The Need for SEBI Compliance in Securing Customer Data and Communications
India’s growth story is reflected in the emergence of its financial markets. The total market capitalization of India’s stock market exceeded $5 trillion recently, and a key reason for this is the democratization of access to these markets. In FY24, non-institutional investors accounted for more than half of the stock market’s cash volumes, and two key players integral in facilitating that are portfolio managers and investment advisors.
Not only are they flag bearers of this emerging industry, they are also custodians of extremely sensitive customer data. Both deal with developing and implementing investment strategies based on clients’ particular financial goals and risk tolerance, which requires the use of state-of-the-art software that is also secure. They also have to constantly allocate assets by moving them around, and that requires secure communications. In a world where Indian companies face the second highest number of weekly attacks per organization at 3,201 attacks per week – the worldwide average is 1,636 – it is imperative for organizations like yours to protect your sensitive data. Failure to do that can lead to erosion of customer confidence, and that could significantly affect your bottom line.
Understanding SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF)
To aid you in improving your organizational cybersecurity posture, SEBI recently released the Cybersecurity and Cyber Resilience Framework (CSCRF) on August 20, 2024. The framework has certain mandates for all its Regulated Entities (REs), including portfolio managers and investment advisors. This blog will focus on the guidelines mandated by CSCRF when it comes to securing your software and securing your communications.
Let’s start by mentioning that not all REs will have the same guidelines. The requirements specific to your organization depend on which one of these five REs you fall under, in descending order of requirements: Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs and Self-certification REs.
For investment advisors, individual IAs are exempt from CSCRF requirements, while non-individual IAs are categorized as small-size REs.
For portfolio managers, the criterion for categorization is the value of Assets Under Management (AUM):

| Self-certification REs | Small-size REs | Mid-size REs |
|---|---|---|
| Less than ₹1000 cr. | ₹1000 cr. and above, but less than ₹3000 cr. | ₹3000 cr. and above |
Now that you’ve figured out which RE classification your organization comes under, let’s start with the mandates for…
How Portfolio Managers & Advisors Can Secure Their Software
A key factor towards achieving this goal is the CSCRF mandate of Secure Software Development Life Cycle (SSDLC), which is all about integrating security testing at every stage of software development, from design to development to deployment and beyond.
Here are the SSDLC requirements mandated for all REs:
- It starts with formulating a business requirement document with mentions of security requirements, logging, session management, audit trail, data integrity, security event tracking, exception handling, etc.
- During development, threat modeling and application security testing have to be conducted for secure rollout of software & applications.
- For application security, one must follow security guidelines and other protection measures given by OWASP, like OWASP-ASVS.
- For layered security, the principle of defence-in-depth has to be incorporated.
- Before introducing new technologies to your critical systems, your security team has to assess security concerns and achieve a fair level of maturity with these technologies before incorporating them into your infrastructure.
Here are additional SSDLC requirements mandated for all REs except small-size and self-certification REs:
- Regression testing has to be applied whenever new or modified systems are implemented, with the scope of these tests covering security controls, business logic, system performance under various stressful conditions, etc.
- For all major releases, vulnerability assessment and penetration testing (VAPT) has to be conducted beforehand to assess risk & vulnerabilities arising from recent additions or modifications to the application or software. You can read more about CSCRF’s VAPT requirements in our blog “Cybersecurity for Stock Brokers & Custodians: Meeting SEBI’s CSCRF Mandates”.
Furthermore, there is a realization that software developers and vendors often create new products by using existing open source & commercial software components. However, recent security breaches involving third-party vendors like Apache and SolarWinds have mandated the requirement of a Software Bill of Materials (SBOM), a formal record containing details & supply chain relationships of the various components used in building that particular software.
All REs have to retain SBOMs for their existing critical systems before February 20, 2025, so click here for us to help you out with that if you haven’t started. Additionally, SBOMs have to be obtained for all new software products/SaaS to be used in critical systems.
A typical SBOM includes all these elements:
- License information
- Name of supplier
- All primary components with their respective transitive dependencies
- Encryption used
- Cryptographic hash of components
- Frequency of updates
- Known unknowns where SBOM does not include the full dependency graphs
- Access Control Methods
- Methods for accommodating occasional incidental errors
With SBOMs, you become more aware of all the myriad elements involved in your software, thus having more information to make better security decisions. It also helps mitigate supply chain risks that are proving to be a big issue for many organizations.
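The checklist above is only useful if you actually verify that the SBOMs your vendors hand over contain those elements. The script below is an added example, not code from the original post or from iValue: it assumes the SBOM arrives in CycloneDX JSON form (a format the post does not name), reads a constructed sample document, and reports which components lack a supplier, license information or a cryptographic hash, plus any "known unknowns", i.e. dependencies the graph refers to but the SBOM never declares. All component names, versions and hashes in the sample are made up.

```python
"""Audit a vendor-supplied SBOM for the elements CSCRF expects.

Added example, not from the original post or from iValue. It assumes the
SBOM is CycloneDX JSON; the sample document below is constructed for
illustration and describes no real product.
"""
import json

# Constructed CycloneDX-style SBOM: two declared components, one of which
# depends on a component that is referenced but never declared.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"supplier": {"name": "Example Vendor Pvt Ltd"}},
    "components": [
        {
            "bom-ref": "pkg:maven/org.example/trading-core@2.1.0",
            "name": "trading-core",
            "version": "2.1.0",
            "supplier": {"name": "Example Vendor Pvt Ltd"},
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
        },
        {
            "bom-ref": "pkg:pypi/jsonparse@1.4.2",
            "name": "jsonparse",
            "version": "1.4.2",
            # deliberately incomplete: no supplier, no license, no hash
        },
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/trading-core@2.1.0",
         "dependsOn": ["pkg:pypi/jsonparse@1.4.2"]},
        {"ref": "pkg:pypi/jsonparse@1.4.2",
         "dependsOn": ["pkg:pypi/undeclared-lib@0.9"]},
    ],
})

# Per-component fields we treat as mandatory (supplier name, license
# information, cryptographic hash); this mapping is the example's own choice.
REQUIRED_FIELDS = ("supplier", "licenses", "hashes")


def audit_sbom(sbom_json: str) -> dict:
    """Return findings: per-component gaps and any 'known unknowns'."""
    bom = json.loads(sbom_json)
    components = bom.get("components", [])
    declared = {c.get("bom-ref") for c in components if c.get("bom-ref")}

    # Components missing any of the required fields, keyed by name.
    gaps = {}
    for comp in components:
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp["name"]] = missing

    # A ref that appears in the dependency graph but has no component entry
    # is a "known unknown": the vendor admits the dependency exists but has
    # not described it, so the dependency graph is incomplete.
    referenced = set()
    for dep in bom.get("dependencies", []):
        referenced.update(dep.get("dependsOn", []))
    known_unknowns = sorted(referenced - declared)

    return {
        "vendor": bom.get("metadata", {}).get("supplier", {}).get("name"),
        "component_count": len(components),
        "gaps": gaps,
        "known_unknowns": known_unknowns,
        "acceptable": not gaps and not known_unknowns,
    }


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
```

Run it as-is to see the report for the sample, or replace `SAMPLE_SBOM` with the contents of a vendor's file. A report with non-empty `gaps` or `known_unknowns` is the point at which to go back to the vendor rather than file the SBOM and move on.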
Securing Communications: Encryption & Safe Transmission
SEBI defines a secure channel as ‘a protected communications link established between a cryptographic module and the sender/receiver to securely communicate and verify the validation of plaintext CSPs, keys, authentication data and other sensitive data.’
CSCRF mandates the protection of data-at-rest and data-in-transit for all REs. As we mentioned earlier, encryption used is a key element of the SBOM requirements, as it is the driver for securing all the data in that particular software. You can read more about how encryption can be used for data-at-rest here.
Similarly, encryption plays a key role in securing communications and protecting your data in transit. Here are the CSCRF requirements for the same:
- When an application transmitting sensitive data communicates over the Internet with the RE's systems (e.g. IBT communication from a client's web browser), it should be done over a secure, encrypted channel using a strong transport encryption mechanism like Transport Layer Security (TLS). The asymmetric public key cryptography used in TLS helps prevent Man in the Middle (MITM) attacks.
- For applications carrying sensitive data served as web pages over the Internet, a valid, properly configured TLS certificate on that web server is mandatory. This is shown through the HTTP(S) padlock sign on your browser.
- Use secure protocols like FTP(S), SSH and VPN tunnels.
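"Use TLS" only delivers the MITM protection described above when the client actually verifies the server's certificate, checks the hostname, and refuses obsolete protocol versions. The following is an added example, not code from the original post or from iValue: it uses Python's standard `ssl` module to show a weak client configuration beside a hardened one, and a small audit function that flags the weaknesses. The thresholds it applies (TLS 1.2 minimum, certificate and hostname verification on) are the example's own assumptions, not figures quoted from the framework.

```python
"""Spot weak TLS client settings that undermine data-in-transit protection.

Added example, not from the original post or from iValue. Thresholds are
the example's assumptions: TLS 1.2 as the floor, certificate verification
and hostname checking required.
"""
import socket
import ssl


def context_findings(ctx: ssl.SSLContext) -> list:
    """Return human-readable weaknesses found in ctx (empty list = acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("negotiation allows TLS versions below 1.2")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """A context that 'works' against any server, which is exactly the problem:
    an attacker in the path can present any certificate and it is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no version floor
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verification on, hostname check on, system trust store, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was negotiated.
    Raises ssl.SSLError if the certificate is invalid or the version too old.
    Network call: not exercised by the offline check below."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_expires": cert.get("notAfter"),
            }


if __name__ == "__main__":
    print("weak:", context_findings(weak_client_context()))
    print("hardened:", context_findings(hardened_client_context()))
```

`probe_endpoint` is the piece to point at your own customer-facing host: because it uses the hardened context, a connection that succeeds is evidence the certificate chain validates and the version floor is met, and a failure tells you which of the two is wrong before a customer's browser does.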
iValue’s state-of-the-art cybersecurity suite can help secure your software, secure your communications and adhere to all the myriad requirements mandated by SEBI.
Here are the solutions we provide to help secure your software and applications:
- Risk assessment tools like Nessus and Tenable that perform vulnerability scans and provide detailed reports for mitigation.
- An advanced SSDLC solution that provides threat modeling to identify potential threats & attack vectors, secure coding standards, code review & static analysis, and dynamic application security testing (DAST).
- Web Application Security Testing through solutions like Tenable, Opentext Fortify and Levo, which help identify vulnerabilities in web applications.
- The required experience and processes to take you through the SBOM mandate for all your vendors.
Additionally, we provide a wide variety of encryption solutions, from symmetric to asymmetric and full disk encryption to file-based encryption, through partnerships with industry leaders like Thales and Utimaco. We can also help you obtain TLS certificates to secure your communication through the Internet. You can read more about our encryption solutions here.
We close it by saying that if you fall under SEBI’s REs, the next year could get pretty hectic with all the various requirements. If you need a partner to streamline that for you while you focus on what you do best, click here to set up a meeting with us.