{"id":23082,"date":"2024-09-30T10:18:32","date_gmt":"2024-09-30T04:48:32","guid":{"rendered":"https:\/\/ivaluegroup.com\/en-in\/?p=23082"},"modified":"2025-04-25T13:11:41","modified_gmt":"2025-04-25T07:41:41","slug":"how-sebi-cscrf-safeguards-indian-financial-entities-like-kras-cras","status":"publish","type":"post","link":"https:\/\/ivaluegroup.com\/en-in\/resources\/blogs\/how-sebi-cscrf-safeguards-indian-financial-entities-like-kras-cras\/","title":{"rendered":"How SEBI CSCRF Safeguards Indian Financial Entities Like KRAs & CRAs"},"content":{"rendered":"

The Rising Participation of Indian Retail Investors<\/h2>\n

 <\/p>\n

In recent times, we are seeing a trend of Indians increasingly investing in securities. SEBI reports that retail investor participation reached around 45% of total market volume in 2023<\/a>, up from 30% in 2020. The rapid democratization of technology throughout the country has led to greater participation in the market.<\/span><\/p>\n

Key Entities in the Financial Market: KRAs and CRAs<\/h2>\n

 <\/p>\n

Two types of entities that play crucial roles in this ecosystem are KYC registration agencies<\/strong> (KRAs) and credit rating agencies<\/strong> (CRAs). KRAs are institution-facing – they verify the identity of investors and maintain a centralized database of KYC records that can be accessed by various financial institutions. Meanwhile, CRAs are investor-facing – they evaluate the creditworthiness of debt instruments and give investors insight on potential investments. Both deal with extremely sensitive data, and therefore, maintaining data integrity & security becomes a crucial part of operations.<\/span><\/p>\n

The heightened state of the industry has also led to heightened levels of risk in the form of cyberattacks. The 2023 ZScaler ThreatLabz Report<\/a> claims that India faced a 37% increase in data breaches in the financial services sector<\/strong> last year, and the situation could become worse if there are no countermeasures to combat attackers.<\/span><\/p>\n

SEBI\u2019s Cybersecurity and Cyber Resilience Framework (CSCRF) Overview<\/h2>\n

 <\/p>\n

To that end, SEBI recently released the Cybersecurity and Cyber Resilience Framework (CSCRF)<\/strong> on August 20, 2024, to safeguard investors, companies and overall financial markets from the crippling effects of cyberattacks. The framework applies for all of SEBI\u2019s regulated entities, including KRAs and CRAs.<\/span><\/p>\n

Adhering to all the myriad requirements of the framework can be extremely challenging at first, mainly because most components are time-sensitive. For example, you have to produce a Software Bill of Materials (SBOM)<\/strong> for all your software vendors within 6 months of the framework being introduced. Many requirements like this demand immediate attention on your part, but the great part about CSCRF is that its holistic approach to cybersecurity enables your organization to have a vastly superior cybersecurity posture. It aids in securing your most valuable asset – <\/span>your data.<\/b><\/p>\n

Two elements of the framework that help with securing data are the mandated guidelines for <\/span>encryption <\/b>and <\/span>access control <\/b>respectively<\/span>. <\/b>These form the crux of CSCRF\u2019s third cyber resiliency goal to <\/span>anticipate<\/b>, complemented by the cybersecurity control to <\/span>protect<\/b>, which is all about safeguarding critical assets & systems from unauthorized access, use and disclosure. This blog focuses on the various CSCRF requirements for this particular peg, and how iValue\u2019s diverse range of solutions can help you seamlessly comply with all of them.<\/span><\/p>\n

CSCRF Encryption Requirements for KRAs and CRAs<\/h2>\n

 <\/p>\n

We begin this by stating that KRAs and CRAs have several different requirements in CSCRF. Due to KRAs facilitating access to extremely sensitive customer data, they have the same requirements as Market Infrastructure Institutions (MIIs), which are the most stringent in this framework. On the other hand, CRAs have the same requirements as self-certified REs, which have lesser mandates in comparison to other REs. Many elements of the framework are universal across all REs, but we\u2019ll be sure to point out whenever there is any divergence.<\/span><\/p>\n

Let\u2019s start with <\/span>encryption<\/b>. CSCRF mandates that all REs encrypt <\/span>data-at-rest<\/b> and <\/span>data-in-transit<\/b> using industry standard algorithms like RSA and AES. In addition, KRAs are also supposed to do the same for <\/span>data-in-use<\/b>. But before all this, you must identify the data in your organization that warrants encryption. Encrypting all your data is infeasible and may open up additional attack vectors, so it is critical to do an assessment before you go about choosing vendors for the same.<\/span><\/p>\n

Access Control Measures Under CSCRF<\/h2>\n

 <\/p>\n

Now, let\u2019s move on to all the <\/span>access control <\/b>measures required by CSCRF. We begin with requirements for both KRAs and CRAs:<\/span><\/p>\n

Based on that assessment, you will have to choose an encryption strategy that has both <\/span>Full Disk Encryption (FDE) <\/b>and <\/span>File-Based Encryption (FBE). <\/b>FDE encrypts all the data on a disk drive, while FBE encrypts specific files or directories in that disk. Additionally, all the encryption keys resulting from this have to be properly stored and managed, which you can read more about in our blog: Strengthening Data Protection to Meet SEBI\u2019s Encryption Mandates<\/a><\/span><\/p>\n