
Understanding the Cyber Security and Cyber Resilience Framework for SEBI Intermediaries

Cyber Security and Cyber Resilience Framework

November 10, 2024


The Cyber Security & Cyber Resilience Framework, effective from January 1, 2025, is designed to ensure that intermediaries, such as brokers, investment advisors, custodians, and other entities, are compliant with cybersecurity regulations and secure in their operations. The framework supersedes older guidelines and ensures a comprehensive approach to cybersecurity, focusing on governance, risk management, and continuous improvement. It applies to various types of intermediaries, categorized by their size (qualified, mid, or small) and operational nature (e.g., brokers, depositories), with specific guidelines tailored to each category.


Key Components of the Framework:


  1. Categorization of Intermediaries:

    Intermediaries are categorized based on size and operations, determining which standards and guidelines are applicable. Qualified, mid-sized, and small intermediaries are required to follow different sets of rules, with exemptions for smaller entities in some areas.

Here is the process for determining the size of an entity.

Is it a DP?
  |
  |-- Yes --> Institutional DP     --> Qualified REs
  |       |-> Non-Institutional DP --> Mid-size REs
  |
  |-- No --> Categorize based on number of clients:
              |-- more than 50,000 --> Qualified REs
              |-- 50,000 to 5,000  --> Mid-size REs
              |-- 10,000 to 50,000 --> Small-size REs
              |-- Less than 10,000 --> Algo/IBT?
                                        |-- Yes --> Small-size REs
                                        |-- No  --> Self-Certified REs


  2. IT Committee & Governance:

    All intermediaries must establish an IT Committee, which includes at least one external expert on cybersecurity. This committee will oversee the organization’s adherence to cybersecurity standards and best practices. Standard Operating Procedures (SOPs) will guide IT operations to maintain consistency and security.


  3. Cybersecurity Standards:

    Seven core principles guide the implementation of cybersecurity standards: governance, identification, protection, detection, response, recovery, and ongoing evolution. Specific sub-standards for each category will provide detailed guidance for compliance.


  4. Framework Review:

    The Cyber Security & Cyber Resilience Framework is a comprehensive review of earlier policies, effective from August 2024. It replaces previous circulars and aims to be future-proof by continuously evolving.


  5. Cybersecurity Audit:

    Annual cybersecurity audits are mandatory for mid and small entities, with self-declarations allowed for smaller intermediaries. Audits must be performed by certified vendors, and the results should be submitted to relevant authorities.


  6. Employee Training & Awareness:

    Cybersecurity training is mandatory for employees, with annual reviews of the training program. Regular awareness programs for customers are also required to ensure that all stakeholders are informed about the latest security threats and practices.


  7. Data Protection & Security:

    Intermediaries must implement strong data protection and security practices, including inventory tracking and encryption for critical systems. Access policies for remote operations and Privileged Identity Management (PIM) are required to safeguard sensitive data.


  8. Incident Reporting & Response:

    In case of a cyber incident, entities must report to regulators within 24 hours and provide detailed incident information within 6 months. Regular reporting to exchanges, depositories, and regulators is also mandatory to ensure transparency.


  9. Compliance & Designated Officer:

    Each entity must appoint a designated cybersecurity officer responsible for ensuring compliance with the framework. Regular reviews of the cybersecurity framework and risk management policies must be conducted, and senior management must approve all policies and procedures.


  10. Best Practices & Testing:

    Mid and qualified entities must implement best practices from ISO standards and other relevant frameworks, including scenario-based testing. All entities must continuously update contingency plans and cybersecurity playbooks to prepare for potential incidents.


  11. Security Infrastructure:

    Intermediaries must establish a Security Operations Center (SOC) to monitor and respond to security events. Physical security measures (e.g., water, temperature and smoke detection) and log management for critical systems must also be in place. Third-party vendor agreements should include cybersecurity clauses so that external vendors are held to the same security standards.


  12. Password Policy & PIM Implementation:

    A robust password policy will be enforced, including Privileged Identity Management (PIM) to control access to sensitive systems. All credentials must be stored using strong hashing algorithms to ensure security.
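The framework requires credentials to be stored using strong hashing but does not prescribe an implementation. The following is an added example, not code from the page or from the SEBI circular, showing one way to meet that requirement with Python's standard library: a per-credential random salt, the memory-hard scrypt key-derivation function, a constant-time comparison on verification, and a check that flags records hashed under an older, weaker work factor so they can be re-hashed at next login. The record format (`scrypt$N$r$p$salt$hash`) and the parameter values are assumptions of this example.

```python
"""Added example: salted, memory-hard credential storage with scrypt.

Not part of the SEBI circular or the summary above. The record layout
and the work-factor values below are assumptions chosen for this example.
"""
import hashlib
import hmac
import secrets

# Assumed policy parameters; raise them as hardware improves.
SCRYPT_N = 2 ** 14   # CPU/memory cost, must be a power of two (16 MiB at r=8)
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
DKLEN = 32           # derived-key length in bytes
SALT_BYTES = 16      # per-credential random salt


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.

    The parameters are stored beside the hash so that verification keeps
    working for old records after the policy's work factor is raised.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                        dklen=DKLEN)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time.

    Malformed or foreign records verify as False rather than raising, so a
    corrupted row cannot turn into an authentication bypass or a crash.
    """
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                        dklen=len(expected))
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                 p: int = SCRYPT_P) -> bool:
    """True if the record uses a different scheme or weaker parameters than policy."""
    try:
        scheme, rn, rr, rp, _salt, _hash = record.split("$")
    except ValueError:
        return True  # legacy or unparseable record: replace it
    if scheme != "scrypt":
        return True
    return int(rn) < n or int(rr) < r or int(rp) < p


def login(password: str, record: str) -> tuple:
    """Typical login flow: verify, then upgrade the stored record if it is stale.

    Returns (authenticated, record_to_store). The caller persists the second
    element; it equals the input record unless a rehash was needed.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    stored = hash_password("correct horse battery staple", n=2 ** 10)
    ok, updated = login("correct horse battery staple", stored)
    print("authenticated:", ok, "| record upgraded:", updated != stored)
    print("wrong password accepted:", verify_password("wrong", stored))
```

Keeping the parameters inside the record is what makes a later policy change safe: raising `SCRYPT_N` does not invalidate any existing credential, and `login` quietly upgrades each record the next time its owner authenticates.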


  13. Patch & Capacity Management:

    Regular patch management will be implemented to ensure systems are secure from vulnerabilities. Capacity management practices will ensure that IT resources meet the organization's demands, optimizing performance and minimizing the risk of failures.


  14. Physical & Endpoint Security:

    Physical security controls, including monitoring of water, temperature, and smoke, will be enforced. To protect against cyber threats, Intrusion Prevention Systems (IPS) or Next-Generation IPS (NG IPS) will be deployed across endpoints, providing an additional layer of defense.


  15. Root Cause Analysis & Recovery Time Objectives (RTO):

    After any major incident, a Root Cause Analysis will be conducted to determine the cause and improve systems. Clear Recovery Time Objectives (RTO) will be set for critical systems to minimize downtime in the event of a disaster or system failure.


Disclaimer: This summary is provided for informational purposes only. For full details, please refer to the SEBI Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024. This circular contains all the relevant guidelines, including the seven core standards (GV - Governance, ID - Identify, PR - Protect, DE - Detect, RS - Respond, RC - Recover, EV - Evolve), and specifies that 46 standards are not applicable to self-certified and small REs, and 9 standards are not applicable to mid-sized REs.
