Saturday, October 12, 2024

SEBI’s 2024 Cybersecurity Framework Updates

Since 2015, the Securities and Exchange Board of India (SEBI) has been developing cybersecurity frameworks for the Indian securities market, focusing on market intermediaries such as stock brokers, depositories, mutual funds, and portfolio managers.

Cyber attacks on SEBI and other financial organizations in the sector have kept increasing. In 2022, SEBI filed an FIR over a cybersecurity incident affecting its email system; recognizing the need for more secure systems, it later strengthened its security configurations and tightened monitoring of its detection and prevention systems.

To deal with advancing cyber threats, SEBI began planning a new framework to extend its cybersecurity regulations in February 2024.

Going forward, every fintech organization needs to follow SEBI’s rules. Failing to comply with their cybersecurity framework could lead to heavy fines and penalties, making it crucial to stay on top of these requirements.

So, let's explore the new updates, how they can impact your business, and how you can comply with them with the help of cybersecurity experts.

Key Takeaways (What to Expect)

  • Requirement for a Cyber Security Operations Center (C-SOC)
  • Mandatory Regular Vulnerability Assessments
  • Implementation of Multi-Factor Authentication (MFA)
  • Detailed Incident Response Plans

SEBI’s Cybersecurity Framework Overview

SEBI has expanded the existing Cybersecurity and Cyber Resilience Framework (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113) to cover all regulated entities (REs). The new framework gives businesses a structured way to respond to cyber risks, threats, and incidents.

SEBI developed the CSCRF in collaboration with various stakeholders, including Market Infrastructure Institutions (MIIs), REs, industry associations, and government bodies such as CERT-In. The framework was approved by SEBI's High Powered Steering Committee on Cybersecurity (HPSC-CS).

The CSCRF offers a consistent approach to cybersecurity and resilience, following global standards like ISO 27000, CIS Controls Version 8, and NIST SP 800-53. This ensures that all SEBI-regulated entities have a strong and complete cybersecurity system in place.

The framework consists of four parts:

  • Objectives and Standards – This section details the goals for each security measure and the essential rules for compliance.
  • Guidelines – This section offers actions to meet the standards, including mandatory requirements.
  • Compliance Formats – This section gives templates to make compliance reporting easier.
  • Annexures and References – This section provides additional resources and references to help with the framework.

All regulated entities must adhere to the applicable standards and mandatory guidelines in the CSCRF.

The Key Updates: Ultimate Goal of the CSCRF

The CSCRF focuses on two main areas: cybersecurity and cyber resilience. Here’s what each goal means.

Cybersecurity Framework

Cyber Resilience: Anticipate | Governance

  • Regulated entities (REs) must set up clear roles and responsibilities for managing cybersecurity risks.
  • They must create and enforce a cybersecurity policy approved by their Board or leaders.
  • MIIs, Qualified REs, and mid-sized REs should develop a framework for managing cyber risks, including regular assessments.
  • MIIs must have third-party evaluations of their cyber resilience every six months. Qualified REs should self-assess annually.
  • REs are responsible for the security of third-party services and must comply with SEBI and government regulations.

Cyber Resilience: Anticipate | Identify

  • REs must identify and classify critical systems based on their importance and sensitivity.
  • They need to conduct regular risk assessments of their IT environment, including potential future risks.
  • They should analyze threats, vulnerabilities, and impacts to prioritize their response.

Cyber Resilience: Anticipate | Protect

  • REs must document and apply policies for authentication and access and for log collection and retention.
  • They should use network segmentation to protect sensitive information and systems.
  • Full-Disk Encryption (FDE) and File-Based Encryption (FE) should be used to protect data.
  • Development and testing should occur in separate environments for critical systems.
  • Regular audits by CERT-In empanelled auditors are required to ensure compliance.
  • Conduct Vulnerability Assessment and Penetration Testing (VAPT) to find weaknesses.
  • Security solutions for APIs and endpoints should include rate limiting and proper authentication.
  • MIIs and Qualified REs must have ISO 27001 certification for their Information Security Management System (ISMS).

