
How SEBI CSCRF Safeguards Indian Financial Entities Like KRAs & CRAs

The Rising Participation of Indian Retail Investors

 

Indians are increasingly investing in securities. SEBI reports that retail investor participation reached around 45% of total market volume in 2023, up from 30% in 2020, as technology has made market access far easier across the country.

Key Entities in the Financial Market: KRAs and CRAs

 

Two types of entities that play crucial roles in this ecosystem are KYC registration agencies (KRAs) and credit rating agencies (CRAs). KRAs are institution-facing: they verify the identity of investors and maintain a centralized database of KYC records that financial institutions query. CRAs are investor-facing: they evaluate the creditworthiness of debt instruments and give investors insight into potential investments. Both handle extremely sensitive data, so data integrity and security are central to their operations.

Growth in the market has brought growth in cyber risk. The 2023 Zscaler ThreatLabz report claims that India faced a 37% increase in data breaches in the financial services sector last year, and the situation will worsen without countermeasures.

SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) Overview

 

To that end, SEBI released the Cybersecurity and Cyber Resilience Framework (CSCRF) on August 20, 2024, to safeguard investors, companies and the financial markets as a whole from the effects of cyberattacks. The framework applies to all SEBI-regulated entities (REs), including KRAs and CRAs.

Adhering to the framework's many requirements can be challenging at first, mainly because most of them are time-bound. For example, you have to obtain a Software Bill of Materials (SBOM) from your software vendors within 6 months of the framework's introduction. Many requirements like this demand immediate attention, but the upside of CSCRF is that its holistic approach leaves your organization with a far stronger cybersecurity posture. It helps secure your most valuable asset: your data.

Two elements of the framework that bear directly on data security are its mandated guidelines for encryption and for access control. These sit under CSCRF's cyber resiliency goal to anticipate, complemented by the cybersecurity function to protect, which is about safeguarding critical assets and systems from unauthorized access, use and disclosure. This blog covers the CSCRF requirements in this area and how iValue's range of solutions can help you comply with them.

CSCRF Encryption Requirements for KRAs and CRAs

 

First, a note on scope: KRAs and CRAs face different sets of requirements under CSCRF. Because KRAs facilitate access to extremely sensitive customer data, they have the same requirements as Market Infrastructure Institutions (MIIs), which are the most stringent in the framework. CRAs, on the other hand, have the same requirements as self-certification REs, which carry fewer mandates than other REs. Many elements of the framework are universal across all REs; we point out the divergences as they arise.

Let's start with encryption. CSCRF mandates that all REs encrypt data at rest and data in transit using industry-standard algorithms such as RSA and AES. KRAs must also protect data in use, that is, data while it is being processed rather than stored or transmitted. Before any of this, you must identify which data in your organization warrants encryption. Encrypting everything indiscriminately is impractical and can create new exposure: every extra key is something to store, rotate and protect, and blanket schemes tend to leave keys sitting next to the data they guard. Do that assessment before choosing vendors.

Based on that assessment, choose an encryption strategy that combines Full Disk Encryption (FDE) and File-Based Encryption (FBE). FDE encrypts everything on a disk and protects against offline access to a lost, stolen or decommissioned drive, but once the system is booted and the disk unlocked it offers no protection against a process or user on that system. FBE encrypts specific files or directories under their own keys, so access can be limited to the applications and users that hold those keys. All the resulting keys have to be stored and managed properly, which you can read more about in our blog: Strengthening Data Protection to Meet SEBI's Encryption Mandates

Access Control Measures Under CSCRF

 

Now, let's move on to the access control measures required by CSCRF. We begin with the requirements that apply to both KRAs and CRAs:

  • Access follows the principle of least privilege: access is granted on a need-to-use basis, for a defined purpose, over a defined period, and is enforced through strong and secure authentication.
  • The authentication policy defines complexity requirements for user passwords.
  • All critical systems accessible over the Internet must have both multi-factor security (VPNs, firewall controls, etc.) and multi-factor authentication (passwords and OTPs, together with a strong factor such as biometrics or a physical key like YubiKey, with whom iValue partners). MFA is required for every account that accesses systems from non-trusted environments into trusted environments.
  • LANs and wireless networks must be secured with the same access controls.
  • Account lockout after a defined number of failed login attempts must be implemented for all accounts.
  • Access to critical systems must be logged and the records maintained, especially for users of shared accounts. The logs to collect include system, application, network, database, event, performance and security logs. They must be stored in a secure location for no less than 2 years.
  • Existing user accounts and access rights must be reviewed periodically to detect dormant accounts, unknown accounts, accounts with excessive privileges and similar issues. Delegated access and unused tokens must be reviewed and cleaned up quarterly.
  • 'End of life' mechanisms must deactivate the access privileges of users who leave the organization or whose privileges are withdrawn.
  • Your organization must formulate data retention and disposal policies that identify the value and lifetime of each class of data, including policies for disposing of storage media and systems.
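The periodic review in the list above is mechanical enough to script. The following is an added example, not code from this page or from iValue: it cross-checks a constructed identity export against a constructed HR roster and flags every condition the bullets name (unknown accounts, leavers still enabled, dormant accounts, privileged roles held outside the administrator job, delegated access, and tokens unused for a quarter). The role names, the 90-day windows and the sample users are assumptions to adapt to your own directory.

```go
package main

import (
	"fmt"
	"time"
)

// Account is one row of an identity export (IdP/AD); real reviews pull this from the directory.
type Account struct {
	User        string
	Roles       []string
	Active      bool
	Delegated   bool      // access granted by delegation from another user
	LastLogin   time.Time // zero = never logged in
	TokenIssued time.Time // zero = no API token
	TokenUsed   time.Time // zero = token never used
}
// Finding is one item the access reviewer must act on.
type Finding struct{ User, Reason string }
// Assumed review windows matching the bullets: dormant after 90 days, tokens reviewed quarterly.
const (
	dormantAfter = 90 * 24 * time.Hour
	tokenUnused  = 90 * 24 * time.Hour
)
// privilegedRoles are assumed names; map them to your own directory's groups.
var privilegedRoles = map[string]bool{"domain-admin": true, "db-admin": true, "kyc-db-write": true}

// ReviewAccounts cross-checks the identity export against the HR roster (user -> job title,
// "left" for people who have exited) and reports every condition the review must catch.
func ReviewAccounts(now time.Time, accounts []Account, roster map[string]string) []Finding {
	var out []Finding
	add := func(u, why string) { out = append(out, Finding{u, why}) }
	for _, a := range accounts {
		if !a.Active {
			continue // already deactivated, nothing to review
		}
		job, known := roster[a.User]
		if !known {
			add(a.User, "unknown account: not in HR roster")
			continue
		}
		if job == "left" {
			add(a.User, "leaver still active: deactivate")
			continue
		}
		if a.LastLogin.IsZero() || now.Sub(a.LastLogin) > dormantAfter {
			add(a.User, "dormant: no login within 90 days")
		}
		for _, r := range a.Roles {
			if privilegedRoles[r] && job != "administrator" {
				add(a.User, "excessive privilege: "+r+" held by "+job)
			}
		}
		if a.Delegated {
			add(a.User, "delegated access: re-approve or revoke")
		}
		if !a.TokenIssued.IsZero() {
			last := a.TokenUsed
			if last.IsZero() {
				last = a.TokenIssued
			}
			if now.Sub(last) > tokenUnused {
				add(a.User, "unused token: revoke")
			}
		}
	}
	return out
}

// SampleExport returns a constructed identity export and HR roster for the demo.
func SampleExport(now time.Time) ([]Account, map[string]string) {
	day := 24 * time.Hour
	accounts := []Account{
		{User: "asha", Roles: []string{"analyst"}, Active: true, LastLogin: now.Add(-3 * day)},
		{User: "ravi", Roles: []string{"analyst", "db-admin"}, Active: true, LastLogin: now.Add(-10 * day)},
		{User: "meera", Roles: []string{"domain-admin"}, Active: true, LastLogin: now.Add(-1 * day)},
		{User: "svc-legacy", Roles: []string{"reader"}, Active: true, LastLogin: now.Add(-200 * day),
			TokenIssued: now.Add(-400 * day), TokenUsed: now.Add(-150 * day)},
		{User: "karan", Roles: []string{"analyst"}, Active: true, LastLogin: now.Add(-2 * day)},
		{User: "tmp-vendor", Roles: []string{"reader"}, Active: true, Delegated: true, LastLogin: now.Add(-5 * day)},
		{User: "ghost-01", Roles: []string{"reader"}, Active: true, LastLogin: now.Add(-1 * day)},
		{User: "old-intern", Roles: []string{"reader"}, Active: false, LastLogin: now.Add(-300 * day)},
	}
	roster := map[string]string{"asha": "analyst", "ravi": "analyst", "meera": "administrator",
		"svc-legacy": "service account", "karan": "left", "tmp-vendor": "contractor"}
	return accounts, roster
}

func main() {
	now := time.Date(2024, 11, 1, 0, 0, 0, 0, time.UTC)
	accounts, roster := SampleExport(now)
	for _, f := range ReviewAccounts(now, accounts, roster) {
		fmt.Printf("%-12s %s\n", f.User, f.Reason)
	}
}
```

Two of the checks depend on a second source of truth, the HR roster: without it "unknown account" and "leaver still active" cannot be decided from the directory alone, which is why the review has to join identity data with joiner/mover/leaver data rather than just scan the directory for stale logins.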

These additional requirements apply only to KRAs:

  • The principle of least privilege required of all REs must be part of a holistic zero trust model for KRAs, in which access to critical systems is denied by default and allowed only after proper authentication and authorization. Least privilege is about minimizing access rights; zero trust adds continuous verification of every request.
  • A Data Loss Prevention (DLP) solution must be deployed to monitor and protect sensitive data.
  • A Privileged Identity Management (PIM) solution must track privileged users, with controls such as restricting the number of privileged users, preventing users from accessing the logs in which their own activity is recorded, limiting remote access and periodically reviewing all activity from these accounts.
  • Additional password controls apply, including a forced password change on first login and storage of passwords using strong hashing algorithms.
  • The network must be segmented to restrict access to sensitive data, with segment-to-segment access granted on the principle of least privilege. The same access controls apply to all APIs.
  • Email protection must include strong passwords, MFA, spam filtering, email encryption, a secure email gateway and a restriction on permissible attachment types.
  • Your organization must monitor and regulate the use of Internet-based services such as social media sites and cloud storage within its critical IT infrastructure.
  • An up-to-date, centralized inventory must be kept of the authorized devices connected to your network and of the authorized devices that make up the network itself.
  • Because KRAs handle a very large volume of identity requests, Domain Controllers must be specifically secured, and administrators must use separate accounts for Domain Controller administration and for their day-to-day work.

Centralized Management of Cybersecurity Solutions

These are a lot of requirements, and most of them have to be in place within 6 months of CSCRF's introduction. That pressure should not push you into deploying dozens of disparate solutions that then all have to be monitored separately.

Instead, gain complete oversight of your CSCRF data integrity and security obligations with iValue's security suite, which includes:

  • Full-disk encryption through our partnerships with Thales and Entrust
  • File-based encryption through our partnerships with Utimaco and Fortanix
  • Tracking and protecting all your encryption technologies through a Data Security Posture Management solution, such as our solutions with Forcepoint and Varonis
  • Enforcement of strong authentication through solutions like YubiKey
  • OpenText NetIQ and RSA SecurID to manage user access rights and identity policies
  • Forcepoint DLP to secure your sensitive data (required only for KRAs)
  • PIM solutions from CyberArk to reduce the risk of unauthorized privileged access (required only for KRAs)

Through this suite, the encryption and access control requirements mandated by CSCRF are managed together from a centralized dashboard. iValue's solutions can be implemented quickly, keeping you on track for your CSCRF deadlines.
