India\u2019s financial sector has always been an attractive target for cyberattackers. RBI\u2019s Financial Stability Report claims that the financial sector faced 20,000 cyberattacks in the last 2 decades, resulting in losses of $20 billion<\/a>. Recently, cryptocurrency platform WazirX<\/a> faced the biggest cyberattack on an Indian exchange, with hackers stealing more than $230 million worth of investor holdings.<\/span><\/p>\n This precarious climate comes at a time when technological developments in securities markets are moving at a rapid pace. Therefore, maintaining a robust cybersecurity posture becomes necessary to protect investor interests. To that end, SEBI recently released the <\/span>Cybersecurity & Cyber Resilience Framework (CSCRF)<\/b> on August 20, 2024, featuring various mandates for its <\/span>regulated entities (REs)<\/b>.<\/span><\/p>\n The framework was created through a collaborative process with various stakeholders like several Market Infrastructure Institutions (MIIs) and Regulated Entities (REs), Indian Computer Emergency Response Team (CERT-In), National Critical Information Infrastructure Protection Centre, Industry Standard Forum (ISF), information security auditors and Cloud Service Providers (CSPs). The guidelines are based taking into account international standards like ISO 27000, CIS Controls Version 8, NIST SP 800-53, BIS Financial Stability Institute Guidelines and CPMI-IOSCO principles.<\/span><\/p>\n This blog gives a general overview of the CSCRF, highlighting certain important mandates in the framework and how solutions in iValue\u2019s cybersecurity suite can help you adhere to the requirements and in turn, create a better cybersecurity posture for your organization.\u00a0<\/span><\/p>\n We start with the 5 cyber resilience goals prescribed by the CSCRF:<\/span><\/p>\n These goals can be linked to one or more of these 6 cybersecurity functions: <\/span>Governance, Identify, Detect, Protect, Respond<\/b> & <\/span>Recover<\/b>. Most of these functions will come under the <\/span>Anticipate <\/b>goal, as prevention is always preferable to the cure when it comes to cyberattacks.<\/span><\/p>\n This goal dictates that the leadership in organizations like yours is responsible for nurturing a risk-aware, cybersecurity conscious culture. To that end, there is a mandate to prepare a cybersecurity <\/span>risk management <\/b>framework to access, mitigate & monitor risks, and define processes to address them using the learnings. This includes assessing risk in your supply chains – for example, you require a Software Bill of Materials (SBOM) from all your vendors to account for any third-party or open source components. You can read more about that <\/span>in our blog: Securing Customer Communications & Portfolio Data: Achieving SEBI Compliance for Portfolio Managers & Investment Advisors<\/a><\/span><\/p>\n An ideal risk management framework should involve these facets:<\/span><\/p>\n We use state-of-the-art risk assessment tools like <\/span>Nessus<\/span> & <\/span>Tenable<\/span> to perform continuous vulnerability scans that identify potential vulnerabilities across your IT environment and provide detailed reports for mitigation.<\/span><\/p>\n In this peg, data, personnel, devices, systems and facilities that enable you to achieve your business purposes are identified & managed according to your risk strategy. It is crucial to identify your <\/span>critical systems<\/b> at this phase, since this will require most fortification. Our data classification solutions with industry leaders like <\/span>Forcepoint<\/span> and <\/span>Digital Guardian<\/span> help streamline this process for you.\u00a0<\/span><\/p>\n This is the page that has the most mandates in CSCRF, as it involves protecting all the potential attack vectors that an attacker could target. This includes:<\/span><\/p>\n CSCRF requires the incorporation of the <\/span>principle of least privilege<\/b> and <\/span>zero trust<\/b> to ensure users in your organization get access only to data relevant to them, for a fixed period of time. Our Identity Governance & Administration solutions like <\/span>Opentext NetIQ <\/span>and <\/span>RSA SecurID <\/span>seamlessly control & monitor user access.