Cybersecurity and Cyber Resilience Framework for SEBI Regulated Entities


7, October 2024

WHAT’S NEW?

The Securities and Exchange Board of India (SEBI) has introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) as a comprehensive update to its previous cybersecurity guidelines. The framework explicitly supersedes all prior SEBI cybersecurity circulars and related advisories, creating a single unified framework that addresses the evolving nature of cyber threats more effectively than the earlier, piecemeal guidance.


OVERVIEW OF SEBI CSCRF CIRCULAR

Background

  • Since 2015, the Securities and Exchange Board of India (SEBI) has issued Cybersecurity and Cyber Resilience Frameworks (CSCRF) and various advisories for Market Infrastructure Institutions (MIIs) and other Regulated Entities (REs).
  • Most recently, on 20 August 2024, SEBI formulated the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI REs to strengthen cybersecurity measures across the Indian securities market and ensure adequate cyber resilience against cybersecurity incidents and attacks.

Objective

CSCRF’s main objectives are to proactively strengthen REs’ security postures and prepare their operations to withstand and recover from cyber incidents.

  • Enhance Scope of current CSCRF
  • Uniformity of cybersecurity guidelines for all REs
  • Strengthen the mechanism to deal with cyber risks, threats, incidents, etc.

CSCRF – THE FRAMEWORK

SEBI’s CSCRF provides a standardized approach to implementing established cybersecurity and cyber resilience methodologies, such as the ISO 27000 series, CIS Controls v8 and NIST SP 800-53. Below is the CSCRF framework structure that SEBI expects REs to implement for compliance.

CSCRF – IMPORTANT HIGHLIGHTS

CSCRF highlights the importance of governance and supply chain risk management and, at the same time, focuses on evolving security guidelines such as data classification and localization, Application Programming Interface (API) security, the Security Operations Centre (SOC) and the measurement of its efficacy, the Software Bill of Materials (SBOM), etc.

Security Operations Centre (SOC)

CSCRF mandates that all REs establish appropriate security monitoring mechanisms through a Security Operation Centre (SOC). The SOC can be onboarded through the RE’s own/ group SOC, market SOC, or any other third-party managed SOC.

Software Bill of Materials (SBOM)

REs are to maintain a formal record containing the details and supply chain relationships of the various components, such as open-source code, commercial components, etc., used in building software. The SBOM enumerates these components for each product.

Data Classification & Localization

All data generated (including its creation and storage) within the legal boundaries of India must remain within the legal boundaries of India. CSCRF provides data localization standards for:

  • Regulatory Data
  • IT and Cybersecurity Data

VAPT after Major Change/ Major Release

CSCRF mandates a VAPT after every major release or change. Some examples of major releases/changes:

  • Implementation of a new SEBI circular.
  • Changes in core versions of software
  • Introduction of new security protocols

Application Programming Interface (API) Security

Application Programming Interface (API) security and Endpoint security solutions shall be implemented with rate limiting, throttling, and proper authentication and authorization mechanisms.
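To make the above requirement concrete, here is an added example (not SEBI’s text or Uniqus’s code) of the checks an API gateway applies to each request, in the order a practitioner would typically apply them: authenticate the caller, throttle total load on the endpoint, rate-limit each authenticated client with a token bucket, and only then authorize the requested scope. All API keys, client identifiers, scopes and limits are constructed values; the `now` parameter exists so the behaviour can be exercised with a fixed clock.

```python
"""Added example: authentication, throttling, per-client rate limiting and
authorization in front of an API. All credentials and limits are constructed."""
import hashlib
import time
from typing import Dict, Optional, Set, Tuple


def _fingerprint(api_key: str) -> str:
    # Store only a digest of each API key so a leaked credential table
    # does not directly leak usable keys.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed credential store: key digest -> (client id, granted scopes).
CREDENTIALS: Dict[str, Tuple[str, Set[str]]] = {
    _fingerprint("key-alpha"): ("client-alpha", {"orders:read"}),
    _fingerprint("key-beta"): ("client-beta", {"orders:read", "orders:write"}),
}


class TokenBucket:
    """Token bucket: `capacity` bounds the burst, `refill_per_sec` the sustained rate."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def try_consume(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGateway:
    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0,
                 global_capacity: int = 1000, global_refill_per_sec: float = 100.0) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.global_capacity = global_capacity
        self.global_refill_per_sec = global_refill_per_sec
        self.global_bucket: Optional[TokenBucket] = None
        self.client_buckets: Dict[str, TokenBucket] = {}

    def handle(self, api_key: str, scope: str, now: Optional[float] = None) -> Tuple[int, str]:
        """Return an HTTP-style (status, reason) decision for one request."""
        if now is None:
            now = time.monotonic()

        # 1. Authenticate: unknown key -> 401 before any resource is touched.
        ident = CREDENTIALS.get(_fingerprint(api_key))
        if ident is None:
            return 401, "unauthenticated"
        client_id, scopes = ident

        # 2. Throttle: one bucket bounds total load on the endpoint.
        if self.global_bucket is None:
            self.global_bucket = TokenBucket(self.global_capacity, self.global_refill_per_sec, now)
        if not self.global_bucket.try_consume(now):
            return 429, "endpoint throttled"

        # 3. Rate limit: one bucket per authenticated client. Consumed before
        #    authorization so that a flood of forbidden requests is also limited.
        bucket = self.client_buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec, now)
            self.client_buckets[client_id] = bucket
        if not bucket.try_consume(now):
            return 429, "client rate limit exceeded"

        # 4. Authorize: the key must carry the scope the call requires.
        if scope not in scopes:
            return 403, "forbidden"
        return 200, "ok"


if __name__ == "__main__":
    gw = ApiGateway(capacity=3, refill_per_sec=1.0)
    for t in (0.0, 0.1, 0.2, 0.3, 1.4):
        print(t, gw.handle("key-alpha", "orders:read", now=t))
```

Requests that fail authentication are rejected without touching any bucket; in a deployment they would additionally be limited by source address, which this example leaves out. The per-client bucket is consumed before the scope check so that a client cannot probe forbidden endpoints faster than its rate limit allows.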

Cybersecurity and Quantum Computing

To mitigate the risk of quantum computing being able to break today’s asymmetric cryptographic systems, REs have been provided guidelines such as:

  • Maintain inventory of cryptographic assets
  • Explore the feasibility to adopt PQC and technologies like Quantum Key Distribution (QKD)

CSCRF – COMPLIANCE REQUIREMENTS

Obligations of REs

  • Put in place appropriate systems and procedures to ensure compliance with the provisions (i.e., applicable standards and guidelines) of CSCRF.
  • Conduct cyber audit as per CSCRF and submit audit reports to SEBI along with other required documents as per timelines provided in the CSCRF.
  • For ease of compliance, REs must comply with all applicable standards and mandatory guidelines as mentioned in CSCRF.
  • MIIs and Qualified REs shall strive to build an automated tool and suitable dashboards (preferably integrated with a log aggregator) for reporting compliance with CSCRF.

SUGGESTED APPROACH TO CSCRF

Identify

  • Identify CSCRF requirements based on the RE category.
  • Identify stakeholders across the CSCRF value chain.
  • Conduct table-top exercises with stakeholders to identify high-level gaps against CSCRF requirements.
  • Identify the current state of security capabilities.

Assess

  • Conduct a detailed assessment against CSCRF standards and guidelines and identify gaps.
  • Risk-prioritize mitigation actions and develop a roadmap in line with CSCRF compliance reporting timelines.

Design

  • Develop/update CSCRF policies, procedures, and templates in line with the standards, guidelines & reporting requirements of CSCRF.
  • Identify, evaluate, and select solutions/ methods/ vendors/ updates, etc., to comply with CSCRF’s requirements.

Implement

  • Implement the updated policies, procedures, templates, tools, solutions, etc.
  • Monitor KPIs and iterate improvements to achieve adherence to CSCRF requirements.

Report & Certify

  • Conduct pre-certification assessments (including CCI) to assess readiness.
  • ISO Certification (MIIs & Qualified REs).
  • Identify & contract CERT-In empaneled auditor.
  • Conduct Cyber Audit and submit audit reports to SEBI for certifying compliance.

HOW CAN UNIQUS HELP?

We have developed a customized approach to help clients meet the CSCRF requirements based on their current state of maturity and mandatory requirements and incorporate the future needs of the organization based on its strategy and evolving threat landscape. We offer full spectrum Cyber services in a collaborative, alliance-led, fit-for-purpose, and business-centric model.

Assess and Design

  • CSCRF Current State Assessment with Risk-Prioritized Roadmap
  • Technical Security Assessments – VA/ PT, API Security, Cloud Security, Red Teaming, Threat Hunting, SOC, etc.
  • Cyber GRC Framework development including policies, procedures, plans, templates, etc.
  • Design of Cyber Architecture, Tools/ Solutions specifications, Third-Party Risk Management, etc.

Implement

  • Cyber Program Management Office (PMO) for Implementation
  • Cyber Tools/ Solutions (SOC, Threat Intelligence, Data Classification, etc.) implementation with Alliance Partners
  • Cyber GRC implementation
  • Automation & Dashboarding for Continuous Controls/ Compliance Monitoring (CCM)

Manage

  • Operate, Monitor & Manage Cyber GRC
  • Cyber Capability Index (CCI) Maturity monitoring and improvement through Automation
  • External Independent Expert on Cybersecurity for IT Committee
  • Compliance Reporting Management

KEY ACTIONS

We have defined some immediate key actions, which Uniqus can support the REs with to implement an optimal approach for SEBI’s CSCRF.

  • Identify key stakeholders & formulate CSCRF committee
  • Review current security posture, including third-party risk
  • Update existing policies and procedures aligned to CSCRF
  • Implement/ Enhance Threat Monitoring and Incident Reporting tools