Cyber Resilience: Anticipate | Detect

  • REs must set up a Security Operations Centre (SOC) for continuous monitoring and detection of security issues.
  • The Bombay Stock Exchange (BSE) and National Stock Exchange (NSE) must establish a Market SOC.
  • Small REs and self-certified REs must join the Market SOC.
  • MIIs and Qualified REs should assess their SOC’s performance every six months. Other REs need annual assessments.
  • BSE and NSE must report their SOC performance to SEBI.
  • MIIs and Qualified REs must also perform red teaming exercises.

Cyber Resilience: Withstand & Contain | Respond

  • Report all cybersecurity incidents to SEBI immediately.
  • REs must have a detailed Incident Response Management plan and Standard Operating Procedures (SOPs).
  • They need to maintain an up-to-date Cyber Crisis Management Plan (CCMP).
  • After an incident, conduct a Root Cause Analysis (RCA) to find out what went wrong.
  • If RCA is inconclusive, perform a forensic analysis for a thorough investigation.

Cyber Resilience: Recover

  • Develop and document a recovery plan for cybersecurity incidents.
  • Activate the plan quickly to restore systems.
  • Follow the recovery steps outlined in the CSCRF.
  • Keep stakeholders informed about recovery actions.

Cyber Resilience: Evolve

  • Continuously update controls to address new vulnerabilities and reduce attack surfaces.
  • Report compliance with CSCRF requirements using standardized formats.
  • Existing RE categories must comply by January 1, 2025. New RE categories must comply by April 1, 2025.
  • Use provided checklists and guidelines for consistent auditing practices.

These new additions will help organizations withstand advancing cyber threats. In this era, strong cybersecurity alone is not enough; organizations must also build cyber resilience to make their systems future-proof.

The Need of the Hour: CSCRF

The main goal of the Cybersecurity and Cyber Resilience Framework (CSCRF) is to boost cybersecurity for entities regulated by SEBI. Here’s how it works:

  1. Handle Changing Cyber Threats: Cyber threats keep changing as technology advances. The CSCRF helps SEBI-regulated entities stay ahead of these threats and handle them effectively.
  2. Match Global Standards: The CSCRF uses best practices from around the world. This helps Indian entities meet global standards and improve their cybersecurity.
  3. Simplify Auditing: The CSCRF provides clear guidelines. This makes it easier for entities to check their own compliance and manage risks.
  4. Ensure Strong Compliance: The framework sets specific rules for SEBI-regulated entities. This promotes accountability and transparency and protects data and operations from threats.

How Can IEMLabs Help Businesses Comply with SEBI’s New Regulations?

Understanding and complying with the new SEBI regulations is challenging, but IEMLabs helps you quickly set up and implement a cybersecurity strategy. Our cybersecurity experts will evaluate your business and offer tailored solutions to address the toughest cybersecurity challenges.

From vulnerability assessment to implementing multi-factor authentication, we cover it all. We help businesses conduct continuous monitoring and eliminate potential threats by adhering to industry-leading standards, including the updated SEBI Cybersecurity Framework and its guidelines.

By collaborating with our experts, you can improve your cybersecurity posture, meet compliance standards by adhering to the new guidelines, and future-proof your business against advancing cyber threats.

FAQs

What is the new SEBI cybersecurity framework? 

The new SEBI cybersecurity framework is a guide that helps organizations strengthen their defenses against attackers. It provides a clear plan for managing cybersecurity risks.

What are the 3 parts of the new SEBI cybersecurity framework? 

The new framework has three main parts: Core, Implementation Tiers, and Profiles.

What are the key requirements of SEBI Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113? 

This SEBI Circular requires Market Infrastructure Institutions (MIIs) and regulated entities (REs) to improve their cybersecurity. They must set up a Cyber Security Operations Center (C-SOC), perform regular vulnerability assessments, use multi-factor authentication, and maintain a strong incident response plan.
