The Securities and Exchange Board of India (Sebi) on Tuesday proposed a consolidated framework for cybersecurity, laying down a common structure for various regulated entities like stock exchanges, brokers, asset management companies and portfolio managers, among others.
In a consultation paper titled Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF), the markets regulator said that the new framework would supersede nearly 15 circulars issued separately for various segments since 2015.
Sebi noted that the new consolidated framework is based on five concurrent and continuous functions of cybersecurity: identify, protect, detect, respond, and recover.
Under the proposed framework, Market Infrastructure Institutions (MIIs) like stock exchanges and depository participants will be required to conduct a cyber-audit twice a year while all other regulated entities will have to do it once each year. The watchdog also laid down timelines for other levels of assessment and review of cyber resilience.
The draft guidelines specify baseline cybersecurity measures applicable to all entities, supplementary measures applicable only to specified entities, and a set of additional guidelines for MIIs.
The regulator noted that it had also developed a cyber capability index (CCI) to rate the preparedness and resilience of the cybersecurity framework of the MIIs.
The proposed norms also set a standard for compliance by these entities with regard to identification of vulnerabilities, cyber threats, cloud assets, etc. These standards will also have to be followed by third-party service providers and outsourcing staff.
“With these technological developments in the securities market, maintaining robust cybersecurity and cyber resilience to protect the organisations operating in the securities market from cyber-risks/incidents has become indispensable,” Sebi noted in the paper.
The regulator has invited comments on the proposal by July 25.