The Cybersecurity and Cyber Resilience Framework (CSCRF), developed by SEBI, aims to protect India’s financial markets from escalating cyber threats. With the growing use of digital technology, financial entities are increasingly vulnerable to cyber-attacks, which can disrupt operations, cause financial losses, and erode trust. The CSCRF provides a structured and graded approach to enhance cybersecurity measures for SEBI-regulated entities (REs), ensuring they can safeguard their infrastructure, detect threats, and recover from incidents.
SEBI classifies REs into five categories based on size and market significance: Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs, and Self-Certified REs. This categorization ensures that cybersecurity requirements are appropriate for each entity’s operational complexity, with larger institutions like MIIs facing more rigorous controls due to the critical nature of their activities.
The framework centers around five Cyber Resilience Goals: Anticipate, Withstand, Contain, Recover, and Evolve. These goals guide REs in identifying potential threats, maintaining functionality during attacks, isolating incidents, restoring operations swiftly, and continuously adapting to new threats. SEBI mandates proactive measures, such as risk management frameworks, network segmentation, zero-trust architecture, automated incident containment, and disaster recovery plans, to achieve these goals.
CSCRF aligns with globally recognized standards such as ISO 27001, NIST, and CIS Controls, requiring REs to implement strong governance, identity management, data security, and incident response processes. A key aspect is the Zero Trust Model, which continuously verifies users and devices to prevent unauthorized access. The framework also mandates regular Vulnerability Assessment and Penetration Testing (VAPT) to identify and address weaknesses in REs’ systems.
Additionally, SEBI’s CSCRF takes a forward-looking approach by encouraging entities to prepare for Post-Quantum Cryptography (PQC). This future-proofing measure addresses potential threats from quantum computing, ensuring that encryption methods remain secure as technology advances.
In summary, SEBI’s CSCRF is a comprehensive and flexible cybersecurity framework that provides financial institutions with the tools and guidelines needed to protect their operations, data, and clients. It emphasizes continuous improvement, resilience, and preparedness, ensuring that India’s financial markets remain secure amid evolving cyber threats.
