CIRCULAR
SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113
August 20, 2024
To,
All Alternative Investment Funds (AIFs)
All Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
All Clearing Corporations
All Collective Investment Schemes (CIS)
All Credit Rating Agencies (CRAs)
All Custodians
All Debenture Trustees (DTs)
All Depositories
All Designated Depository Participants (DDPs)
All Depository Participants through Depositories
All Investment Advisors (IAs)/ Research Analysts (RAs)
All KYC Registration Agencies (KRAs)
All Merchant Bankers (MBs)
All Mutual Funds (MFs)/ Asset Management Companies (AMCs)
All Portfolio Managers
All Registrar to an Issue and Share Transfer Agents (RTAs)
All Stock Brokers through Exchanges
All Stock Exchanges
All Venture Capital Funds (VCFs)
Subject: Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)
Background:
1. SEBI had issued the Cybersecurity and Cyber Resilience Framework for Market Infrastructure Institutions (MIIs) in 2015. Subsequently, SEBI issued other Cybersecurity and Cyber Resilience frameworks, in line with the MIIs circular of 2015, for the following REs:
1.1. Stock Brokers and Depository Participants
1.2. Mutual Funds (MFs)/ Asset Management Companies (AMCs)
1.3. KYC Registration Agencies (KRAs)
1.4. Qualified Registrar to an Issue and Share Transfer Agents (QRTAs)
1.5. Portfolio Managers
2. Further, SEBI has also issued various advisories to REs, from time to time, on Cybersecurity best practices.
3. In order to strengthen the cybersecurity measures in Indian securities market, and to ensure adequate cyber resiliency against cybersecurity incidents/ attacks, Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI REs has been formulated in consultation with the stakeholders. The CSCRF aims to provide standards and guidelines for strengthening cyber resilience and maintaining robust cybersecurity of SEBI REs. This framework shall supersede existing SEBI cybersecurity circulars/ guidelines/ advisories/ letters (list of such superseded circulars/ guidelines/ advisories/ letters are given as part of the framework attached as Annexure-1).
Objective:
4. The key objective of CSCRF is to address evolving cyber threats, to align with the industry standards, to encourage efficient audits, and to ensure compliance by SEBI REs. The CSCRF also sets out standards formats for reporting by REs.
Approach:
5. The CSCRF is standards based and broadly covers the five cyber resiliency goals adopted from Cyber Crisis Management Plan (CCMP) of Indian Computer Emergency Response Team (CERT-In) for countering Cyber Attacks and Cyber Terrorism including:
5.1. Anticipate
5.2. Withstand
5.3. Contain
5.4. Recover
5.5. Evolve
6. These cyber resiliency goals have been linked with the following cybersecurity functions:
6.1. Governance
6.2. Identify
6.3. Protect
6.4. Detect
6.5. Respond
6.6. Recover
7. CSCRF follows a graded approach and classifies the REs in the following five categories based on their span of operations and certain thresholds like number of clients, trade volume, asset under management, etc.:
7.1. Market Infrastructure Institutions (MIIs)
7.2. Qualified REs
7.3. Mid-size REs
7.4. Small-size REs
7.5. Self-certification REs
8. The framework provides a structured methodology to implement various solutions for cybersecurity and cyber resiliency. In order to facilitate better understanding and ease of compliance, the document is divided into four parts:
8.1. Part I: Objectives and Standards – It contains definitions, framework compliance matrix, audit report timelines, objectives and standards.
8.2. Part II: Guidelines – It contains guidelines which provide recommendations or suggestions on how to achieve a particular outcome or meet certain objectives and implement respective standards. There are certain guidelines, which are mandatory in nature and have been specified accordingly.
8.3. Part III: Compliance Formats – It contains standard formats for the submission of CSCRF compliance reports.
8.4. Part IV: Annexures and References – It contains guidelines to auditors, scenario-based cyber resilience testing, Cyber Capability Index (CCI), functional efficacy of Security Operations Centre (SOC), etc.
9. CSCRF highlights the importance of governance and supply chain risk management and, at the same time, focuses on evolving security guidelines such as data classification and localization, Application Programming Interface (API) security, Security Operations Centre (SOC) and measuring its efficacy, Software Bill of Materials (SBOM), etc.
10. CSCRF aims to ensure that even smaller REs are equipped with adequate cybersecurity measures and achieve resiliency against cybersecurity incidents/ attacks.
11. Cyber Capability Index (CCI) for MIIs and Qualified REs shall help these REs to monitor and assess their progress and cyber resilience on a periodic basis.
12. CSCRF mandates that all REs are required to establish appropriate security monitoring mechanisms through a Security Operations Centre (SOC). The onboarding of SOC can be done through the RE’s own/ group SOC, Market SOC or any other third-party managed SOC for continuous monitoring of security events and timely detection of anomalous activities.
13. Since compliance with the cybersecurity guidelines may be onerous for smaller REs, due to the lack of knowledge and expertise in cybersecurity and the cost involved in setting up their own SOC, CSCRF mandates NSE and BSE to set up a Market SOC (M-SOC) with the objective of providing cybersecurity solutions to such categories of REs.
14. CSCRF contains provisions with respect to various areas such as requirements of IT services, Software as a Service (SaaS) solutions, hosted services, classification of data, audit for software solutions/ applications/ products used by REs, etc.
15. In order to simplify and streamline the reporting of compliance, structured formats for reports and submissions have been provided in the CSCRF.