<\/span><\/p>\n Furthermore, access to critical systems requires the use of multi-factor authentication (MFA). Our partnership with <\/span>Yubikey<\/span> ensures a strong authentication factor in the form of a physical key.<\/span><\/p>\n This has to be done keeping in mind OWASP guidelines, with emphasis on secure-by-design API development, rate limiting, zero-trust access management and clarified API discovery in terms of knowing how many APIs are exposed and how many are being used. Our integration with <\/span>Google Apigee API<\/span> ensures seamless adherence to these guidelines.<\/span><\/p>\n CSCRF mandates protection of <\/span>data-at-rest<\/b> and <\/span>data-in-transit<\/b>, with encryption being key to this. Data-at-rest is protected through:<\/span><\/p>\n Data-in-transit is protected through asymmetric encryption in the form of TLS.<\/span><\/p>\n This mandates the incorporation of a <\/span>24x7x365 Security Operations Centre (SOC)<\/b> to monitor, prevent, predict, detect, investigate and respond to cyber threats. Undertaking of periodic audits like <\/span>Vulnerability Assessment & Penetration Testing (VAPT)<\/b> comes under this.<\/span><\/p>\n Being cognizant of the fact that setting up an in-house SOC could be difficult for smaller REs, CSCRF gives three options: your <\/span>own\/group SOC<\/b>, a <\/span>market SOC<\/b>, and <\/span>third-party managed SOC<\/b>, like the <\/span>state-of-the-art solution we have at iValue<\/span>.<\/span><\/p>\n This involves the construction of solid incident response plans & procedures to respond to known cybersecurity incidents. Incident response can be broken down into 4 broad phases:<\/span><\/p>\n Our Incident Response & Management solutions include <\/span>Google Simplify<\/span> and <\/span>Splunk Phantom<\/span>, which coordinate & automate incident response and ensure timely resolution of cybersecurity incidents.<\/span><\/p>\n This ensures that recovery processes & procedures are executed & maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents. Our forensic tools with partners like <\/span>EnCase<\/span> help in root cause analysis and aid in remediation of incidents.<\/span><\/p>\n One of the main pillars of CSCRF is the ability to adapt & improve your security posture to stay ahead of threats. Security awareness training could be crucial to this, something we facilitate through our partnerships with <\/span>KnowBe4<\/span> and <\/span>Progist<\/span>.\u00a0<\/span><\/p>\n These are the general guidelines provided by CSCRF, but one thing to consider is that you will have different requirements based on which of these 5 categorizations you fall under: <\/span>MIIs, qualified REs, mid-size REs, small-size REs<\/b> and <\/span>self-certification REs<\/b>. For example, MIIs and qualified REs have to measure their SOC\u2019s functional efficacy every 6 months, while for the rest, it is yearly.<\/span><\/p>\n So, if you\u2019re in doubt about which classification you fit in and what exact requirements apply for your organization, <\/span>click here<\/span><\/a> to set up a meeting with us so we can streamline it for you.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":" Overview of SEBI\u2019s Cybersecurity & Cyber Resilience Framework (CSCRF) India\u2019s financial sector has always been an attractive target for cyberattackers. RBI\u2019s Financial Stability Report claims that the financial sector faced 20,000 cyberattacks in the last 2 decades, resulting in losses of $20 billion. Recently, cryptocurrency platform WazirX faced the biggest cyberattack on an Indian exchange, …<\/p>\n\n
\n
\n
\n
Cyber Resilience Goal: Anticipate | Cybersecurity Function: Governance<\/b><\/h2>\n
\n
\n
\n
\n
\n
Cyber Resilience Goal: Anticipate | Cybersecurity Function: Identify<\/b><\/h2>\n
Cyber Resilience Goal: Anticipate | Cybersecurity Function: Protect<\/b><\/h2>\n
Securing Access\u00a0<\/span><\/i><\/h3>\n
Securing your APIs<\/span><\/i><\/h3>\n
Securing your data<\/span><\/i><\/h3>\n
\n
Cyber Resilience Goal: Anticipate | Cybersecurity Function: Detect<\/b><\/h2>\n
Cyber Resilience Goals: Withstand & Contain | Cybersecurity Function: Respond<\/b><\/h2>\n
\n
\n
\n
Cyber Resilience Goal: Recover | Cybersecurity Function: Recover<\/b><\/h2>\n
Cyber Resilience Goal: Evolve<\/b><\/h3>\n