[By Anoushka Das, Dhaval Bothra & Arya Vansh Kamrah]
The authors are students of SLS Pune.
Introduction
The Securities and Exchange Board of India (SEBI) has recently released its circular dated August 20, 2024, detailing a Cybersecurity and Cyber Resilience Framework (CSCRF) for its Regulated Entities (REs) in light of the rapid increase in technological developments in the securities market. The integration of technology into the securities market is a double-edged sword: while it brings efficiency and innovation, it simultaneously exposes market participants to cyber risks and cyber incidents, including data breaches, ransomware attacks, and fraudulent activities. SEBI, after due consultation with the stakeholders, has prudently formulated a framework via its circular to meet its six cybersecurity goals for combating cybercrime, i.e., governance, identification, protection, detection, response, and evolution. SEBI has outlined a robust scheme designed to safeguard stakeholders from the complex and evolving cybersecurity threats facing the securities market.
Key Highlights of the Framework
Under this framework, SEBI has categorized the REs into five categories based on the extent of operations, trade volume, number of clients, etc. In pursuance of SEBI’s focus on cybersecurity and cyber resilience, the market regulator has framed the following guidelines in accordance with its cybersecurity functions:
- Governance: SEBI has mandated that all REs continuously allocate and communicate clear roles and responsibilities related to cybersecurity risk management. Additionally, it has introduced the Cyber Capability Index (CCI) as a tool to assess and monitor the cybersecurity progress of Market Infrastructure Institutions (MIIs) and Qualified REs.
- Identification: REs are mandated to identify and classify critical systems according to their operational importance and sensitivity. This includes periodic IT risk assessments and prioritizing responses based on current threats and vulnerabilities.
- Protection: REs must ensure that a robust authentication and access policy is in place, with due log collection and documentation. Moreover, SEBI has enumerated a list of guidelines, including audits, vulnerability assessment and penetration testing, and security solutions, that must be implemented.
- Detection: The REs are mandated to institute a Security Operations Centre (SOC), either internally or via third parties, and to ensure that its functional efficacy is measured on a half-yearly or yearly basis, depending on the category to which the RE belongs.
- Response: The REs must compulsorily formulate a Cyber Crisis Management Plan (CCMP), and in the event of any incident, a Root Cause Analysis (RCA) must be conducted.
- Recovery: SEBI in its circular has provided an indicative recovery plan based on which REs must document a comprehensive plan for response and recovery from cyberattacks.
- Evolution: SEBI has mandated that the REs must formulate “adaptive and evolving” controls to tackle vulnerabilities. The circular takes cognizance of the ever-evolving nature of technology and its role in the securities market and undertakes to evolve with the changing times by making updates to the circular as and when the need arises. This forward-looking approach leaves enough room for the framework to evolve while making a sufficient attempt at tackling the pre-existing problems.
Implementation of the CSCRF
SEBI has phased the implementation of CSCRF compliance based on the categories in which the REs fall. The implementation date for the six categories of REs that already have circulars in place is January 1, 2025, while for REs to which the CSCRF measures are being extended for the first time, the implementation date is April 1, 2025. The market regulator has considered the challenges that first-time compliance imposes on these newly covered entities and has allowed a relaxed timeline to accommodate these difficulties.
A robust monitoring mechanism further underscores the efficacy of the framework. The CSCRF has divided the compliance reporting between two authorities. For Stock Brokers and Depository Participants classified as Qualified REs, the reporting authority will be the relevant stock exchange or depository. For MIIs and the remaining Qualified REs, SEBI will serve as the reporting authority. While the CSCRF does not spell out the obligations of REs in case of non-compliance with the implementation dates, SEBI has the power under the SEBI Act, 1992, to impose penalties on REs that fail to comply with its directives and frameworks.
Analysing the Impact of the Framework
The REs are now burdened with the additional responsibility of adhering to the cybersecurity measures outlined in the circular. On one hand, the compliance requirements and strengthened governance structures may bolster investor confidence in the securities market. Complying with the CSCRF framework can help the REs align with international cybersecurity standards and enhance their reputation and credibility in the global market. The rigorous standards may drive innovation in cybersecurity technology and solutions as REs look for efficient methods to fulfil compliance without compromising productivity.
However, on the other hand, the framework is likely to compel the REs to overhaul their internal systems, procedures and infrastructure to meet the new cybersecurity standards. The additional list of compliances would result in significant expenses for the REs. Smaller REs could face considerable challenges in complying with the CSCRF standards. This may further lead to a competitive disadvantage and an increased dependency on larger institutions for cybersecurity and cyber resilience support. Moreover, the lack of regulation regarding external SOCs leads to a regulatory gap and creates uncertainty with respect to the obligations of REs that opt for third-party SOCs, in case of non-compliance with CSCRF standards.
