Sebi’s Consultation Paper on Cyber Security Framework

The Securities and Exchange Board of India (Sebi) has recently issued a consultation paper on the ‘Consolidated Cyber Security and Cyber Resilience Framework (CSCRF) for Sebi Regulated Entities.’ The proposed framework aims to strengthen cyber security and enhance cyber resilience in the operations of regulated entities. 

The Five Functions of Cyber Security

The CSCRF is built on the five concurrent and continuous functions of cyber security: Identify, Protect, Detect, Respond, and Recover. These functions, defined by the National Institute of Standards and Technology (NIST), provide a comprehensive approach to cyber security. For its controls, outcomes, and guidance, the framework incorporates globally recognized standards such as NIST Special Publication 800-53 Revision 5, COBIT 5, and the CIS Controls.

Identification and Classification of Critical Assets

Under the proposed framework, all regulated entities are required to identify and classify critical assets based on their sensitivity and criticality for business operations, services, and data management. The list of critical systems will be approved by the board, partner, or proprietor, who will be held accountable for all aspects related to third-party services, including confidentiality, integrity, availability, and non-repudiation.

Cyber Crisis Management Plan (CCMP)

One of the key components of the CSCRF is the formulation of an up-to-date Cyber Crisis Management Plan (CCMP). This plan ensures that regulated entities are prepared to effectively respond to cyber incidents and minimize their impact. The consultation paper highlights the importance of continuous updates to the CCMP to keep it relevant and effective in addressing evolving cyber threats.

Incident Response Management Plans and SOPs

Regulated entities will be required to establish comprehensive incident response management plans and the respective Standard Operating Procedures (SOPs). These plans and procedures play a critical role in enabling entities to handle cyber incidents promptly and efficiently. By having well-defined processes and protocols in place, organizations can mitigate the impact of cyber threats and minimize disruption to their operations.

Collaborative Approach and Feedback

Sebi encourages regulated entities to provide feedback on the proposed framework. This collaborative approach ensures that the framework remains effective in combating emerging cyber risks. Regulated entities can contribute their insights and expertise, helping to shape a robust and comprehensive framework that addresses the specific challenges faced by the industry.
