Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) - SEBI - SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 (Extract)

CIRCULAR

SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113
August 20, 2024

To,
All Alternative Investment Funds (AIFs)
All Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
All Clearing Corporations
All Collective Investment Schemes (CIS)
All Credit Rating Agencies (CRAs)
All Custodians
All Debenture Trustees (DTs)
All Depositories
All Designated Depository Participants (DDPs)
All Depository Participants through Depositories
All Investment Advisors (IAs) / Research Analysts (RAs)
All KYC Registration Agencies (KRAs)
All Merchant Bankers (MBs)
All Mutual Funds (MFs)/ Asset Management Companies (AMCs)
All Portfolio Managers
All Registrar to an Issue and Share Transfer Agents (RTAs)
All Stock Brokers through Exchanges
All Stock Exchanges
All Venture Capital Funds (VCFs)

Dear Sir / Madam,

Subject: Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

Background:

1. SEBI had issued the Cybersecurity and Cyber Resilience Framework for Market Infrastructure Institutions (MIIs) in 2015. Subsequently, SEBI issued other Cybersecurity and Cyber Resilience frameworks, in line with the MIIs circular of 2015, for the following REs:
1.1. Stock Brokers and Depository Participants
1.2. Mutual Funds (MFs)/ Asset Management Companies (AMCs)
1.3. KYC Registration Agencies (KRAs)
1.4. Qualified Registrar to an Issue and Share Transfer Agents (QRTAs)
1.5. Portfolio Managers

2. Further, SEBI has also issued various advisories to REs, from time to time, on cybersecurity best practices.

3. In order to strengthen the cybersecurity measures in the Indian securities market, and to ensure adequate cyber resiliency against cybersecurity incidents/ attacks, the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI REs has been formulated in consultation with the stakeholders. The CSCRF aims to provide standards and guidelines for strengthening cyber resilience and maintaining robust cybersecurity of SEBI REs. This framework shall supersede existing SEBI cybersecurity circulars/ guidelines/ advisories/ letters (the list of such superseded circulars/ guidelines/ advisories/ letters is given as part of the framework attached as Annexure-1).

Objective:

4. The key objective of CSCRF is to address evolving cyber threats, to align with industry standards, to encourage efficient audits, and to ensure compliance by SEBI REs. The CSCRF also sets out standard formats for reporting by REs.

Approach:

5. The CSCRF is standards based and broadly covers the five cyber resiliency goals adopted from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In) for countering Cyber Attacks and Cyber Terrorism, including:
5.1. Anticipate
5.2. Withstand
5.3. Contain
5.4. Recover
5.5. Evolve

6. These cyber resiliency goals have been linked with the following cybersecurity functions:
6.1. Governance
6.2. Identify
6.3. Protect
6.4. Detect
6.5. Respond
6.6. Recover

7. CSCRF follows a graded approach and classifies the REs into the following five categories based on their span of operations and certain thresholds like number of clients, trade volume, assets under management, etc.:
7.1. Market Infrastructure Institutions (MIIs)
7.2. Qualified REs
7.3. Mid-size REs
7.4. Small-size REs
7.5. Self-certification REs

8. The framework provides a structured methodology to implement various solutions for cybersecurity and cyber resiliency. In order to facilitate better understanding and ease of compliance, the document is divided into four parts:
8.1. Part I: Objectives and Standards - It contains definitions, the framework compliance matrix, audit report timelines, objectives and standards.
8.2. Part II: Guidelines - It contains guidelines which provide recommendations or suggestions on how to achieve a particular outcome or meet certain objectives and implement the respective standards. Certain guidelines are mandatory in nature and have been specified accordingly.
8.3. Part III: Compliance Formats - It contains standard formats for the submission of CSCRF compliance reports.
8.4. Part IV: Annexures and References - It contains guidelines to auditors, scenario-based cyber resilience testing, Cyber Capability Index (CCI), functional efficacy of Security Operations Centre (SOC), etc.

9. CSCRF highlights the importance of governance and supply chain risk management and, at the same time, focuses on evolving security guidelines such as data classification and localization, Application Programming Interface (API) security, Security Operations Centre (SOC) and measuring its efficacy, Software Bill of Materials (SBOM), etc.

10. CSCRF aims to ensure that even smaller REs are equipped with adequate cybersecurity measures and achieve resiliency against cybersecurity incidents/ attacks.

11. The Cyber Capability Index (CCI) for MIIs and Qualified REs shall help these REs to monitor and assess their progress and cyber resilience on a periodic basis.

12. CSCRF mandates that all REs establish appropriate security monitoring mechanisms through a Security Operations Centre (SOC). The onboarding of SOC can be done through the RE's own/ group SOC, Market SOC, or any other third-party managed SOC for continuous monitoring of security events and timely detection of anomalous activities.

13. As compliance with the cybersecurity guidelines may be onerous for smaller REs, due to the lack of knowledge and expertise in cybersecurity and the cost involved in setting up their own SOC, CSCRF mandates NSE and BSE to set up a Market SOC (M-SOC) with the objective of providing cybersecurity solutions to such categories of REs.

14. CSCRF contains provisions with respect to various areas such as requirements for IT services, Software as a Service (SaaS) solutions, hosted services, classification of data, audit of software solutions/ applications/ products used by REs, etc.

15. In order to simplify and streamline the reporting of compliance, structured formats for reports and submissions have been provided in the CSCRF.

Applicability:

16. The framework shall be applicable to the following REs:
16.1. Alternative Investment Funds (AIFs)
16.2. Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
16.3. Clearing Corporations
16.4. Collective Investment Schemes (CIS)
16.5. Credit Rating Agencies (CRAs)
16.6. Custodians
16.7. Debenture Trustees (DTs)
16.8. Depositories
16.9. Designated Depository Participants (DDPs)
16.10. Depository Participants through Depositories
16.11. Investment Advisors (IAs)/ Research Analysts (RAs)
16.12. KYC Registration Agencies (KRAs)
16.13. Merchant Bankers (MBs)
16.14. Mutual Funds (MFs)/ Asset Management Companies (AMCs)
16.15. Portfolio Managers
16.16. Registrar to an Issue and Share Transfer Agents (RTAs)
16.17. Stock Brokers through Exchanges
16.18. Stock Exchanges
16.19. Venture Capital Funds (VCFs)

Implementation Period:

17. Since new standards and controls have been added in CSCRF, a glide-path for adoption of CSCRF provisions has been provided as under:
17.1. For the six categories of REs where a cybersecurity and cyber resilience circular already exists: by January 01, 2025.
17.2. For other REs, where CSCRF is being issued for the first time: by April 01, 2025.

18. REs shall put in place appropriate systems and procedures to ensure compliance with the provisions (i.e., applicable standards and guidelines) of CSCRF, and conduct cyber audits as per CSCRF after the above-mentioned timelines. Cyber audit reports, along with other required documents, shall be submitted as per the timelines provided in the CSCRF.

19. The reporting of compliance with respect to CSCRF shall be done to the authority as per the existing mechanism of reporting for cybersecurity audit.

20. The detailed framework is enclosed at Annexure-1 of this circular.

21. This circular is being issued in exercise of the powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.

22. The circular is issued with the approval of the Competent Authority.

23. This circular is available on the SEBI website at www.sebi.gov.in under the category "Legal" and the drop-down "Circulars".

Yours Faithfully,
Shweta Banerjee
Deputy General Manager
Phone: 022-26449509
Email: [email protected]