Applicability:
16. The framework shall be applicable to the following REs:
16.1. Alternative Investment Funds (AIFs)
16.2. Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
16.3. Clearing Corporations
16.4. Collective Investment Schemes (CIS)
16.5. Credit Rating Agencies (CRAs)
16.6. Custodians
16.7. Debenture Trustees (DTs)
16.8. Depositories
16.9. Designated Depository Participants (DDPs)
16.10. Depository Participants through Depositories
16.11. Investment Advisors (IAs)/ Research Analysts (RAs)
16.12. KYC Registration Agencies (KRAs)
16.13. Merchant Bankers (MBs)
16.14. Mutual Funds (MFs)/ Asset Management Companies (AMCs)
16.15. Portfolio Managers
16.16. Registrar to an Issue and Share Transfer Agents (RTAs)
16.17. Stock Brokers through Exchanges
16.18. Stock Exchanges
16.19. Venture Capital Funds (VCFs)
Implementation Period:
17. Since new standards and controls have been added in CSCRF, a glide-path for adoption of CSCRF provisions has been provided as under:
17.1. For six categories of REs where cybersecurity and cyber resilience circular already exists – by January 01, 2025.
17.2. For other REs where CSCRF is being issued for the first time – by April 01, 2025.
18. REs shall put in place appropriate systems and procedures to ensure compliance with the provisions (i.e., applicable standards and guidelines) of CSCRF, and conduct cyber audit as per CSCRF after the above-mentioned timelines. Cyber audit reports along with other required documents shall be submitted as per the timelines provided in the CSCRF.
19. The reporting of compliance with respect to CSCRF shall be done to the authority as per the existing mechanism of reporting for cybersecurity audit.
20. The detailed framework is enclosed at Annexure-1 of this circular.
21. This circular is being issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.
22. The circular is issued with the approval of Competent Authority.
23. This circular is available on the SEBI website at www.sebi.gov.in under the category “Legal” and the drop-down “Circulars”.
Yours faithfully,
Shweta Banerjee
Deputy General Manager
Phone: 022-26449509
Email: [email protected]
Annexure I
Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)
Version 1.0
Executive Summary
The Information Technology Act, 2000 defines Cybersecurity as “Protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction”.
Technology has been a driving force in shaping the securities market, enabling greater efficiency, accessibility, and affordability. However, with swift technological advancements, protection of IT infrastructure and data has become a key concern for SEBI and its Regulated Entities (REs). Since 2015, SEBI has issued various cybersecurity and cyber resilience frameworks to address cybersecurity risks and enhance cyber resilience of SEBI REs. Further, SEBI has also issued several advisories on cybersecurity best practices for REs from time to time.
In order to enhance the scope of the current cybersecurity and cyber resilience framework, to ensure uniformity of cybersecurity guidelines for all REs and to strengthen the mechanism to deal with cyber risks, threats, incidents, etc., the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI REs has been formulated. CSCRF is the result of coordinated efforts after extensive consultations and discussions with the stakeholders including Market Infrastructure Institutions (MIIs), REs, industry associations, government organizations (for example Indian Computer Emergency Response Team – CERT-In, National Critical Information Infrastructure Protection Centre, etc.), Industry Standard Forum (ISF), information security auditors, industry experts, Cloud Service Providers (CSPs), etc., and has also been reviewed by SEBI’s High Powered Steering Committee on Cybersecurity (HPSCCS).
The framework provides a standardized approach to implement various cybersecurity and cyber resilience methodologies. Standards such as ISO 27000 series, CIS v8, NIST 800-53, BIS Financial Stability Institute, CPMI-IOSCO guidelines, etc. were referred to while formulating this framework.
The framework follows a graded approach and classifies the REs in the following five categories based on their span of operations and certain thresholds[1] like number of clients, trade volume, asset under management, etc.:
- Market Infrastructure Institutions (MIIs)
- Qualified REs
- Mid-size REs
- Small-size REs
- Self-certification REs
The framework is divided into four parts:
i. Part I: Objectives and Standards: The objectives highlight goals which a security control needs to achieve. The standards represent established principles for compliance with CSCRF.
ii. Part II: Guidelines: The guidelines recommend measures for complying with standards mentioned in this document. However, few of the guidelines are mandatory in nature and shall be complied by REs as applicable.
iii. Part III: Structured formats for compliance
iv. Part IV: Annexures and References
For ease of compliance, REs are required to comply with all applicable standards and mandatory guidelines as mentioned in CSCRF.
The Structure of CSCRF
The framework is broadly based on two approaches: cybersecurity and cyber resilience. Cybersecurity approach covers various aspects from governance measures to operational controls and the cyber resilience goals include Anticipate, Withstand, Contain, Recover, and Evolve.
The framework also specifies guidelines to ensure standards are implemented in a uniform manner.
The summary of the CSCRF is as follows:
i. Cyber Resilience Goal: Anticipate | Cybersecurity function: Governance
a. REs shall establish, communicate and enforce cybersecurity risk management roles, responsibilities, and authorities to foster accountability and continuous improvement.
b. A comprehensive cybersecurity and cyber resilience policy shall be documented and implemented with the approval of the Board/ Partners/ Proprietor.
c. CSCRF mandates MIIs, Qualified REs, and mid-size REs to prepare cyber risk management framework for identification and analysis, evaluation, prioritization, response and monitoring the cyber risks on a continuous basis.
d. Cyber Capability Index (CCI): This shall be applicable only to MIIs and Qualified REs. MIIs shall conduct third-party assessment of their cyber resilience using CCI on a half-yearly basis. Qualified REs shall do self-assessment of their cyber resilience using CCI on a yearly basis.
e. REs shall be solely accountable for all aspects related to third-party services including (but not limited to) confidentiality, integrity, availability, non-repudiation, security of their data and logs, and ensuring compliance with laws, regulations, circulars, etc. issued by SEBI/ Government of India. Accordingly, REs shall be responsible and accountable for any violations of the same.
ii. Cyber Resilience Goal: Anticipate | Cybersecurity function: Identify
a. REs shall identify and classify critical systems based on their sensitivity and criticality for business operations, services and data management. The Board/ Partners/ Proprietor of the RE shall approve the list of critical systems.
b. Risk assessment (including post-quantum risks[2]) of RE’s IT environment shall be done on a periodic basis. Risk assessment shall include comprehensive scenario-based testing for assessing risks (including both internal and external risks) related to cybersecurity in REs’ IT environment.
