India\u2019s financial markets are currently in a supercharged state. With increasing participation from retail investors, the National Stock Exchange (NSE) reported daily trading volumes averaging around \u20b945,000 cr in equities. A lot of these transactions involve sensitive data like payment details, transaction histories and personal identifiers, making it attractive for malicious actors attempting to gain unauthorized access. This is reflected by the Indian financial sector facing more than 13 lakh cyberattacks between January to October 2023, according to the RBI.\u00a0<\/span><\/p>\n If these attackers do happen to gain access, there could be serious ramifications, leading to both a loss in revenue and customer confidence. Therefore, there is a clear incentive for financial organizations like yours to have strong security measures to guarantee privacy, availability & integrity of financial data.<\/span><\/p>\n One key measure is <\/span>encryption<\/b>, which is a crucial part of the Cybersecurity & Cyber Resilience Framework (CSCRF) issued by SEBI on August 20, 2024. CSCRF has numerous mandates for SEBI\u2019s Regulated Entities (REs) – this blog will focus specifically on the framework\u2019s encryption-centric requirements. Interestingly enough, there is not much mention of encryption in the released framework, because most of the groundwork for the same was laid out last year in a SEBI circular titled \u2018Framework for Adoption of Cloud Services by SEBI Regulated Entities\u2019 on March 6, 2023.<\/span><\/p>\n Encryption secures data by converting it into ciphertext that is indecipherable for unauthorized persons. This is done using cryptographic keys, which are are random strings of bits generated to encrypt and decrypt. CSCRF dictates that all REs secure their <\/span>data-at-rest<\/b> and <\/span>data-in-transit<\/b>, with the further mandate of securing data-in-use for only Market Infrastructure Institutions (MIIs) and Qualified REs,<\/span><\/p>\n CSCRF dictates that data-at-rest encryption has to be done with strong encryption algorithms, featuring a mix of data object encryption, file level encryption and tokenization in addition to the encryption provided at platform level.<\/span><\/p>\n So, what type of encryption works best for your data? The answer will be extremely clear after undertaking a thorough risk assessment that identifies your most sensitive data. It is important to note that encrypting all your data is infeasible and may open up additional attack vectors, so this first step is crucial.<\/span><\/p>\n One categorization for types of encryption can be based on the <\/span>cryptography<\/b>:<\/span><\/p>\n Another categorisation is based on what you\u2019re encrypting. In this comes <\/span>full disk encryption (FDE)<\/b> and <\/span>file based encryption (FBE)<\/b>. FDE encrypts all the data in a complete drive, while FBE encrypts specific files or directories. CSCRF mandates using a mix of both, and that particular mix will be dependent on the classification of your sensitive data. Here are some key differences between the two:<\/span><\/p>\n Ultimately, despite the encryption mix you choose, a lot of different cryptographic keys will be generated. And for data-at-rest to be safely stored, key management procedures must be followed.\u00a0<\/span><\/p>\n To that end, CSCRF demands implementation of a dedicated <\/span>hardware security module (HSM)<\/b> that has complete control of key management, including generating, storing, exchanging and managing keys. Key rotation and stringent access restrictions are essential for success. It is critical to identify the right personnel in charge of the keys, as well as the right methodologies for storing them – any compromise to each will render the entire encryption process useless. Additionally, your HSM should be designed in fault tolerance mode to ensure that potential failure of the system doesn\u2019t have any impact on data retrieval and processing.<\/span><\/p>\n (Note: CSCRF mandates that REs retain complete ownership of their encryption keys, so if you choose us as an encryption partner, we will take care of all the processes while the keys secretly reside in your systems.)<\/span><\/p>\n This includes data in your cloud. CSCRF mandates a mix of session encryption and data object encryption in addition to the encryption provided at the platform level, whenever sensitive data is in transit.<\/span><\/p>\n Here are some things to keep in mind for the same:<\/span><\/p>\n Additionally, for MIIs and qualified REs, data-in-use must be secured using confidential computing solutions.\u00a0<\/span><\/p>\n That\u2019s a lot of requirements to keep in mind for encryption, which is in itself a small but important cog in the CSCRF machine. The last thing you want is to incorporate a bunch of different solutions that makes it extremely difficult to keep track of it all.<\/span><\/p>\n To that end, we suggest you opt for <\/span>iValue\u2019s state-of-the-art suite<\/b> that gives you full visibility into all your CSCRF requirements.<\/span><\/p>\n Here are the solutions in our suite that fit your CSCRF encryption requirements:<\/span><\/p>\n These solutions work in sync to help fortify your data, and a centralized dashboard gives you complete oversight at all times. If that\u2019s something that interests you, <\/span>click here<\/span> to set up a meeting so we can go about finding your ideal encryption mix!\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":" Introduction to SEBI\u2019s Encryption Mandates India\u2019s financial markets are currently in a supercharged state. With increasing participation from retail investors, the National Stock Exchange (NSE) reported daily trading volumes averaging around \u20b945,000 cr in equities. A lot of these transactions involve sensitive data like payment details, transaction histories and personal identifiers, making it attractive for …<\/p>\nThe Importance of Encryption in Financial Data Protection<\/h2>\n
Securing Data-at-rest<\/b><\/h3>\n
\n
\n\n
\n FDE<\/b><\/td>\n FBE<\/b><\/td>\n<\/tr>\n \n It encrypts the entire disk, including your OS, with a single key.<\/span><\/td>\n It encrypts individual files or folders, with a unique key for each file.<\/span><\/td>\n<\/tr>\n \n It is comparatively less secure than FBE, because the entire disk can be decrypted with a single key.<\/span><\/td>\n It is comparatively more secure to FDE, since each file has a separate key.<\/span><\/td>\n<\/tr>\n \n It takes longer to implement, since you are dealing with larger amounts of data.<\/span><\/td>\n Once the files and directories are decided, it is faster to implement due to the relatively lesser load.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Key Management and Hardware Security Module (HSM) for CSCRF Compliance<\/h2>\n
Securing data-in-transit<\/b><\/h3>\n
\n
Simplifying CSCRF Encryption Compliance with iValue<\/h2>\n
\n