Beginning in January, investment and financial firms that fall under the Securities and Exchange Board of India (SEBI) will face some of the most comprehensive cybersecurity regulations on the planet.
SEBI’s 205-page Cybersecurity and Cyber Resilience Framework (CSCRF) for Regulated Entities (REs) was published in August and will take effect on Jan. 1, 2025 for organizations that are already under existing SEBI cybersecurity circulars, and April 1, 2025 for those that will be covered by CSCRF for the first time.
The document is a well thought-out blueprint for strong cybersecurity – and requires investment firms, asset managers and other REs to adopt stringent controls and practices that culminate in in-depth auditing and reporting requirements.
Also read: Mandatory Dark Web Monitoring for Indian Companies: SEBI Bolsters Cybersecurity Measures
From Broad Goals and Functions to Specific Practices
The framework is based on the five cyber resiliency goals adopted from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In): Anticipate, Withstand, Contain, Recover, and Evolve.
Those broad goals are linked to six cybersecurity functions: Governance, Identify, Protect, Detect, Respond, and Recover. By focusing on both prevention and resilience, the framework mandates that organizations should not only secure their infrastructure but also ensure swift recovery from potential cyber incidents.
The Anticipate function within SEBI’s framework emphasizes the need for “informed preparedness,” effectively positioning CTI as a vital tool. By providing real-time insights into threat actors, tactics, and trends, CTI allows organizations to proactively address emerging risks.
SEBI mandates that organizations conduct regular risk assessments, threat monitoring, and vulnerability scans, aligning with the intelligence-driven approach recommended for REs to maintain a state of continuous vigilance
From there, the framework gets very in-depth and specific, and most organizations will need help meet the guidelines.
For example, in the area of threat intelligence, the standards require investment organizations to implement dark web monitoring for brand intelligence and customer protection, including takedown services and monitoring for data and credential leaks, and processes for managing and incorporating vulnerability and threat alerts and advisories through Cyber Threat Intelligence Platforms (see image below).
CERT-In and the National Critical Information Infrastructure Protection Centre (NCIIPC) promise some support, but REs may need the services of an AI-powered comprehensive threat intelligence vendor like Cyble to fully meet the requirements.
CSCRF Requirements
The CSCRF document outlines in-depth goals for each area before launching even deeper into specifics.
After conducting ongoing risk assessments to identify critical systems, the area of Protection, for example, includes eight broad cybersecurity controls that the document addresses in-depth later on. These include:
- Authentication and access policy, along with log collection and a documented retention policy
- Network segmentation techniques to restrict access to sensitive information, hosts, and services
- Layering of Full-disk Encryption (FDE) along with File-based Encryption (FE) for data protection
- Separate production and non-production environments for the development of all software/ applications for critical systems and feature enhancements
- Periodic audits by a CERT-In empaneled IS auditing organization assess implementation and compliance
- Vulnerability Assessment and Penetration Testing (VAPT) to detect vulnerabilities in the IT environment for all critical systems, infrastructure components and other IT systems, based on a comprehensive VAPT scope
- Application Programming Interface (API) security and Endpoint security solutions “shall be implemented with rate limiting, throttling, and proper authentication and authorisation mechanisms”
- Mandatory ISO 27001 certification for Market Infrastructure Institutions (MIIs) and Qualified Res
Other Critical Requirements in SEBI’s Framework: Why CTI is Key
- Governance and Risk Management: SEBI’s guidelines require each RE to maintain a Cybersecurity and Cyber Resilience policy approved by senior management. As cyber threat landscapes evolve, CTI informs these policies by providing insight into sector-specific threats, aiding in more accurate risk evaluation and priority setting.
- Continuous Monitoring and Detection: The framework underscores the importance of Security Operations Centers (SOC) and continuous monitoring. By incorporating CTI feeds into SOC workflows, organizations gain insights into active threats and are better positioned to detect anomalies and respond swiftly. SEBI also mandates periodic red teaming exercises, which benefit significantly from CTI data to simulate real-world attack scenarios accurately(2024-0118-Policy-SEBI_C…).
- Incident Response and Recovery: SEBI’s emphasis on a comprehensive Incident Response Management plan highlights CTI’s role in responding to and recovering from attacks. With intelligence on threat actors and their techniques, organizations can develop proactive response strategies, minimizing the impact of incidents and ensuring rapid recovery.
Benefits of Integrating CTI for SEBI-Regulated Entities
- Enhanced Threat Awareness: Regular updates on global threat trends enable organizations to anticipate and mitigate cyber risks more effectively.
- Operational Efficiency: By prioritizing threats based on CTI insights, teams can focus on high-risk issues, optimizing resource allocation.
- Improved Compliance: Integrating CTI helps meet SEBI’s compliance requirements, particularly in areas like real-time threat detection, reporting, and auditing.
Reporting, Response and Beyond
The reporting requirements alone may be a challenge for some – see a sample VAPT report below:
The framework is meant to be an ongoing, adaptive process. The document states that response should always be followed by further evolution of security controls:
“Adaptive and evolving controls to tackle identified vulnerabilities and to reduce attack surfaces shall be created and incorporated into the RE’s cybersecurity and cyber resilience strategy.”
Closing Notes and Recommendations
In the wake of SEBI’s updated CSCRF, CTI has become essential for security teams across India’s financial sector. By proactively aligning security operations with SEBI’s guidelines and leveraging CTI for informed threat response, organizations can achieve both compliance and resilience. In a landscape where threats are growing more sophisticated and frequent, CTI offers the intelligence edge necessary to defend against emerging risks, ensuring robust protection for critical financial infrastructure.
CSCRF won’t be easy for some organizations to implement, but the end result could be a secure securities industry that’s the envy of the world. And to further help financial institutions gain this edge CTI platforms like Cyble can be a game changer.