c. Threats, vulnerabilities, likelihoods, and impacts shall be used to understand inherent risks and undertake risk response prioritization.
iii. Cyber Resilience Goal: Anticipate | Cybersecurity function: Protect
a. Authentication and access policy along with effective log collection[3] and retention policy shall be documented and implemented.
b. REs shall design and implement network segmentation techniques to restrict access to the sensitive information, hosts, and services.
c. Layering of Full-disk Encryption (FDE) along with File-based Encryption (FE) shall be used for data protection.
d. There shall be separate production and non-production environments for the development of all software/ applications for critical systems and further feature enhancements.
e. Periodic audits shall be conducted by a CERT-In empanelled IS auditing organization to audit the implementation and provide compliance with the applicable standards and mandatory guidelines mentioned in the CSCRF.
f. Vulnerability Assessment and Penetration Testing (VAPT) shall be done to detect vulnerabilities in the IT environment for all critical systems, infrastructure components and other IT systems as defined in the framework. To undertake this activity, a comprehensive VAPT scope has also been specified.
g. Application Programming Interface (API) security and Endpoint security solutions shall be implemented with rate limiting, throttling, and proper authentication and authorisation mechanisms.
h. ISO 27001 certification: ISO 27001 certification shall be mandatory for MIIs and Qualified REs as it provides essential security standards with respect to Information Security Management System (ISMS).
iv. Cyber Resilience Goal: Anticipate | Cybersecurity function: Detect
a. REs shall establish appropriate security mechanisms through Security Operations Centre (SOC) [RE’s own/ group SOC, third-party SOC, or market SOC] for continuous monitoring of security events and timely detection of anomalous activities.
b. Bombay Stock Exchange (BSE) and National Stock Exchange (NSE) have been mandated to set up a Market SOC. Further, small-size REs and Self-certification REs have been mandated to be onboarded on the Market SOC.
c. MIIs and Qualified REs shall measure the functional efficacy of their SOC on a half-yearly basis. The rest of the REs shall obtain the functional efficacy of the SOC utilized by them on a yearly basis from the SOC service providers. A quantifiable method and an indicative list of parameters for measuring SOC efficacy have been given in this framework. The report of functional efficacy of the Market SOC shall be provided by BSE and NSE to SEBI on a periodic basis.
d. Red Teaming: MIIs and Qualified REs shall conduct red teaming exercises as part of their cybersecurity framework.
v. Cyber Resilience Goal: Withstand & Contain | Cybersecurity function: Respond
a. All cybersecurity incidents shall be reported in a timely manner through the SEBI incident reporting portal.
b. All REs shall establish a comprehensive Incident Response Management plan and the corresponding SOPs.
c. All REs shall formulate an up-to-date Cyber Crisis Management Plan (CCMP).
d. In the event of an incident, Root Cause Analysis (RCA) shall be conducted to identify the cause(s) leading to the incident.
e. Where RCA is inconclusive, a forensic analysis shall be undertaken for detailed investigation of the cybersecurity incident.
vi. Cyber Resilience Goal: Recover | Cybersecurity function: Recover
a. A comprehensive response and recovery plan shall be documented. The plan shall be triggered to ensure prompt restoration of systems affected by the cybersecurity incident. An indicative recovery plan has been provided in the CSCRF.
b. Actions taken during recovery process shall be informed to all the relevant stakeholders as required.
vii. Cyber Resilience Goal: Evolve
Adaptive and evolving controls to tackle identified vulnerabilities and to reduce attack surfaces shall be created and incorporated into the RE’s cybersecurity and cyber resilience strategy.
viii. Compliance requirements
The compliance reporting for CSCRF shall be done by the REs to their respective authorities[4] in the standardized formats mentioned in this framework as per the stated periodicity. Since new standards and controls have been added in CSCRF, a glide-path for REs to comply with the CSCRF standards and mandatory guidelines has been provided as under:
a. For six categories of REs where cybersecurity and cyber resilience circular already exists – by January 01, 2025.
b. For other REs where CSCRF is being issued for the first time – by April 01, 2025.
Further, to ensure uniformity in auditing REs w.r.t. CSCRF, an auditors’ checklist and guidelines have been included in this framework.
Future proofing of CSCRF
It is envisaged that quantum computing may be a reality in near future and it may be able to break the encryption schemes widely used today. Thus, quantum computing may evolve into one of the biggest cybersecurity threats and it may potentially expose financial systems to cyber-attacks. While it is still uncertain when quantum technology would be adopted on a large scale, its potential as a cyber threat to the securities market ecosystem is already a matter of concern. The CSCRF has provisions to address ‘harvest now – decrypt later’ attacks through continuous risk assessment and adoption of robust data protection measures.
The framework will continue to be updated based on the maturity of the technologies and their adoption by the REs to meet the future cybersecurity needs of securities market.
[1] Refer ‘Thresholds for REs’ categorization’ section
[2] Quantum computing is a rapidly emerging technology that exploits quantum mechanics’ laws to solve complex problems. Post-quantum cryptography solutions can avert post-quantum risks and provide protection against quantum attacks.
[3] With all relevant fields including verbosity and relevancy.
[4] Refer ‘CSCRF Compliance, Audit Report Submission, and Timelines’ section.
