SEBI Introduces New Cybersecurity and Cyber Resilience Framework for REs

The Securities and Exchange Board of India (SEBI) has released a comprehensive circular detailing the new Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs). This framework will replace the existing SEBI cybersecurity circulars, guidelines, and advisories.

The primary goal of the CSCRF is to address the evolving landscape of cyber threats, align with industry standards, facilitate efficient audits, and ensure compliance by SEBI-regulated entities. The framework establishes standardized reporting formats for REs, enabling streamlined compliance and oversight, SEBI stated.

The CSCRF is based on international standards and incorporates five key cyber resiliency goals: anticipate, withstand, contain, recover, and evolve. These goals are adapted from the Cyber Crisis Management Plan (CCMP) developed by the Indian Computer Emergency Response Team (CERT-In), aiming to combat cyber-attacks and cyber terrorism. The framework outlines a structured approach to implementing various cybersecurity and cyber resilience measures to enhance understanding and compliance.

The CSCRF follows a graded approach, classifying REs into five categories based on their operations and thresholds, such as the number of clients, trading volumes, and assets under management. The categories are:

1. Market Infrastructure Institutions (MIIs)

2. Qualified REs

3. Mid-size REs

4. Small-size REs

5. Self-certification REs

This classification ensures that even smaller entities are equipped with adequate cybersecurity measures to achieve resilience against cyber incidents and attacks.

To further bolster cybersecurity efforts, the CSCRF introduces the Cyber Capability Index (CCI) for MIIs and Qualified REs. This index will enable these entities to monitor and assess their cybersecurity progress and resilience on a periodic basis, fostering a culture of continuous improvement in their cybersecurity posture.