IND SEBI Cybersecurity Framework


On Jul. 4, IND SEBI consulted on cyber resilience framework.


  • IND SEBI consulted on consolidated cybersecurity and cyber resilience framework (CSCRF) for regulated entities, which supersedes previous circulars on cybersecurity.
  • Follows previous relevant circulars #34920, #139227, #168072, #66262 and #51729.
  • Also follows other previous relevant circulars #139940, #50137 as well as #138400.
  • Framework
      • Provides a common structure for multiple approaches to prevent cyber-risks/incidents.
      • Applies to (specified) regulated entities (REs), market infrastructure institutions (MIIs).
      • Based on 5 concurrent functions, including identify, protect, detect, respond, recover.
      • REs shall identify critical assets; formulate a cybersecurity and cyber resilience policy.
      • Implement strong log retention policy, password policy, access policy; use layering of full-disk encryption (FDE) with file-based encryption (FE) for data protection.
      • Vulnerability assessment and penetration testing (VAPT) to detect vulnerabilities.
      • Establish appropriate security mechanism for continuous monitoring of security events.
      • REs shall also formulate an up-to-date cyber crisis management plan (CCMP).
      • Comprehensive response and recovery plan shall be documented and be triggered for the timely restoration of systems affected by the cyber incident; inform related parties.
  • Effectiveness
      • Consultation is open for comments, which should be submitted by Jul. 25, 2023.
  • Jul. 21, 2023 Deadline Extension
      • On Jul. 21, 2023, IND SEBI extended the comment period deadline for the consultation paper on consolidated cybersecurity and cyber resilience framework to Aug. 4, 2023.
      • Comments must be submitted in the specified format either via email or by post.
  • Aug. 2024 Finalized Circular
      • On Aug. 20, 2024, IND SEBI finalized circular introducing CSCRF for regulated entities.
      • This framework supersedes existing SEBI cybersecurity circulars, guidelines, advisories and letters, the list of which is given as part of the framework attached as annexure-1.
      • A glide-path for adoption of the framework will be provided; for six categories of REs where cybersecurity and cyber resilience circular already exists, by Jan. 1, 2025.
      • For other REs where CSCRF is being issued for the first time, by Apr. 1, 2025.

Regulators IND SEBI
Entity Types B/D; Bank; IA; Inv Co
Reference Cir SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, 8/20/2024; PR 7/21/2023; CP, 7/4/2023
Functions Audit; BCS; Compliance; Cyber; Financial; Legal; Operations; Reporting; Risk; Technology
Countries India
Category
State
Products Banking; Fund Mgt; Securities
Regions AP
Rule Type Final
Rule Date 7/4/2023
Effective Date 1/1/2025
Rule Id 178322
Linked to Rule 168072
Reg. Last Update 8/20/2024
Report Section International

Last substantive update on 08/23/2024