Table of Contents
Abbreviations
Definitions
1. Introduction
2. Thresholds for REs’ categorization
3. IT Committee for REs
4. CSCRF Compliance, Audit Report Submission, and Timelines
4.1. Compliance with the Standards/ Guidelines
4.2. ISO Audit and Certification
4.3. VAPT
4.4. Cyber Audit
4.5. Market SOC
Part I: CSCRF Objectives and Standards
1. Cyber Resilience Goal: ANTICIPATE | Cybersecurity function: GOVERNANCE
1.1. GV.OC: Organizational Context
1.2. GV.RR: Roles, Responsibilities and Authorities
1.3. GV.PO: Policy
1.4. GV.OV: Oversight
1.5. GV.RM: Risk Management
1.6. GV.SC: Cybersecurity Supply Chain Risk Management
2. Cyber Resilience Goal: ANTICIPATE | Cybersecurity function: IDENTIFY
2.1. ID.AM: Asset Management
2.2. ID.RA: Risk Assessment
3. Cyber Resilience Goal: ANTICIPATE | Cybersecurity function: PROTECT
3.1. PR.AA: Identity Management, Authentication, and Access Control
3.2. PR.AT: Awareness and Training
3.3. PR.DS: Data Security
3.4. PR.IP: Information Protection Processes and Procedures
3.5. PR.MA: Maintenance
4. Cyber Resilience Goal: ANTICIPATE | Cybersecurity function: DETECT
4.1. DE.CM: Security Continuous Monitoring
4.2. DE.DP: Detection Process
5. Cyber Resilience Goal: WITHSTAND & CONTAIN | Cybersecurity function: RESPOND
5.1. RS.MA: Incident Management
5.2. RS.CO: Incident Response Reporting and Communication
5.3. RS.AN: Incident Analysis
5.4. RS.IM: Improvements
6. Cyber Resilience Goal: RECOVER | Cybersecurity function: RECOVER
6.1. RC.RP: Incident Recovery Plan Execution
6.2. RC.CO: Incident Recovery Communication
6.3. RC.IM: Improvements
7. Cyber Resilience Goal: EVOLVE
7.1. EV.ST: Strategies
8. Exemption Table
Part II: CSCRF Guidelines
Part III: Structured Formats for CSCRF Compliance
Annexure-A: VAPT Report Format
Annexure-B: Cyber Audit Report Format
Annexure-C: Recovery Plan Template (Reference Guide)
Part IV: CSCRF Annexures and References
Annexure-D: Audit Guidelines
Annexure-E: Scenario-based Cyber Resilience Testing
Annexure-F: Guidelines on Outsourcing of Activities
Annexure-G: Application Authentication Security
Annexure-H: Data Security on Customer Facing Applications
Annexure-I: Data Transport Security
Annexure-J: Framework for Adoption of Cloud Services
Annexure-K: Cyber Capability Index (CCI)
Annexure-L: VAPT Scope
Annexure-M: Cyber-SOC Framework for MIIs
Annexure-N: Functional Efficacy of SOC
Annexure-O: Classification and Handling of Cybersecurity Incidents
Annexure-P: Reporting Format for Self-certification REs
Abbreviations
SN. | Abbreviation | Explanation/ Expansion |
1. | ACL | Access Control List |
2. | AIF | Alternative Investment Fund |
3. | AMC | Asset Management Company |
4. | API | Application Programming Interface |
5. | ASVS | Application Security Verification Standard |
6. | AUC | Asset Under Custody |
7. | AUM | Asset Under Management |
8. | BAS | Breach and Attack Simulation |
9. | BASL | BSE Administration and Supervision Limited |
10. | BOLT | BSE’s on-line Trading System |
11. | BSE | Bombay Stock Exchange |
12. | BYOD | Bring Your Own Device |
13. | C&C | Command and Control |
14. | CART | Continuous Automated Red Teaming |
15. | CCI | Cyber Capability Index |
16. | CCMP | Cyber Crisis Management Plan |
17. | CEH | Certified Ethical Hacker |
18. | CEO | Chief Executive Officer |
19. | CERT-In | Indian Computer Emergency Response Team |
20. | CII | Critical Information Infrastructure |
21. | CIO | Chief Information Officer |
22. | CIS | Center for Internet Security |
23. | CISM | Certified Information Security Manager |
24. | CISO | Chief Information Security Officer |
25. | COTS | Commercial Off The Shelf |
26. | CSCRF | Cybersecurity and Cyber Resilience Framework |
27. | CSIRT-Fin | Computer Security Incident Response Team – Finance sector |
28. | CSK | Cyber Swachhta Kendra |
29. | CSP | Cloud Service Provider |
30. | CTCL | Computer to Computer Link |
31. | CTI | Cyber Threat Intelligence |
32. | CTO | Chief Technology Officer |
33. | CVE | Common Vulnerabilities and Exposures |
34. | CWE | Common Weakness Enumeration |
35. | DB | Database |
36. | DC | Domain Controller |
37. | DDoS | Distributed Denial-of-Service |
38. | DEV | Development |
39. | DKIM | DomainKeys Identified Mail |
40. | DLP | Data Loss Prevention |
41. | DMARC | Domain-based Message Authentication, Reporting and Conformance |
42. | DNS | Domain Name System |
43. | DR | Disaster Recovery |
44. | EDR | Endpoint Detection and Response |
45. | EPP | Endpoint Protection Platforms |
46. | EPSS | Exploit Prediction Scoring System |
47. | FDE | Full-disk Encryption |
48. | FPO | Follow-on Public Offer |
49. | FSB | Financial Stability Board |
50. | HPSC-CS | High Powered Steering Committee on Cyber Security |
51. | GoI | Government of India |
52. | IaaS | Infrastructure as a Service |
53. | IBT | Internet Based Trading |
54. | IDS | Intrusion Detection System |
55. | IOAs | Indicators of Attack |
56. | IOCs | Indicators of Compromise |
57. | IOSCO | International Organization of Securities Commissions |
58. | IP | Internet Protocol |
59. | IPO | Initial Public Offer |
60. | IPS | Intrusion Prevention System |
61. | IS | Information Security |
62. | ISACA | Information Systems Audit and Control Association |
63. | ISMS | Information Security Management System |
64. | ISO | International Organization for Standardization |
65. | IT | Information Technology |
66. | KRA | KYC (Know Your Client) Registration Agency |
67. | MASVS | Mobile Application Security Verification Standard |
68. | MD | Managing Director |
69. | MeitY | Ministry of Electronics and Information Technology |
70. | MFA | Multi-Factor Authentication |
71. | MII | Market Infrastructure Institution |
72. | MTTC | Mean Time to Contain |
73. | MTTD | Mean Time to Detect |
74. | MTTR | Mean Time to Respond |
75. | NCIIPC | National Critical Information Infrastructure Protection Centre |
76. | NDR | Near Disaster Recovery |
77. | NEAT | National Exchange for Automated Trading |
78. | NIST | National Institute of Standards and Technology |
79. | NSE | National Stock Exchange |
80. | OS | Operating System |
81. | OT | Operational Technology |
