Cyber Security and Cyber Resilience

Framework for SEBI Regulated Entities (REs)

Priya Gandhi
Priya Gandhi

Published on: Sep 25, 2024

Khushboo Sharma
Khushboo Sharma

Updated on: Sep 26, 2024

(9 Ratings)
2768

Introduction:

Considering the rapid technological advancement in securities market, there was a greater need for maintaining robust cyber security and to have cyber resilience framework to protect integrity of data and guard against breaches of privacy. SEBI had issued CSCRF for MIIs in 2015. Subsequently, SEBI had issued other CSCRF in line with MIIs circular of 2015 for various other REs, as under:

July 06, 2015

Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporation and Depositories

September 08, 2017

Cyber Security and Cyber Resilience framework for RTAs

December 03, 2018

Cyber Security & Cyber Resilience framework for Stock Brokers / DPs

January 10, 2019

Cyber Security and Cyber Resilience framework for MFs / AMCs

October 15, 2019

Cyber Security & Cyber Resilience framework for KRAs

March 29, 2023

Cyber Security and Cyber Resilience framework for Portfolio Managers

August 20, 2024

Cyber Security and Cyber Resilience Framework for SEBI REs

The CSCRF notified on August 20, 2024, supersedes all the earlier framework, circulars, guidelines on the captioned subject, thereby bringing all the REs under a single umbrella of a consolidated framework, to align with the industry standards, encourage efficient audits and ensure compliance by SEBI REs.

Implementation Period for CSCRF:

SEBI has provided two different dates for the applicability of the said CSCRF for different REs, as under:

January 01, 2025

Intermediaries for which CSCRF was existing:

  1. Stock Exchanges
  2. Clearing Corporations
  3. Depositories
  4. QRTAs
  5. Stock Brokers
  6. DPs
  7. MFs / AMCs
  8. KRAs
  9. Portfolio Managers

April 01, 2025

Intermediaries for which CSCRF was not existing:

  1. AIFs
  2. BTI and SCSBs
  3. CIS
  4. CRAs
  5. Custodians
  6. DTs
  7. IAs/ RAs
  8. MBs
  9. VCFs

Categorization of Regulated Entities:

CSCRF follows a graded approach and classifies the REs, based on their span of operations and certain thresholds like number of clients, trade volume, asset under management, etc., as under:

Entity Criteria Self-certification REs Small-size REs Mid-size REs Qualified REs
AIF AUM Less than Rs. 100 cr Rs. 100 cr and above but less than Rs. 500 cr Rs. 500 cr and above but less than Rs. 1000 cr Rs. 1000 cr and above
BTI and SCSBs Submit Certificate of Compliance with CSCRF to SEBI NA NA NA NA
Stock Brokers Active Client base as per UCC Less than or equal to 10,000 active clients and not providing IBT or Algo trading facility More than 10,000 and up to 50,000 More than 50,000 and up to 5,00,000 More than 5,00,000
Less than or equal to 10,000 active clients and providing IBT or Algo trading facility
CIS Yes
CRAs Yes Rs. 10 Lakh cr and above
Custodians AUC NA Less than Rs. 1 Lakh cr Rs. 1 Lakh cr and above but less than INR 10 Lakh cr
DTs* Yes
DPs Type of DP NA NA Non-institutional DP Institutional DP
DDPs Highest category among DPs and Custodians will be applicable to DDPs
IAs* Individual/ Non-Individual NA Non-Individual IAs shall be categorized as Small-size REs NA NA
RAs* Registration in Other Category of REs NA Yes Yes Yes
MBs NA NA All other MBs which are not covered in Mid-size REs and Qualified REs Engaged in any activity pertaining to issue management inter alia Public Issues (IPOs, FPOs, IPOs by SME), Public Offers by REITs/ InvITs, Buy-Back of Securities, Delisting of Equity Shares, Open Offer Entity or its parent/ subsidiary/ associate company which is a part of a conglomerate/ Systemically Important Financial Institutions
MFs/ AMCs AUM NA Less than Rs. 10,000 cr Rs. 10,000 cr and above but less than Rs. 1 lakh cr Rs. 1 lakh cr and above
Portfolio Managers AUM Less than Rs. 1000 cr Rs. 1000 cr and above but less than Rs. 3000 cr Rs. 3000 cr and above NA
RTAs* Servicing number of folios NA 10,000 and above but less than 1 cr 1 crore and above but less than 2 cr NA
VCFs Sum of corpus of all schemes of VCF Less than Rs. 100 cr Rs. 100 cr and above but less than Rs. 500 cr Rs. 500 cr and above but less than Rs. 1000 cr Rs. 1000 cr and above

