India's market regulator, SEBI, has issued a new Cybersecurity and Cyber Resilience Framework (CSCRF) to further strengthen security among regulated entities in response to rising cyber threats. The framework mandates that all its regulated entities build state-of-the-art Security Operation Centres (SOCs) for continuous monitoring of security events and timely identification of anomalies.
Elements of the framework:
Cyber Capability Index (CCI): SEBI will introduce the Cyber Capability Index (CCI) for market infrastructure institutions and other eligible entities. The CCI will assess and monitor cybersecurity maturity and resilience to ensure that organizations meet the required standards over time.
Security Monitoring and SOCs: Regulated entities must have appropriate security monitoring mechanisms in place through SOCs. These SOCs can be their own, group-based, market-based, or third-party managed. The goal is to ensure continuous monitoring and rapid response to any suspicious activity.
Support for Small Entities: Recognizing that this would be a somewhat difficult ask for smaller entities, SEBI has stated that the National Stock Exchange and the Bombay Stock Exchange will create market Security Operation Centres under a public-private partnership model to help them. These will provide actionable cybersecurity solutions, giving smaller players the opportunity to achieve cyber resilience despite their limitations.
Phased Implementation: The CSCRF will be enforced in phases. The first set of entities is expected to become compliant by January 1, 2025, and the second set by April 1, 2025. This allows organizations to adjust gradually to the new requirements.
Cybersecurity Audits: After the deadlines, the entities shall carry out cybersecurity audits based on the requirements provided under the CSCRF. The audit reports shall then be submitted to the authorities concerned within the established timelines in order to remain in compliance.
Replaces the Preceding Guidelines: The CSCRF will supersede all previous cybersecurity guidelines issued by SEBI. It is an integrated framework with detailed provisions for IT services, SaaS solutions, hosted services, data classification, and audits of software solutions used by regulated entities.
This underlines the evolving requirement for cybersecurity in the financial sector, especially now that digital transactions are at an all-time high. Essential Infosec is at the forefront, fully prepared to help organizations comply with these new standards and build a resilient cybersecurity framework.