As threats in the digital platforms are advancing, it is very important for organisations to secure their network and data. To this effect, SEBI has realised this necessity and developed an enhanced Cybersecurity and Cyber Resilience Framework (CSCRF) for Market Infrastructure Institutions (MIIs) in 2024. It is also important to note that this framework is intended to strengthen the cybersecurity safeguard measures of entities regulated by the SEBI and be ready to meet new challenges.
This blog will discuss the main concepts of SEBI’s 2024 Cybersecurity Framework which will be presented with comprehensible definitions, useful tips, and basic information that each MII should be aware of. Whether you’re responsible for compliance or simply interested in the latest cybersecurity trends, this guide will help you navigate the complexities of the new framework.
1. Understanding the 2024 SEBI Cybersecurity Framework:
The new framework is expected to improve the cybersecurity and stability of MIIs by establishing strict standards and procedures. It requires the creation of a Cyber Security Operation Center (C-SOC), annual penetration tests, multi-factor authentication (MFAs), and other crucial countermeasures against cyber threats.
The framework is built on two core principles: cybersecurity and cyber resilience. While cybersecurity focuses on protecting systems from attacks, cyber resilience emphasises the ability to withstand and recover from such incidents.
2. Core Objectives of the CSCRF:
SEBI’s framework has several overarching goals:
- Anticipate Threats: MIIs must proactively identify and assess potential cybersecurity risks. This includes conducting regular risk assessments and scenario-based testing to evaluate both internal and external threats.
- Withstand and Contain: In the event of a cybersecurity incident, MIIs should have robust incident response and containment strategies to minimise the impact.
- Recover Quickly: The framework emphasises the importance of rapid recovery from cyber incidents. MIIs are required to have a comprehensive recovery plan to restore systems and operations swiftly.
- Evolve Continuously: Cyber threats are ever-changing, and so should be the defences. The framework encourages MIIs to continuously update and evolve their cybersecurity strategies to stay ahead of potential risks.
3. Key Components of SEBI’s 2024 Framework:
The framework is divided into four key components:
- Objectives and Standards: This section defines the purpose that each of the security controls needs to meet in order to be compliant with the framework.
- Guidelines: Here, SEBI provides recommended measures and mandatory requirements for adhering to the standards. They include all aspects of management, from governance and risk management to technical controls such as network segmentation and encryption.
- Structured Formats for Compliance: To streamline the compliance process, SEBI has introduced standardised reporting formats. This assists MIIs to be more consistent and accurate in their compliance processes hence protecting and enhancing the integrity of the market.
- Annexures and References: Additional materials and references are provided to support the framework, offering further clarity on implementation.
4. The Importance of a Cyber Security Operation Center (C-SOC):
Among all the requirements outlined in the 2024 framework, one cannot fail to notice the provision of C-SOC or the Cyber Security Operation Center. This facility is important to continuously scrutinise events and have the capability to identify abnormalities easily. MIIs can establish its own SOC, join the group SOC or outsource services from a third party.
Smaller entities are required to on-board onto a Market SOC. BSE and NSE have to establish Market SOCs that are supposed to give regular reports on the performance of these systems to SEBI.
5. Vulnerability Assessments and Penetration Testing (VAPT):
Regular Vulnerability Assessments and Penetration Testing (VAPT) are essential components of the CSCRF. These tests help identify vulnerabilities across critical systems, allowing MIIs to address weaknesses before they can be exploited.
SEBI mandates that MIIs conduct VAPT in collaboration with CERT-In empaneled auditors. The results of these assessments must be used to improve cybersecurity measures continuously.
6. Incident Response and Cyber Crisis Management Plan (CCMP):
In the unfortunate event of a cyber attack, having a well-defined Incident Response Plan (IRP) is critical. The 2024 framework requires MIIs to develop and maintain a Cyber Crisis Management Plan (CCMP) that includes root cause analysis, forensic investigations, and timely incident reporting.
All incidents must be reported through the SEBI incident reporting portal, ensuring transparency and accountability. This structured approach not only helps contain the damage but also prevents future incidents by addressing underlying vulnerabilities.
7. The Path to Compliance: Deadlines and Requirements:
It is very important to point out that the requirement of compliance with the CSCRF relates to all entities that fall under the regulatory power of SEBI. Current categories of REs are also required to implement it to its effectiveness by the 1st of January 2025 while other categories should implement it by the 1st of April 2025.
SEBI has also given a transition path to ensure ease of compliance which includes a detailed compliance check-list and guidelines for auditors. These tools are aimed at assisting the compliance process and guaranteeing all the parties remain at safe levels of cybersecurity.
How 2bInnovations Can Help You Navigate SEBI’s Framework:
At 2bSecurity, we understand the complexities of SEBI’s 2024 Cybersecurity Framework and are here to assist MIIs in achieving compliance. Our expert team offers comprehensive support in performing thorough vulnerability assessments, setting up C-SOCs, and implementing multi-factor authentication measures.
We sustain the vigilance of security incidents, timely reporting of occurrences and compliance to SEBI’s new guidelines. With this collaboration, you have the opportunity to increase the effectiveness of your protection measures, strengthen your infrastructure against new threats, and maintain a competitive edge in the modern world.
Conclusion
SEBI’s Cybersecurity and Cyber Resilience Framework for 2024 is a welcome development towards enhancing the cybersecurity of the financial ecosystem in India. Through understanding and following the above framework, MIIs can avoid a lapse in operations, secure and protect sensitive data, and prevent business disruption due to new and emerging cyber threats.
This is especially important given this rapidly evolving seascape of advertising. We at 2bSecurity are here to make it easy for you to sail through this. Feel free to get in touch with us to know how our team can help you with your cybersecurity needs.