Overview of SEBI’s Cybersecurity & Cyber Resilience Framework (CSCRF)
India’s financial sector has always been an attractive target for cyberattackers. RBI’s Financial Stability Report claims that the financial sector faced 20,000 cyberattacks in the last 2 decades, resulting in losses of $20 billion. Recently, cryptocurrency platform WazirX faced the biggest cyberattack on an Indian exchange, with hackers stealing more than $230 million worth of investor holdings.
This precarious climate comes at a time when technological developments in securities markets are moving at a rapid pace. Therefore, maintaining a robust cybersecurity posture becomes necessary to protect investor interests. To that end, SEBI recently released the Cybersecurity & Cyber Resilience Framework (CSCRF) on August 20, 2024, featuring various mandates for its regulated entities (REs).
The framework was created through a collaborative process with various stakeholders, including several Market Infrastructure Institutions (MIIs) and Regulated Entities (REs), the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre, the Industry Standard Forum (ISF), information security auditors and Cloud Service Providers (CSPs). The guidelines take into account international standards such as ISO 27000, CIS Controls Version 8, NIST SP 800-53, the BIS Financial Stability Institute guidelines and the CPMI-IOSCO principles.
This blog gives a general overview of the CSCRF, highlighting certain important mandates in the framework and how solutions in iValue’s cybersecurity suite can help you adhere to the requirements and in turn, create a better cybersecurity posture for your organization.
We start with the 5 cyber resilience goals prescribed by the CSCRF:
- Anticipate involves maintaining a state of preparedness to avoid business function compromises from cyberattacks
- Withstand involves the continuation of essential business functions in the event of a successful attack
- Contain involves isolating trusted systems from untrusted systems in the event of a successful attack
- Restore involves restoring business functions to the maximum extent subsequent to a successful attack
- Evolve involves upgrading your organization’s cybersecurity capabilities to minimize the negative impact from actual or predicted attacks
These goals map to one or more of these 6 cybersecurity functions: Governance, Identify, Detect, Protect, Respond & Recover. Most of these functions fall under the Anticipate goal, since prevention is always preferable to the cure when it comes to cyberattacks.
Cyber Resilience Goal: Anticipate | Cybersecurity Function: Governance
This goal dictates that the leadership in organizations like yours is responsible for nurturing a risk-aware, cybersecurity-conscious culture. To that end, there is a mandate to prepare a cybersecurity risk management framework to assess, mitigate & monitor risks, and to define processes that address them using the learnings. This includes assessing risk in your supply chain – for example, you are required to obtain a Software Bill of Materials (SBOM) from all your vendors to account for any third-party or open source components. You can read more about that in our blog: Securing Customer Communications & Portfolio Data: Achieving SEBI Compliance for Portfolio Managers & Investment Advisors
An ideal risk management framework should involve these facets:
- Identify: Determining threats & vulnerabilities that could compromise your organization.
- Analyze: Assessing risk through the likelihood of occurrence and the expected negative impact.
- Evaluate: Evaluating each risk against the threshold of acceptable risk.
- Prioritize: Mitigating high risk observations on priority.
- Respond: Crafting an effective Incident Response & Management Plan.
- Monitor: Continuous monitoring to ensure risk always stays below the pre-determined level of acceptable risk.
We use state-of-the-art risk assessment tools like Nessus & Tenable to perform continuous vulnerability scans that identify potential vulnerabilities across your IT environment and provide detailed reports for mitigation.
Cyber Resilience Goal: Anticipate | Cybersecurity Function: Identify
Under this function, the data, personnel, devices, systems and facilities that enable you to achieve your business purposes are identified & managed according to your risk strategy. It is crucial to identify your critical systems at this phase, since these will require the most fortification. Our data classification solutions with industry leaders like Forcepoint and Digital Guardian help streamline this process for you.
Cyber Resilience Goal: Anticipate | Cybersecurity Function: Protect
This is the function with the most mandates in CSCRF, as it involves protecting all the potential attack vectors that an attacker could target. This includes:
Securing Access
CSCRF requires the incorporation of the principle of least privilege and zero trust to ensure users in your organization get access only to data relevant to them, for a fixed period of time. Our Identity Governance & Administration solutions like Opentext NetIQ and RSA SecurID seamlessly control & monitor user access.
Furthermore, access to critical systems requires the use of multi-factor authentication (MFA). Our partnership with YubiKey ensures a strong authentication factor in the form of a physical key.
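The two access rules above (least-privilege grants that expire after a fixed period, and MFA as a hard precondition for critical systems) can be expressed as a single deny-by-default policy check. The following is an added illustration written for this post, not code from SEBI, iValue or any of the products named; the system names, users and grants are constructed, and the `mfa_verified` flag is assumed to be populated by the authentication layer rather than the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Resource names, users and grants below are constructed for this example.
CRITICAL_SYSTEMS = {"trade-engine", "settlement-db"}


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    actions: frozenset          # only the actions the role actually needs
    expires_at: datetime        # every grant is time-bound, never open-ended


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    mfa_verified: bool          # assumed to be set by the authentication layer
    at: datetime


def authorize(grants, req):
    """Deny-by-default decision: returns (allowed, reason)."""
    # Critical systems are never reachable without a second factor,
    # regardless of what grants exist.
    if req.resource in CRITICAL_SYSTEMS and not req.mfa_verified:
        return False, "mfa-required"
    matching = [g for g in grants if g.user == req.user and g.resource == req.resource]
    if not matching:
        return False, "no-grant"
    live = [g for g in matching if req.at < g.expires_at]
    if not live:
        return False, "grant-expired"
    if any(req.action in g.actions for g in live):
        return True, "allowed"
    return False, "action-not-granted"


NOW = datetime(2024, 9, 1, 10, 0, tzinfo=timezone.utc)
GRANTS = [
    # asha may read the trade engine for the next four hours only
    Grant("asha", "trade-engine", frozenset({"read"}), NOW + timedelta(hours=4)),
    # ravi's reporting access lapsed yesterday and was not renewed
    Grant("ravi", "reports", frozenset({"read", "export"}), NOW - timedelta(days=1)),
]


def demo():
    """Run a fixed set of requests and return the decisions in order."""
    requests = [
        Request("asha", "trade-engine", "read", True, NOW),
        Request("asha", "trade-engine", "read", False, NOW),
        Request("asha", "trade-engine", "write", True, NOW),
        Request("asha", "trade-engine", "read", True, NOW + timedelta(hours=5)),
        Request("ravi", "reports", "read", False, NOW),
        Request("ravi", "settlement-db", "read", True, NOW),
    ]
    return [authorize(GRANTS, r) for r in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The order of the checks matters: the MFA requirement is evaluated before any grant is consulted, so a misconfigured or over-broad grant can never bypass it, and every other path ends in a denial unless a live grant explicitly lists the requested action.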
Securing your APIs
This has to be done keeping OWASP guidelines in mind, with emphasis on secure-by-design API development, rate limiting, zero-trust access management and API discovery, i.e. knowing how many APIs are exposed and how many are actually in use. Our integration with Google Apigee API ensures seamless adherence to these guidelines.
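Rate limiting is the one item in that list that is easiest to show concretely. Below is an added example of a token-bucket limiter keyed by API client, written for this post rather than taken from Apigee, OWASP or iValue; the capacity, refill rate and client identifiers are constructed. In Apigee the same control is normally applied declaratively with a SpikeArrest or Quota policy rather than hand-written code, but the bucket logic is what those policies implement.

```python
import time


class RateLimiter:
    """Token-bucket limiter keyed by API client (API key, token subject, ...)."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity                # maximum burst size
        self.refill_per_sec = refill_per_sec    # sustained request rate
        self.clock = clock                      # injectable clock for deterministic tests
        self._buckets = {}                      # client_id -> [tokens, last_refill_time]

    def allow(self, client_id, now=None):
        """Return True if the request may proceed, False if it should get HTTP 429."""
        now = self.clock() if now is None else now
        bucket = self._buckets.get(client_id)
        if bucket is None:
            # A new client starts with a full bucket.
            bucket = [float(self.capacity), now]
            self._buckets[client_id] = bucket
        tokens, last = bucket
        # Refill in proportion to elapsed time, never beyond capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        allowed = tokens >= 1.0
        bucket[0] = tokens - 1.0 if allowed else tokens
        bucket[1] = now
        return allowed


def simulate():
    """Constructed traffic: bursts from two clients against a 5-burst, 1 req/s limit."""
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0)

    def burst(client, n, at):
        results = [limiter.allow(client, now=at) for _ in range(n)]
        return results.count(True), results.count(False)

    return {
        "a_burst_t0": burst("client-a", 7, 0.0),   # 5 allowed, 2 rejected
        "a_after_2s": burst("client-a", 3, 2.0),   # 2 tokens refilled: 2 allowed, 1 rejected
        "b_t0": burst("client-b", 1, 0.0),         # separate bucket, unaffected by client-a
    }


if __name__ == "__main__":
    print(simulate())
```

Keying the bucket per authenticated client rather than per source IP ties the limit to the identity that zero-trust access management already establishes, so one noisy client cannot exhaust capacity for the others.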
Securing your data
CSCRF mandates protection of data-at-rest and data-in-transit, with encryption being key to this. Data-at-rest is protected through:
- Full-disk encryption, which secures an entire disk with a single key, provided by our partners Thales & Entrust
- File-based encryption, which secures individual files rather than the whole disk, provided by our partners Utimaco & Fortanix
Data-in-transit is protected through TLS, which uses asymmetric cryptography to authenticate the endpoints and establish session keys, and symmetric encryption for the traffic itself.
Cyber Resilience Goal: Anticipate | Cybersecurity Function: Detect
This mandates the incorporation of a 24x7x365 Security Operations Centre (SOC) to monitor, prevent, predict, detect, investigate and respond to cyber threats. Periodic audits such as Vulnerability Assessment & Penetration Testing (VAPT) also fall under this function.
Being cognizant of the fact that setting up an in-house SOC could be difficult for smaller REs, CSCRF gives three options: your own or group SOC, a market SOC, or a third-party managed SOC, like the state-of-the-art solution we have at iValue.
Cyber Resilience Goals: Withstand & Contain | Cybersecurity Function: Respond
This involves the construction of solid incident response plans & procedures to respond to known cybersecurity incidents. Incident response can be broken down into 4 broad phases:
- Preparation: Focused on preventative measures and response templates.
- Detection & Analysis: This involves collection of logs, identification of indicators of attack (IOAs), setting a baseline for normal behavior, and correlating events to check for deviations from that behavior.
- Containment, Eradication & Recovery: Containment involves mitigating the incident before it overwhelms your resources and causes more damage. Eradication & recovery ensure all the affected systems get isolated from your network, after which remediation steps are undertaken.
- Post-incident activity: Evaluating the incident that has occurred, and taking learnings from it to ensure it doesn’t happen again.
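The Detection & Analysis phase above names four concrete activities: collecting logs, knowing your IOAs, setting a baseline and correlating events. The following added example, written for this post and not taken from any SOC platform or from iValue, runs all four over a constructed authentication log: it parses the lines, compares each user's failed-login count with a constructed per-user baseline, and correlates a run of failures from one source followed by a success, a standard IOA for a credential-guessing attempt that got through. The log format, user names, addresses and baseline figures are all invented for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log; not from any real system.
SAMPLE_LOG = """\
2024-09-02T09:00:01Z auth user=asha src=10.0.4.12 result=FAIL
2024-09-02T09:00:05Z auth user=asha src=10.0.4.12 result=OK
2024-09-02T09:01:00Z auth user=ravi src=10.0.4.20 result=OK
2024-09-02T11:30:00Z auth user=ravi src=203.0.113.7 result=FAIL
2024-09-02T11:30:02Z auth user=ravi src=203.0.113.7 result=FAIL
2024-09-02T11:30:04Z auth user=ravi src=203.0.113.7 result=FAIL
2024-09-02T11:30:06Z auth user=ravi src=203.0.113.7 result=FAIL
2024-09-02T11:30:08Z auth user=ravi src=203.0.113.7 result=FAIL
2024-09-02T11:31:00Z auth user=ravi src=203.0.113.7 result=OK
2024-09-02T12:00:00Z auth user=meera src=10.0.4.31 result=FAIL
"""

# Constructed baseline: mean failed logins per user per day, standing in for
# what a SOC derives from historical data during the "set a baseline" step.
BASELINE_FAILS_PER_DAY = {"asha": 1.0, "ravi": 0.5, "meera": 1.0}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(text):
    """Log collection step: turn raw lines into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failure_deviations(events, baseline, factor=3.0, floor=2):
    """Baseline step: users whose failed logins exceed max(floor, factor * baseline)."""
    fails = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {
        user: n for user, n in fails.items()
        if n > max(floor, factor * baseline.get(user, 0.0))
    }


def correlate_bruteforce_success(events, min_fails=3, window=timedelta(minutes=5)):
    """Correlation step (IOA): a run of failures from one source, then a success within the window."""
    runs = defaultdict(list)   # (user, src) -> timestamps of the current failure run
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            runs[key].append(e["ts"])
            continue
        run = runs.pop(key, [])            # a success ends the run for that user/source
        if len(run) >= min_fails and e["ts"] - run[0] <= window:
            alerts.append({"user": e["user"], "src": e["src"], "failures": len(run)})
    return alerts


def analyze(text, baseline=BASELINE_FAILS_PER_DAY):
    """Run the whole Detection & Analysis pipeline over one log extract."""
    events = parse(text)
    return {
        "deviations": failure_deviations(events, baseline),
        "correlated": correlate_bruteforce_success(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample data only one user trips both checks: asha's single early-morning failure sits within her baseline and is not followed by a suspicious pattern, whereas ravi's five rapid failures from an external address followed by a success exceed his baseline and match the correlation rule, which is the event that would move the incident into the Containment phase.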
Our Incident Response & Management solutions include Google Siemplify and Splunk Phantom, which coordinate & automate incident response and ensure timely resolution of cybersecurity incidents.
Cyber Resilience Goal: Recover | Cybersecurity Function: Recover
This ensures that recovery processes & procedures are executed & maintained so that systems or assets affected by cybersecurity incidents are restored in a timely manner. Our forensic tools from partners like EnCase help with root cause analysis and aid in the remediation of incidents.
Cyber Resilience Goal: Evolve
One of the main pillars of CSCRF is the ability to adapt & improve your security posture to stay ahead of threats. Security awareness training could be crucial to this, something we facilitate through our partnerships with KnowBe4 and Progist.
These are the general guidelines provided by CSCRF, but one thing to consider is that your exact requirements depend on which of these 5 categories you fall under: MIIs, qualified REs, mid-size REs, small-size REs and self-certification REs. For example, MIIs and qualified REs have to measure their SOC’s functional efficacy every 6 months, while for the rest it is yearly.
So, if you’re in doubt about which classification you fit in and what exact requirements apply for your organization, click here to set up a meeting with us so we can streamline it for you.