SEBI issued a Consultation Paper on the Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) on July 04, 2023. The framework sets out the following compliance requirements for REs:
- REs shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The Board / Partner / Proprietor of the RE shall approve the list of critical systems.
- REs shall formulate a comprehensive cybersecurity and cyber resilience policy and incorporate best practices from standards such as ISO 27001, COBIT 5, etc.
- Comprehensive scenario-based testing shall be conducted to assess cybersecurity risk in the RE's IT environment, covering both internal and external cyber-risks.
- REs shall be solely accountable for all aspects of the third-party services they avail, including (but not limited to) the confidentiality, integrity, availability, non-repudiation and security of their data and logs, and for ensuring compliance with laws, regulations, circulars, etc. issued by SEBI / the Government of India. Accordingly, REs shall be responsible and accountable for any violation of the same.
- A strong log retention policy, password policy and access policy shall be documented and implemented.
- REs shall implement network segmentation techniques to restrict access to the sensitive information, hosts, and services.
- Full-disk Encryption (FDE) shall be layered with File-based Encryption (FE) for data protection. FDE protects data only while the system is powered off or the volume is unmounted; file-based encryption keeps individual files protected on a running system, which is why the two are layered rather than used alone.
- For the development of all critical software / applications and further feature enhancements, there shall be separate Development, System Integration Testing, User Acceptance Testing and Quality Assurance environments.
- A periodic audit of the implementation of, and compliance with, the standards mentioned in the consolidated CSCRF shall be conducted by a CERT-In empanelled auditor.
- Vulnerability Assessment and Penetration Testing (VAPT) shall be conducted to detect open vulnerabilities in the IT environment for critical assets and infrastructure components as defined in the framework. The paper also sets out a comprehensive VAPT scope.
- Application Programming Interface (API) security, including rate limiting, throttling and proper authentication and authorisation mechanisms, shall be implemented, along with an endpoint security solution.
- Applicable to Market Infrastructure Institutions (MIIs): ISO 27001 certification shall be mandatory for MIIs, as it provides the essential security standards for an Information Security Management System (ISMS).
- Applicable to MIIs: MIIs shall conduct self-assessment of their cyber resilience using Cyber Capability Index (CCI) on a quarterly basis.
- REs shall establish appropriate security monitoring through a Security Operations Centre (SOC) [the RE's own SOC, a third-party SOC, or a managed SOC] for continuous monitoring of security events and timely detection of anomalous activities.
- The functional efficacy of the SOC shall be measured on a half-yearly basis. The paper formulates a quantifiable method and an indicative (not exhaustive) list of parameters for measuring SOC efficacy.
- Applicable to MIIs: MIIs shall conduct red teaming exercises as part of their cybersecurity framework.
- All REs shall formulate an up-to-date Cyber Crisis Management Plan (CCMP).
- A comprehensive incident response management plan and the corresponding SOPs shall be established by REs.
- Alerts generated by monitoring and detection systems shall be suitably investigated, including Root Cause Analysis (RCA).
- A comprehensive response and recovery plan shall be documented and triggered for the timely restoration of systems affected by a cyber incident.
- An indicative (not exhaustive) recovery plan is annexed to the paper.
- Actions taken during the recovery process shall be communicated to all related stakeholders.
REs shall report their compliance with the framework to their respective authorities in the standardised formats notified by SEBI.