SEBI issues new cybersecurity framework



India's securities regulator, the Securities and Exchange Board of India (SEBI), has announced the release of a new cybersecurity framework for all regulated entities. Under the newly introduced framework, SEBI requires all regulated entities to adopt security monitoring processes, with the norms set to be implemented gradually starting in January 2025.

In addition, a Cyber Capability Index (CCI) is set to be issued for market infrastructure institutions and qualified regulated entities to monitor and assess their cybersecurity maturity and resilience.

SEBI’s plans for mitigating cyber attacks

The decision to release the Cybersecurity and Cyber Resilience Framework (CSCRF), which was developed following consultation with stakeholders, can be attributed to the current environment in India, where cyber attacks are increasing and making the overall financial landscape vulnerable. The newly issued framework is also set to replace the existing cybersecurity circulars and guidelines for the entities regulated by SEBI.

For small regulated entities, the authority underlined that stock exchanges NSE and BSE intend to set up market Security Operation Centres (SOCs) to support them in meeting the requirements imposed by the new framework. These SOCs are set to offer cybersecurity solutions customised to the needs of small entities, with the aim of ensuring that they achieve cyber resilience regardless of resources. All regulated entities also need to establish suitable security monitoring mechanisms via SOCs. SEBI underlined that SOC onboarding can be done through a regulated entity’s own SOC, the market SOC, or any other third-party managed SOC, for continuous monitoring of security events and timely detection of anomalous activity. Additionally, SEBI aims to implement the framework in two phases, with the first one focusing on entities ensuring compliance by January 2025 and the second one by April 2025.

After these deadlines, regulated entities are expected to undergo cybersecurity audits against the CSCRF and submit reports to the authorities within the stipulated timelines.


Aug 23, 2024 14:06