SEBI’s Principle-based Framework for Cloud Adoption

The Securities and Exchange Board of India (SEBI) recently introduced its Principle-based Framework for Cloud Adoption. This framework provides guidelines to ensure safe usage of cloud services by registered entities (REs) and cloud service providers (CSPs) in the securities industry. The framework is aimed at promoting the adoption of cloud computing while ensuring compliance with regulatory requirements.

Governance, Risk, and Compliance

The SEBI framework provides instructions on governance, risk, and compliance. Registered entities are responsible for monitoring and controlling cloud activities and services, and they must have a governance framework in place to ensure the CSPs’ compliance with the framework. The framework also requires REs to have a risk management plan in place to identify, assess, and mitigate risks associated with cloud computing.

Choosing CSPs

The SEBI framework requires registered entities to choose only Ministry of Electronics and Information Technology-approved CSPs. The entities must perform due diligence to ensure that the CSPs comply with the regulatory framework. The due diligence process should include an assessment of the CSPs’ financial stability, the security measures they have in place, and their ability to meet the entities’ specific requirements.

Data Ownership and Localization

The framework requires data to remain within India’s legal boundaries and to be encrypted at all times. The registered entities must ensure that data residency requirements are met when selecting CSPs. The CSPs must comply with data localization requirements and ensure that data is stored and processed within the country’s borders.

Security Controls

The SEBI framework requires registered entities to implement appropriate security controls to protect data in the cloud. The entities must ensure that data is protected against unauthorized access, disclosure, and alteration. The CSPs must also have appropriate security controls in place to protect data in transit and at rest. The framework also requires the entities to perform regular vulnerability assessments and penetration testing to ensure that the security controls are effective.

Legal and Regulatory Obligations

The SEBI framework requires the registered entities to comply with all legal and regulatory obligations. The entities must ensure that the data they store in the cloud complies with all applicable laws and regulations. The CSPs must also comply with all legal and regulatory requirements related to cloud computing.

Vendor Lock-in Risks

The SEBI framework requires registered entities to have a clear agreement that protects the interests of all parties. The agreement should include provisions that protect against vendor lock-in risks, covering termination of services, transfer of data, and migration of services to another CSP. The entities must also ensure that they have access to all data and systems in the cloud, regardless of the CSP.

