SEBI Introduces New Cybersecurity Framework for Regulated Entities
The Securities and Exchange Board of India (SEBI) has unveiled a comprehensive cybersecurity framework aimed at enhancing the security posture of regulated entities. Set to be implemented in a phased manner starting January 2025, the new norms require all regulated entities to establish robust security monitoring mechanisms.
A key feature of the framework is the introduction of a Cyber Capability Index (CCI), designed to regularly assess and monitor the cybersecurity maturity and resilience of market infrastructure institutions and select regulated entities. The framework, named the Cybersecurity and Cyber Resilience Framework (CSCRF), was developed in response to the increasing frequency of cyberattacks, following extensive consultations with stakeholders.
This new framework will replace existing cybersecurity guidelines, consolidating SEBI’s approach to cybersecurity across the entities it regulates. For smaller regulated entities, SEBI has directed the NSE and BSE to establish market Security Operation Centres (SOCs) that will provide tailored cybersecurity solutions, helping these entities achieve cyber resilience despite limited resources.
Entities will have the option to fulfill their security monitoring obligations through their own SOC, a group SOC, a market SOC, or a third-party managed SOC. The implementation of the framework will be divided into two phases, with the first group of entities required to comply by January 1, 2025, and the second by April 1, 2025.
Following these deadlines, entities will be required to conduct cybersecurity audits in line with the CSCRF and submit reports to the relevant authorities within specified timelines. The CSCRF outlines requirements across various areas, including IT services, SaaS solutions, data classification, and software audits, to ensure a comprehensive approach to cybersecurity.