82. | OTP | One Time Password |
83. | OWASP | Open Web Application Security Project |
84. | PaaS | Platform as a Service |
85. | PDC | Primary Data Centre |
86. | PII | Personally Identifiable Information |
87. | PIM | Privileged Identity Management |
88. | POLP | Principle of Least Privilege |
89. | PQC | Post Quantum Cryptography |
90. | QA | Quality Assurance |
91. | QKD | Quantum Key Distribution |
92. | QRTA | Qualified Registrar to an Issue and Share Transfer Agent |
93. | RAT | Remote Access Trojan |
94. | RBA | Risk Based Authentication |
95. | RBI | Reserve Bank of India |
96. | RCA | Root Cause Analysis |
97. | RDP | Remote Desktop Protocol |
98. | RE | Regulated Entity[1] |
99. | RPO | Recovery Point Objective |
100. | RTO | Recovery Time Objective |
101. | SaaS | Software as a Service |
102. | SANS | SysAdmin, Audit, Network and Security |
103. | SBOM | Software Bill of Materials |
104. | SCOT | Standing Committee on Technology |
105. | SIEM | Security Information and Event Management |
106. | SIT | System Integration Test |
107. | SLA | Service Level Agreement |
108. | SMB | Server Message Block |
109. | SME | Small and Medium Enterprises |
110. | SOAR | Security Orchestration, Automation, and Response |
111. | SOC | Security Operations Centre |
112. | SOP | Standard Operating Procedure |
113. | SPF | Sender Policy Framework |
114. | SSDLC | Secure Software Development Life Cycle |
115. | SSVC | Stakeholder-Specific Vulnerability Categorization |
116. | STQC | Standardisation Testing and Quality Certification |
117. | TLP | Traffic Light Protocol |
118. | UAT | User Acceptance Test |
119. | UCC | Unique Client Code |
120. | UEBA | User and Entity Behavior Analytics |
121. | URL | Uniform Resource Locator |
122. | VAPT | Vulnerability Assessment & Penetration Testing |
123. | VBA | Visual Basic for Applications |
124. | VPN | Virtual Private Network |
125. | WAF | Web Application Firewall |
126. | XDR | Extended Detection and Response |
[1] Entities within SEBI’s purview, refer to Securities Contracts (Regulation) Act 1956, SEBI Act 1992, and Depositories Act 1996.
Definitions
1. CIA triad:
a. Confidentiality: Property that information is neither made available nor disclosed to unauthorised individuals, entities, processes or systems.
b. Integrity: Property of accuracy and completeness.
c. Availability: Property of being accessible and usable on demand by an authorised entity.
2. Critical Systems –
Entities shall identify and classify their critical IT systems. Following systems shall be included in critical systems (both on premise and cloud):
a. Any system which, if compromised, will have an adverse impact on core and critical business operations.
b. Stores/ transmits data as per regulatory requirements.
c. Devices/ network through which critical systems are connected (through trusted channels).
d. Internet facing applications/ systems.
e. Client facing application/ systems.
f. All the ancillary systems used for accessing/ communicating with critical systems either for operations or for maintenance.
3. Cyber Capability Index (CCI) –
CCI is an index applicable for MIIs and Qualified REs which is calculated based on certain parameters as specified in this framework. The purpose of CCI is to ascertain the cyber resilience capabilities of MIIs and Qualified REs and their maturity in terms of implementation of cybersecurity measures.
4. Cyber Event –
Any observable occurrence in an information system. Cyber events sometimes provide indication that a cybersecurity incident is occurring. – FSB Cyber Lexicon
5. Cyber Resilience –
The ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing, and rapidly recovering from cyber incidents. – FSB Cyber Lexicon
6. Cyber Threat –
A circumstance with the potential to exploit one or more vulnerabilities that adversely affects cybersecurity. – FSB Cyber Lexicon
7. Cybersecurity Incident (Incident)–
Any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes in data, information without authorisation. – CERT-In Cybersecurity Directions
8. Hosted Service –
Any IT/ SaaS provider rendering IT services/ SaaS solutions hosted on IT infrastructure either owned or controlled and managed by the service provider shall be broadly construed as hosted services. Hosted services have to fulfil the following technical specifications:
1. Data center that hosts IT services/ SaaS solutions shall be ANSI/ TIA-942 rated-4 standard certified or equivalent (e.g. Tier 4) with complete fault tolerance and redundancy for every component.
2. IT infrastructure shall be at least of a standard equivalent to the MeitY Empanelment of Cloud Service offerings of Cloud Service Providers (CSPs) and audited by a STQC empanelled cloud audit organisation or an equivalent established international agency.
3. Summary of VAPT reports shall be made available to the REs and to the SEBI on demand.
4. If the data center is operated from outside the legal boundaries of India, then a copy of REs’ data in human/ application readable form shall be maintained within the legal boundaries of India.
5. Hosted service provider shall ensure that there is no “Kill Switch” available in the Application, which would remotely disable the functioning of the solution.
6. There shall be an explicit and unambiguous delineation/ demarcation of responsibilities with respect to all activities (including but not limited to technical, managerial, governance related, etc.) of the hosted services between the RE and Hosted service provider. The aforementioned delineation of responsibilities shall be added explicitly in the agreement (as an annexure) signed between the RE and the CSP. For details refer to “Framework for adoption of cloud services for SEBI Regulated Entities”.
9. ISO 27001 certification –
ISO 27001 certification is a globally recognized standard for Information Security Management Systems (ISMS) published by the International Organization for Standardization (ISO). It helps organizations become risk-aware, proactively identify and address weaknesses, and promote a holistic approach to information security.