*Note:

  1. Category of REs shall be decided at the beginning of the FY based on the data of previous FY.
  2. REs excluded from submission of compliance with CSCRF:
    • FPIs
    • FVCI
    • Individual IAs
    • RAs who are not registered in other categories of REs
    • LPCC
    • QDPs
    • REITs/ InvITs
    • RTAs servicing less than 10,000 folios
    • Vault Managers
  3. KRAs shall be treated at par with MIIs category for the applicability of CSCRF.
  4. In case RE is registered under more than 1 category, then provision of highest category under which such RE falls shall be applicable to that RE.

Brief Look into Key Compliance Obligations under CSCRF:

Constitution of IT Committee

Constitute IT Committee including at least 1 external independent expert on cybersecurity

ISO Audit and Certification

Obtain ISO 27001 certificate (latest version) until August 20, 2025

VAPT

  1. VAPT activity atleast once or twice in a FY (basis category)
  2. Submit report within 1 month of completion of VAPT activity

Cyber Audit

  1. Cyber Audit atleast once or twice in a year (basis category)
  2. Submit report within 1 month of completion of Cyber Audit

Other Key Audits/ Exercise Requirements

  1. Cyber Resilience Third Party Assessment using CCI
  2. Risk Assessment (Threat Based)
  3. Cyber Security Training Program
  4. Red Teaming Excercise
  5. Threat Hunting
  6. Cyber Security scenario based drill exercise

Challenges in Implementing the Framework:

While the framework offers comprehensive guidelines, there are several challenges in its implementation. These include:

  1. Resource Constraints: Smaller entities may face financial and technical challenges in implementing advanced cyber security measures
  2. Evolving Threat Landscape: Cyber Threats are continuously evolving, and the framework must be regularly updated to addressed new vulnerabilities and attack vectors
  3. Talent Shortage: There is a shortage of skilled professionals in the cyber security domain, making it difficult for some entities to find the expertise needed to meet the framework’s requirement
  4. Compliance Burden: The extensive requirements of the framework may pose a compliance burden on entities, particularly when it comes to documentation and reporting obligations.

Conclusion:

In todays’ digital age, financial markets heavily depend on technology to operate smoothly and efficiently. This dependence however, comes with its own set of challenges, particularly concerning the security and resilience of these digital infrastructures. The increasing complexity and frequency of cyber threats have made it imperative for regulatory bodies to introduce robust security measures.

CSCRF for SEBI REs is a critical step in strengthening the financial sector’s defense against cyber threats. As cyber threats continue to evolve, it is essential for financial institutions to remain vigilant, continuously improve their security measures, and foster a culture of cyber awareness to ensure the safety and integrity of the entire financial ecosystem.

Abbreviations Used

Entity Description
SEBI Securities and Exchange Board of India
CSCRF Cyber Security and Cyber Resilience Framework
REs Regulated Entities
MIIs Market Infrastructure Institutions
QRTAs Qualified Registrar to an Issue and Share Transfer Agents
DPs Depository Participants
MFs / AMCs Mutual Funds / Asset Management Companies
KRAs KYC Registration Agencies
AIFs Alternative Investment Funds
BTI and SCSBs Bankers to an Issue and Self-Certified Syndicate Banks
CIS Collective Investment Schemes
CRAs Credit Rating Agencies
DTs Debenture Trustees
IAs/ RAs Investment Advisors / Research Analysts
MBs Merchant Bankers
VCFs Venture Capital Funds
FVCI Foreign Venture Capital Investors
FPI Foreign Portfolio Investors
DDP Designated Depository Participants
LPCC Limited Purpose Clearing Corporation
QDPs Qualified Depository Participants
REITs/ InvITs Real Estate Investment Trust/ Infrastructure Investment Trust
AUM Asset Under Management
CCI Cyber Capability Index
UCC Unique Client Code
AUC Asset Under Custody
FY Financial Year
CR Crore(s)
IBT Internet Based Trading
IPO Initial Public Offer
FPO Follow-on Public Offer
SME Small and Medium Enterprises
ISO International Organization for Standardization
VAPT Vulnerability Assessment & Penetration Testing

Disclaimer

The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create and receipt of it does not constitute any relationship. Readers should not act upon this information without seeking professional legal counsel.

Tell us how helpful was this post?

Subscribe Newsletter Request a demo Contact Us