mandatory compliance requirement. It includes regular audits, cybersecurity assessments, and a structured reporting format to ensure transparency and accountability.

Key Objectives of CSCRF

The CSCRF framework is built around the following key objectives:

  1. Addressing Evolving Cyber Threats: SEBI recognizes that as technology advances, the nature of cyber threats evolves. The CSCRF aims to protect regulated entities against these emerging threats.
  2. Aligning with Global Standards: The framework adopts practices from international cybersecurity standards like ISO 27001, NIST, and CIS to ensure that Indian financial institutions are on par with their global counterparts.
  3. Promoting Efficient Audits: By laying down clear standards and compliance metrics, SEBI makes the audit process more streamlined, helping entities better assess and manage their cyber risks.

The 5 Core Goals of the CSCRF

The framework’s five core goals are based on CERT-In’s (Indian Computer Emergency Response Team) Cyber Crisis Management Plan and are critical to understanding how SEBI plans to address cybersecurity issues.

1. Anticipate

Anticipation is the first line of defense. SEBI encourages REs to stay ahead of potential threats by establishing robust cyber risk management frameworks. This involves identifying possible threats and assessing the vulnerabilities within an organization’s IT infrastructure. By doing so, organizations can preemptively plan to mitigate risks before they become severe.

SEBI mandates that entities perform risk assessments, which must include post-quantum risk evaluations, acknowledging the future threat of quantum computing, which could compromise traditional encryption methods. Regular scenario-based testing is also required to simulate various cyberattack scenarios.

2. Withstand

The Withstand goal focuses on the ability of an entity to maintain its critical operations during an ongoing cyberattack. This means that even when systems are under attack, essential functions should continue to run. SEBI calls for business continuity plans and for backup systems that are in place and ready to activate when the primary systems are compromised.

This aspect of the framework also emphasizes the importance of strong governance structures. Entities must have clear roles, responsibilities, and protocols in place, enabling them to respond swiftly and effectively to cybersecurity incidents.

3. Contain

Containment is about limiting the damage once an attack has been detected. SEBI requires entities to set up Security Operations Centers (SOC) that can monitor network activities in real time, allowing for immediate detection of suspicious activities. These SOCs can be in-house, group-level, or even third-party provided. For smaller entities that may lack resources, SEBI has mandated that the National Stock Exchange (NSE) and the Bombay Stock Exchange (BSE) establish a Market SOC (M-SOC) to assist them.

The goal here is to prevent an incident from escalating by quickly isolating compromised systems or sections of the network. Network segmentation, multi-factor authentication, and strong access controls are key measures under this goal.

4. Recover

Recovery is an essential aspect of cyber resilience. SEBI mandates that all entities have a comprehensive recovery plan that includes steps to restore operations post-attack. This involves ensuring that systems can be restored to full functionality as quickly as possible, minimizing downtime and mitigating long-term damage.

An integral part of this recovery plan is regular Vulnerability Assessments and Penetration Testing (VAPT), which help identify weak points in the system. This proactive approach ensures that entities can fix vulnerabilities before they are exploited. Additionally, Root Cause Analysis (RCA) and forensic investigations are required following major cybersecurity incidents to understand how the breach occurred and to prevent future attacks.

5. Evolve

In the face of rapidly changing technology and cyber threats, SEBI emphasizes the need for entities to continuously evolve their cybersecurity measures. This includes updating security protocols regularly, investing in advanced threat detection technologies, and fostering a culture of cybersecurity awareness within the organization.

Evolving cybersecurity practices should be adaptable, considering new technologies such as quantum computing and AI-driven attacks. Regular audits, training programs, and continuous monitoring help ensure that organizations remain at the forefront of cybersecurity best practices.

Framework Structure of CSCRF

The Cybersecurity and Cyber Resilience Framework (CSCRF) introduced by SEBI is divided into four key parts, each guiding entities in implementing robust cybersecurity measures.

1. Objectives and Standards

This section outlines the core cyber resilience goals of the framework—Anticipate, Withstand, Contain, Recover, and Evolve—and sets clear security standards that regulated entities (REs) must follow. These standards aim to ensure that REs are prepared to address both current and emerging cyber threats by establishing strong governance and risk management strategies.

2. Guidelines

This section provides actionable steps to meet the objectives and security standards. While some guidelines are advisory, others are mandatory and include regular Vulnerability Assessments and Penetration Testing (VAPT), incident response planning, and establishing a clear governance structure.

3. Compliance Formats

To ensure consistency across all SEBI-regulated entities, standardized formats are provided for submitting compliance reports, audit findings, and cybersecurity assessments. These templates ensure transparency and uniformity in reporting, helping SEBI maintain a streamlined audit process.

4. Annexures and References

This final section includes additional tools such as VAPT report formats, recovery plan templates, and audit guidelines. These annexures provide practical resources to assist entities in complying with the framework and ensuring effective cybersecurity operations.

Key Requirements of CSCRF

The framework emphasizes several core requirements to ensure REs maintain strong cybersecurity defenses:

1. Cyber Risk Management Framework

Every Regulated Entity (RE) must implement a comprehensive Cyber Risk Management Framework to continuously identify, assess, and mitigate cyber risks. SEBI mandates that entities regularly evaluate current and emerging risks, including post-quantum threats, to ensure proactive and agile responses.

2. Vulnerability Testing and Audits

Regular Vulnerability Assessments and Penetration Testing (VAPT) are mandatory for critical systems to identify and fix vulnerabilities. Larger entities must also achieve ISO 27001 certification, a globally recognized standard for managing information security.

3. Security Operations Centers (SOC)

Each regulated entity must have a Security Operations Center (SOC) for real-time monitoring of security events. For smaller entities, SEBI mandates the establishment of Market SOCs (M-SOC), managed by the NSE and BSE, to provide cost-effective monitoring solutions. This ensures that all entities, regardless of size, have access to continuous security monitoring and real-time threat detection.

Compliance and Deadlines

To ensure a smooth transition, SEBI has introduced a phased compliance timeline:

  • January 1, 2025: Entities that were already subject to previous SEBI cybersecurity frameworks must comply by this date.
  • April 1, 2025: Newly regulated entities must comply by this deadline.

Conclusion

SEBI’s Cybersecurity and Cyber Resilience Framework is a forward-thinking and comprehensive set of guidelines that will help protect the integrity of India’s financial markets. By focusing on the five pillars of cyber resilience—Anticipate, Withstand, Contain, Recover, and Evolve—SEBI ensures that all regulated entities are well-equipped to handle the ever-evolving landscape of cybersecurity threats. Organizations that prioritize compliance with the CSCRF will not only safeguard their operations but also enhance their reputation as secure and trustworthy financial institutions.