10. IT and Cybersecurity Data
IT and Cybersecurity Data includes the following data (but not limited to):
a. Logs and metadata related to IT systems and their operations. However, such data should not contain the following:
i. Any Regulatory Data, and
ii. Sensitive data such as internal network architecture, vulnerability details, details of admin/ privileged users of REs, password hashes, system configuration, etc.
b. Further, it should not be ordinarily possible to generate Regulatory Data from IT and Cybersecurity Data.
11. Major Change/ Major Release
CSCRF has mandated VAPT after every major release. The following changes (including but not limited to) are broadly considered as major release(s) or major change(s):
a. Implementation of a new SEBI circular.
b. Changes in core versions of software (e.g., .net, SQL, Oracle, Java, etc.)
c. Any changes in policy of login and/ or password management.
d. Significant system modifications that alter how data is exchanged with stock exchanges (e.g., file format changes, message protocol changes, etc.).
e. Introduction of new security protocols (e.g., switching from SSL to TLS 1.3).
f. Expansion into new financial markets (e.g., adding currency trading).
g. Implementation of new processes/ schema changes.
12. Market Infrastructure Institutions (MIIs) –
Stock Exchanges, Depositories and Clearing Corporations or any other institutions as specified by SEBI are collectively referred to as Market Infrastructure Institutions (MIIs). For applicability and inclusion of REs as MIIs, refer to section 2 (“Thresholds for REs’ categorization”) of CSCRF.
Box Item 1: REs under MIIs category for compliance with CSCRF
In the context of CSCRF, following REs are constituted as MIIs:
1. Stock Exchanges
2. Depositories
3. Clearing Corporations
4. KRAs
5. QRTAs
All the circulars issued by SEBI on cybersecurity for MIIs shall be uniformly applicable to all the above REs.
13. Principle of Least Privilege (PoLP) –
Principle of Least Privilege (PoLP) is an information security concept which maintains that a user or entity shall only have access to the specific data, resources and applications needed to complete its required task.
14. Red team exercise –
An exercise, reflecting real-world conditions that is conducted as a simulated adversarial attempt to compromise organizational missions or business processes and to provide a comprehensive assessment of the security capabilities of an organization and its systems.
15. Regulated Entity (RE) –
The term ‘Regulated Entity’ refers to SEBI registered/ recognised intermediaries (for example stock brokers, mutual funds, KYC Registration Agencies, QRTAs, etc.) and Market Infrastructure Institutions (Stock Exchanges, Depositories and Clearing Corporations) regulated by SEBI.
16. Regulatory Data –
Regulatory Data includes the following (but not limited to):
a. Data related to core and critical activities of the RE, as well as any supporting/ ancillary data impacting core and critical activities.
b. Data w.r.t. communication between investors and REs through applications (e.g., chat communication, messages, emails, etc.).
c. Data that is required by the laws/ regulations/ circulars, etc. issued by SEBI and Govt. of India from time to time.
d. Data that is deemed necessary or sensitive by the RE/ SEBI/ central or state government.
e. The Regulatory Data shall be stored in an easily accessible, legible and usable form, within the legal boundaries of India. However, for the investors whose country of incorporation is outside India, the REs shall keep the data available and easily accessible, in legible and usable form, within the legal boundaries of India. Further, if the copy retained within India is not in readable format, the REs must maintain an application/ system to read/ analyse the saved data.
17. Risk –
As defined by OWASP, Risk = Likelihood × Impact; where Likelihood = Threat × Vulnerabilities. Likelihood is a measure of how likely a vulnerability is to be discovered and exploited by an attacker. Impact is the magnitude of harm that can be expected as a result of the consequences of threat exploitation.
18. Risk-based Authentication (RBA) –
Risk-based authentication is a non-static authentication mechanism that takes into account the profile of the agent requesting access to the system to determine the risk profile associated with that transaction. It checks and applies varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in it being compromised.
19. Root Cause Analysis (RCA) –
A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.
20. Secure Software Development Life Cycle (SSDLC) –
Secure Software Development Life Cycle (SSDLC) involves integrating security testing at every stage of software development, from design, to development, to deployment and beyond.
21. Software Bill of Materials (SBOM) –
A formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product.
22. Trusted Channels –
A protected communication link established between the cryptographic module and a sender or receiver (including another cryptographic module) to securely communicate and verify the validity of plaintext CSPs, keys, authentication data, and other sensitive data. It is also called a secure channel.
1. Introduction
Technology adoption by SEBI Regulated Entities (REs) has increased manifold in recent years. With the fast pace of technological developments in the securities market, maintaining robust cybersecurity and cyber resilience to protect the operations of REs from cyber-risks and cyber incidents has become necessary. SEBI has issued cybersecurity and cyber resilience frameworks for various REs since 2015. After taking into consideration the latest trends and evolving standards, the Cybersecurity and Cyber Resilience Framework (CSCRF) has been formulated to consolidate and strengthen the prevention, preparedness, and response capabilities against cyber-risks and cyber incidents.
1.1. CSCRF is based on five cyber resiliency goals namely Anticipate, Withstand, Contain, Recover, and Evolve.
i. ANTICIPATE – Maintain a state of informed preparedness in order to forestall compromises of mission/ business functions from adversary attacks.
ii. WITHSTAND – Continue essential mission/business functions despite successful execution of an attack by an adversary.
iii. CONTAIN – Localize containment of crisis and isolate trusted systems from untrusted systems to continue essential business operations in the event of cyber-attacks.
iv. RECOVER – Restore mission/ business functions to the maximum extent possible, subsequent to successful execution of an attack by an adversary.
v. EVOLVE – To change mission/ business functions and/or the supporting cyber capabilities, so as to minimize adverse impacts from actual or predicted adversary attacks.
