On August 20th, 2024, through a circular, the Securities and Exchange Board of India (SEBI) issued a new Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities, replacing earlier circulars and guidelines for regulated entities. The framework was developed with the objective of tackling evolving cyber threats, aligning with industry standards, promoting effective audits, and fostering compliance among regulated entities.
Scope and Applicability
The CSCRF applies to a wide range of SEBI regulated entities including Alternative Investment Funds, Bankers to an Issue, Self-Certified Syndicate Banks, Clearing Corporations, Credit Rating Agencies, Custodians, Debenture Trustees, Depositories, Investment Advisors, Mutual Funds, Asset Management Companies, etc.
The CSCRF classifies regulated entities based on specific thresholds including span of operations, trade volume and number of clients into the following five categories:
- Market Infrastructure Institutions (MII)
- Qualified Regulated Entities
- Mid-size Regulated Entities
- Small-size Regulated Entities
- Self-Certification Regulated Entities
This categorisation of a regulated entity shall be decided based on the specified threshold at the beginning of the financial year on the basis of data from the previous financial year.
Implementation Timeline
According to the CSCRF, the implementation timeline for the adoption of the new standards and controls is as follows:
- For RE categories where cybersecurity circulars already exist: by January 1st, 2025.
- For REs receiving the CSCRF for the first time: by April 1st, 2025.
Some Key Provisions
- Cyber Resilience & Governance: Regulated Entities, especially MIIs, Qualified Regulated Entities and Mid-size Regulated Entities, must establish a comprehensive cybersecurity policy approved by their Board or Partners and implement a cyber risk management framework. MIIs and Qualified Regulated Entities must conduct Cyber Capability Index (CCI) assessments. The cyber resilience framework is built around five key goals, namely anticipate, withstand, contain, recover and evolve.
- Identification of Risks: Regulated Entities are required to classify critical systems, conduct periodic risk assessments, and prioritize risk responses based on threats and vulnerabilities.
- Protection Measures: The framework mandates policies for authentication, network segmentation, data encryption, separation of production and non-production environments, periodic audits, Vulnerability Assessment and Penetration Testing (VAPT), and API and endpoint security. ISO 27001 certification is mandatory for MIIs and Qualified Regulated Entities.
- Detection Mechanisms: The NSE and BSE must set up Security Operation Centres (SOCs) for continuous security monitoring. All Regulated Entities are expected to establish security monitoring mechanisms through SOCs.
- Incident Response: Regulated Entities must establish incident response plans, report incidents to SEBI, and conduct Root Cause Analysis (RCA) or forensic investigations as needed.
- Recovery & Adaptation: Regulated Entities must have a recovery plan for cybersecurity incidents and continually evolve their cybersecurity strategies based on identified vulnerabilities.
- Compliance & Auditing: Regulated Entities must report compliance in standardized formats.
Conclusion
In conclusion, SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) provides a comprehensive roadmap for regulated entities to enhance their cybersecurity posture, ensuring preparedness against evolving cyber threats. By mandating governance, risk identification, protective measures, continuous monitoring, incident response, and recovery protocols, the CSCRF strengthens the overall cyber resilience and security systems. With phased implementation timelines, SEBI aims to ensure uniform adoption and compliance across all categories of regulated entities.
News of the Week
1. Game Freak Confirms Major Data Leak
On 10th October 2024, Game Freak, the developer behind Pokémon, confirmed a data breach that occurred in August, after stolen data surfaced online. Dubbed “TeraLeak”, the breach compromised the names and email addresses of over 2,600 employees and partners. Although it is widely speculated that the leak also included game-related files or upcoming projects, the company’s statement did not confirm this. Game Freak has apologized, is notifying those affected, and is enhancing its security measures.
2. Internet Archive Suffers Major Data Breach and DDoS Attack
The Internet Archive experienced a significant data breach, exposing the personal information of 31 million users, including email addresses and encrypted passwords. The breach was attributed to an exploited JavaScript library and an account using the name “SN_BlackMeta”. The attack also included a DDoS, temporarily taking the platform offline. The Internet Archive is now back online in a read-only state as it strengthens its security against future attacks.
3. Cisco Investigates Potential Data Breach
Renowned hacking group IntelBroker, along with EnergyWeaponUser and zjj, allegedly breached Cisco in June 2024, stealing confidential developer data. The compromised information reportedly includes source code, credentials, certificates, and customer data, with screenshots shared as proof on a hacker forum. Cisco is investigating the breach, which mirrors previous attacks on major companies like AMD, Apple, and T-Mobile, likely through third-party service vulnerabilities.
https://www.ndtvprofit.com/technology/cisco-data-up-for-sale-on-breachforums-company-investigating
4. Singapore’s Guidelines on Securing AI Systems Released by CSA
On October 15, 2024, Singapore’s Cyber Security Agency (CSA) released Guidelines and a Companion Guide on securing AI systems throughout their lifecycle. The guidelines emphasize AI security by design and by default, addressing risks like supply chain attacks, unauthorized access, and adversarial methods. They provide recommendations on AI system planning, development, deployment, operation, and end-of-life, with practical controls for securing AI inputs, preventing attacks, and monitoring system behaviour.
5. EU Council Adopts Cyber Resilience Act
The EU Council on 10th October 2024 adopted the Cyber Resilience Act, establishing comprehensive cybersecurity requirements for hardware and software products, including IoT devices like smart home cameras, fridges, and TVs. The regulation mandates EU-wide compliance via the CE marking, ensuring products meet stringent security standards throughout their lifecycle. It applies to all network-connected devices, with exceptions for sectors like medical devices and cars. Consumers will benefit from clearer cybersecurity information when choosing digital products. The regulation will take full effect 36 months after its publication, with certain provisions applying earlier.