Sebi comes out with new cyber security framework for regulated entities, ET CISO
Markets watchdog Sebi on Tuesday issued a new cybersecurity framework under which all regulated entities are required to have appropriate security monitoring mechanisms in place; the new norms will be implemented in a graded manner starting from January 2025. In addition, a Cyber Capability Index (CCI) for market infrastructure institutions and qualified regulated entities will be introduced to monitor and assess their cybersecurity maturity and resilience on a regular basis.
The Cybersecurity and Cyber Resilience Framework (CSCRF), formulated after consultations with stakeholders, comes at a time of rising cyber attacks.
The framework will supersede the existing cybersecurity circulars and guidelines for the entities regulated by Sebi, according to a circular.
For small regulated entities, Sebi said that stock exchanges NSE and BSE will establish market Security Operation Centres (SOCs) to assist them in meeting the requirements under the new framework.
These SOCs will provide cybersecurity solutions tailored to the needs of small entities, so that they can achieve cyber resilience despite limited resources, the regulator said.
All regulated entities are to establish appropriate security monitoring mechanisms through a SOC.
A regulated entity may be onboarded to its own or group SOC, to a market SOC, or to any other third-party managed SOC, for continuous monitoring of security events and timely detection of anomalous activities, as per the circular.
The framework will be implemented along a glide path in two phases: one set of entities has to ensure compliance by January 1, 2025, and another set by April 1, 2025.
After these deadlines, the entities are expected to conduct cybersecurity audits as per the CSCRF and submit reports to the appropriate authorities within the stipulated timelines.
“CSCRF contains provisions with respect to various areas such as requirements of IT services, Software as a Service (SaaS) solutions, hosted services, classification of data, audit for software solutions/applications/products used by regulated entities etc,” the circular said.