The cyber resiliency goals have been mapped to cybersecurity functions in CSCRF. The framework is broadly based on two approaches: cybersecurity and cyber resilience. Cybersecurity approach covers various aspects from governance to operational controls (including Identify, Detect, Protect, Respond, and Recover) and the cyber resilience goals include Anticipate, Withstand, Contain, Recover, and Evolve.
2. Thresholds for REs’ categorization
The applicability of various standards and guidelines of CSCRF is based on different categories of REs. CSCRF follows a graded approach and classifies REs in the following five broad categories:
i. Market Infrastructure Institutions (MIIs)
ii. Qualified REs
iii. Mid-size REs
iv. Small-size REs
v. Self-certification REs
The category of REs shall be decided at the beginning of the financial year based on the data of the previous financial year. Once the category of RE is decided, RE shall remain in the same category throughout the financial year irrespective of any changes in the parameters during the financial year. The category shall be validated by the respective reporting authority at the time of compliance submission. Further, the criteria given and their thresholds for different categories will continue to be updated as and when required.
Entity-wise categorization and corresponding thresholds shall be as follows:
1. Alternative Investment Fund (AIF)
Table 3: Criteria and thresholds for AIFs categorization
Sr. No. | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
1 | AUM | Less than Rs.100 crores | Rs. 100 crores and above but less than Rs. 500 crores | Rs. 500 crores and above but less than Rs. 1000 crores | Rs. 1000 crores and above |
2. Banker to an Issue and Self-Certified Syndicate Banks (SCSBs)
Banker to Issue and Self-Certified Syndicate Banks shall submit a certificate of compliance with CSCRF to SEBI on the cybersecurity guidelines issued by RBI. Wherever the bank is a listed entity, the above-mentioned certificate of compliance shall also be intimated to Stock Exchanges.
3. Client-based and Proprietary stock brokers
Table 4: Criteria and thresholds for Client-based and proprietary stock brokers’ categorization
Sr. No. | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs[1] |
1 | Active Client-base as per UCC | Less than or equal to 10,000 active clients and not providing IBT or Algo trading facility | More than 10,000 and up to 50,000 | More than 50,000 and up to 5,00,000 | More than 5,00,000 |
 | | | Less than or equal to 10,000 active clients and providing IBT facility/ Algo trading facility | | |
[1] As per SEBI circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/24 dated February 06, 2023, enhanced obligations and responsibilities have been cast upon Qualified Stock Brokers (QSBs), defined based on their size of operations, trading volumes, amount of client funds handled by them, etc. Hence, such QSBs shall be categorized as Qualified REs.
4. Collective Investment Scheme (CIS)
CIS shall be under Self-certification REs category.
5. Credit Rating Agency (CRA)
CRAs shall be under Self-certification REs category.
6. Custodians
Table 5: Criteria and thresholds for Custodians categorization
Sr. No. | Criteria | Small-size REs | Mid-size REs | Qualified REs |
1 | AUC | Less than Rs. 1 Lakh crores | Rs. 1 Lakh crores and above but less than Rs. 10 Lakh crores | Rs. 10 Lakh crores and above |
7. Debenture Trustee (DT)
DTs which have not added any new issuer of listed debt security as client in the last three financial years shall be excluded from submission of compliance with CSCRF. Remaining DTs shall be under the Self-certification REs category.
8. Depository Participants (DPs)
Table 6: Criteria and thresholds for DPs categorization
Sr. No. | Criteria | Small-size REs | Mid-size REs | Qualified REs |
1 | Type of DP | N.A. | Non-institutional DP | Institutional DP |
9. Designated Depository Participants (DDPs)
To get approval as a DDP, an entity, inter alia, is required to have valid SEBI registration as a Depository Participant (DP) as well as a Custodian. Therefore, categorization of highest category among DPs and Custodians shall be applicable to DDPs for submission of compliance with CSCRF.
10. Foreign Portfolio Investors (FPIs)
FPIs shall be excluded from submission of compliance with CSCRF.
11. Foreign Venture Capital Investors (FVCI)
FVCI shall be excluded from submission of compliance with CSCRF.
12. Investment Advisors (IAs)/ Research Analysts (RAs)
a. Investment Advisors (IAs)
Individual IAs | Non-individual IAs |
Individual IAs shall be excluded from submission of compliance with CSCRF. | Non-individual IAs shall be categorized as Small-size REs. |
b. Research Analysts (RAs)
Table 8: Criteria and thresholds for RAs categorization
All RAs who are not registered in other category of REs | Institutional RAs who are registered in other category of REs |
All RAs who are not registered in other categories of REs shall be excluded from submission of compliance with CSCRF. However, SEBI SaaS circular titled “Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions” dated November 03, 2020 is applicable to RAs, under which a declaration shall be submitted in respect of SaaS for managing their governance, risk compliance functions, and to improve their cybersecurity posture. | Institutional RAs who are registered with SEBI in other category of REs shall be classified as Qualified REs/ Mid-size REs/ Small-size REs based on their categorization in their respective other REs/ group entity category. |
13. KYC Registration Agencies (KRAs)
KRAs shall be treated at par with MIIs category for the applicability of the CSCRF.
14. Limited Purpose Clearing Corporation (LPCC)
LPCC shall be excluded from submission of compliance with CSCRF.
15. Merchant Bankers (MBs)
Table 9: Criteria and thresholds for MBs categorization
Sr. No. | Merchant Banker | Category for CSCRF |
1 | An entity or its parent/ subsidiary/ associate company which is a part of a conglomerate/ Systemically Important Financial Institutions | Qualified REs |
2 | MBs which are engaged in any activity pertaining to issue management inter alia Public Issues (IPOs, FPOs, IPOs by SME), Public Offers by REITs/InvITs, Buy-Back of Securities, Delisting of Equity Shares, Open Offer under SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 2011 | Mid-size REs |
3 | All other MBs which are not covered in clause 1 & 2 of this table above. | Small-size REs |
16. Mutual Funds (MFs)/ Asset Management Companies (AMCs)
Table 10: Criteria and thresholds for MFs/ AMCs categorization
Sr. No. | Criteria | Small-size REs | Mid-size REs | Qualified REs |
1 | AUM | Less than Rs. 10,000 crores | Rs. 10,000 crores and above but less than Rs. 1 lakh crore | Rs. 1 lakh crores and above |
17. Portfolio Managers
Table 11: Criteria and thresholds for Portfolio Managers categorization
Sr. No. | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
1 | AUM | Less than Rs. 1000 crores | Rs. 1000 crores and above but less than Rs. 3000 crores | Rs. 3000 crores and above | N.A. |
18. Qualified Depository Participants (QDPs)
QDPs shall be excluded from CSCRF compliance.