The circular is a progressive step in addressing the cybersecurity issues prevalent in the market. However, the effectiveness of the circular can only be adjudged upon observing the cooperation of the REs and the diligent monitoring of market players against the established standards once implementation begins.
Recommendations
The CSCRF aims to ensure uniformity of cybersecurity guidelines for all REs. However, the framework may not fully address the unique challenges faced by different categories, potentially leading to compliance issues and security gaps. For example, while the CSCRF’s cybersecurity controls are crucial for market safety, they are resource-intensive, especially for smaller REs, which may struggle with the significant investments in time, money, and personnel required to implement these measures, such as ISO 27005. This strain could hinder their ability to meet compliance obligations, increasing the risk of security vulnerabilities. Conversely, Market Infrastructure Institutions (MIIs), with their central role and complex systems, require even more advanced measures, such as sophisticated threat detection, detailed incident response plans, and robust third-party risk management.
Additionally, SEBI needs to address ambiguity over liability in the case of a third-party SOC. Many smaller REs might opt for third-party SOCs to monitor, detect, and respond to cybersecurity threats, as building in-house SOCs could be financially and operationally burdensome. While outsourcing to third-party SOCs offers these entities access to advanced cybersecurity tools and expertise, it introduces a grey area around accountability and liability. For example, if a data breach occurs because the third-party SOC failed to detect or respond in time, is the third-party vendor held accountable, or does the responsibility fall back entirely on the RE? The absence of clear guidelines about how liability is shared between REs and their third-party SOC vendors could lead to significant legal and operational uncertainties. REs may be left vulnerable to penalties, reputational damage, and financial losses if there is a lack of clarity on accountability. This ambiguity could also deter smaller entities from adopting third-party SOC services due to the fear of being held responsible for failures outside their control, potentially limiting the adoption of effective cybersecurity measures. Without addressing these distinct needs, the framework may fall short of its intended goals.
By tailoring these guidelines, SEBI can ensure that the framework is both effective and practical for all REs, regardless of their size or complexity. For example, the CSCRF’s mandate for the NSE and BSE to establish Market Security Operations Centers (M-SOCs) by January 1, 2025, is a positive move. These M-SOCs are intended to offer cybersecurity solutions to smaller REs that might not have the resources to create their own SOCs. This initiative highlights how customized guidelines can address the specific needs and limitations of different RE categories, ultimately making the CSCRF more effective for all players in the financial sector.
Therefore, SEBI could categorize REs based on their size, operational complexity, and risk exposure, and then tailor the cybersecurity requirements accordingly. This could be similar to the approach of the United States of America’s Federal Financial Institutions Examination Council (FFIEC), which allows for a more proportional application of cybersecurity measures.
Potential Tiered Approach
- Tier 1 (High-Risk): This category would encompass larger REs with extensive operations, significant market impact, and critical infrastructure. These entities would be required to adhere to the full spectrum of CSCRF controls, including advanced threat detection systems, comprehensive risk management frameworks, and robust incident response mechanisms. Given their pivotal role in the financial ecosystem, these REs must meet the highest standards of cybersecurity to mitigate risks that could have far-reaching consequences.
- Tier 2 (Medium-Risk): Medium-sized REs, which have moderate operational complexity and a substantial but not critical market presence, would be required to implement a focused subset of the CSCRF controls. The emphasis would be on the most critical areas, such as essential data protection measures, baseline security controls, and regular vulnerability assessments. This approach balances the need for robust security with the resources available to these REs, ensuring that they can maintain security without being overwhelmed by compliance requirements.
- Tier 3 (Low-Risk): Smaller REs with limited operations and a lower risk profile would fall into this category. These entities would be subject to a simplified set of compliance requirements, concentrating on foundational cybersecurity practices such as basic access controls, employee training, and essential incident reporting. This lighter compliance load would help these REs manage their cybersecurity obligations without diverting excessive resources from their core business activities.
The tiered approach would provide a more dynamic and risk-based framework for categorizing REs and determining their compliance requirements, compared to the existing 6-category scheme. This would allow SEBI to ensure that the CSCRF remains effective and practical for all REs, regardless of their size or complexity.
Conclusion
SEBI’s CSCRF represents a significant step forward in safeguarding India’s securities market from cyber threats. While it aims to enhance protection across various REs, the framework’s standard requirements could be challenging during implementation. Looking forward, a tiered approach based on the size and risk profile of each RE could improve the framework’s practicality and effectiveness. As the cybersecurity landscape continues to evolve, ongoing adjustments and refinements will be essential to ensure that the CSCRF remains adaptable and adequately addresses the needs of all market participants.