19. Real Estate Investment Trust (REIT)/ Infrastructure Investment Trust (InvIT)
REITs/ InvITs shall be excluded from submission of compliance with CSCRF.
20. Registrar to an Issue and Share Transfer Agents (RTA)
Table 12: Criteria and thresholds for RTA categorization
Sr. No. | Criteria | Small-size REs | Mid-size REs | Qualified REs | MIIs |
1 | Servicing number of folios | 10,000 and above but less than 1 crore | 1 crore and above but less than 2 crore | N.A. | QRTAs |
a. RTAs servicing less than 10,000 folios shall be excluded from submission of compliance with CSCRF.
21. Vault Managers
Vault Managers shall be excluded from submission of compliance with CSCRF.
22. Venture Capital Funds (VCFs) –
Table 13: Criteria and thresholds for VCFs categorization
Sr. No. | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
1 | Sum of corpus of all schemes of the VCF | Less than Rs. 100 crores | Rs. 100 crores and above but less than Rs. 500 crores | Rs. 500 crores and above but less than Rs. 1000 crores | Rs. 1000 crores and above |
In case an RE is registered under more than one category of REs, then the provision of highest category under which such an RE falls shall be applicable to that RE.
3. IT Committee for REs
3.1. In order to address various technology related issues of REs, SEBI has issued circulars for composition of technical committees for MIIs, and MFs/ AMCs summarized as below:
Table 14: SEBI circular for REs and composition of their technical committees
4. CSCRF Compliance, Audit Report Submission, and Timelines:
This section provides details regarding submission of compliance with the CSCRF including ISO audit, VAPT, Cyber audit, etc. and the corresponding applicable timelines.
4.1. Compliance with the Standards/ Guidelines
Unless specified otherwise, the compliance reporting for CSCRF shall be done by the REs to their respective authority(ies) as per the existing mechanism; for example, MIIs shall submit the compliance with CSCRF to SEBI, stock brokers shall submit the compliance with CSCRF to stock exchanges, depository participants shall submit the compliance with CSCRF to depositories, etc. Further, the compliance with the applicable standards and mandatory guidelines mentioned in CSCRF shall be as follows:
Table 15: Applicability and periodicity of standards mentioned in CSCRF
Sr. No. | Standard/ Guidelines and Clause | Applicability | Periodicity |
1. | Cyber resilience third-party assessment using CCI (GV.OV.S4) | MIIs | Half-yearly |
 | Cyber resilience self-assessment using CCI (GV.OV.S4) | Qualified REs | Annually |
2. | Submission of CCI self-assessment evidence by MIIs and Qualified REs (GV.OV.S4) | MIIs and Qualified REs | Within 15 days of completion of CCI assessment (based on the applicability defined above in point 1 and 2) |
3. | REs Cybersecurity and cyber resilience policy review (GV.PO.S2) | All REs | Annually |
4. | REs Cybersecurity risk management policy (GV.PO.S4) | All REs | Annually |
5. | IT Committee for REs meeting periodicity (Guidelines for GV.PO – Guideline 9) | All REs except small-size and self-certification REs | Quarterly |
6. | REs’ risk assessment (threat-based) (ID.RA.S2) | MIIs | Half-yearly |
 | | Qualified, Mid-size REs | Annually |
7. | User access rights, delegated access and unused tokens review (PR.AA.S5) | MIIs and Qualified REs | Quarterly |
 | | Other REs | Half-yearly |
8. | Review of privileged users’ activities (PR.AA.S11) | MIIs and Qualified REs | Quarterly |
 | | Other REs | Half-yearly |
9. | Cybersecurity training program (PR.AT.S1) | All REs | Annually |
10. | Review of RE’s systems managed by third-party service providers (GV.SC.S4) | MIIs and Qualified REs | Half-yearly |
 | | Other REs | Annually |
11. | Functional Efficacy of SOC (DE.CM.S1 – Guideline 4) | MIIs and Qualified REs | Half-yearly |
 | | Other REs who are utilizing third-party managed SOC or Market SOC services | Annually |
12. | Red Teaming exercise (DE.DP.S4) | MIIs and Qualified REs | Half-yearly |
13. | Threat hunting (DE.DP.S5) | MIIs and Qualified REs | Quarterly |
14. | Cybersecurity scenario-based drill exercise for testing adequacy and effectiveness of recovery plan (RC.RP.S3) | MIIs and Qualified REs | Half-yearly |
 | | Other REs | Annually |
15. | Periodic review and update of contingency plan and continuity of operations plan (COOP) (RS.MA.S3) | MIIs and Qualified REs | Half-yearly |
 | | Mid-size and small-size REs | Annually |
16. | Evaluation of cyber resilience posture (EV.ST.S5) | Mid-size and Small-size REs | Annually |
Note: During cyber audit, auditors shall also validate the adherence to the above-mentioned periodicities.
4.2. ISO Audit and Certification
4.2.1. It is mandated (as per standard PR.IP.S16) that MIIs and Qualified REs shall obtain ISO 27001 (latest version) certification. Accordingly, all MIIs and Qualified REs shall obtain ISO 27001 within 1 year of issuance of CSCRF. The evidence of certification shall be submitted along with the cyber audit report to the authority(ies) as given below:
Table 16: Reporting authority for ISO certification evidence submission