2023-07-04

Under the proposed framework, which will follow a graded approach, some guidelines will apply to all regulated entities (REs), some to select REs and some to market infrastructure institutions (MIIs).

Regulated entities (REs) such as brokers may be held solely accountable for the cyber-security and compliance risks posed by their third-party vendors, under a new framework proposed by the Securities and Exchange Board of India (Sebi).

The market regulator has released a consultation paper aimed at improving the cybersecurity and cyber resilience of market intermediaries, market infrastructure institutions and other regulated entities.


The paper outlines a consolidated cybersecurity and cyber resilience framework (CSCRF) built around five functions: identify, protect, detect, respond and recover. Ensuring the cyber resilience and compliance of third-party vendors falls under the Identify function.


Under the Identify function, REs will also need to identify their critical systems, formulate a comprehensive cybersecurity and cyber resilience policy, and carry out scenario-based testing to assess risk, among other things.

Under the Protect function, REs will be required to implement network segmentation to restrict access to sensitive information, hosts and services; undergo a periodic audit by a CERT-In empanelled auditor covering implementation of, and compliance with, the standards set out in the new framework; and carry out vulnerability assessment and penetration testing (VAPT) of their IT environment, among other things.

Under the Detect function, REs will need to establish security mechanisms through a Security Operations Centre (SOC) for continuous monitoring of security events and timely detection of anomalous activity. MIIs will additionally need to conduct red-teaming exercises, among other things. Red teaming involves simulating a cyber attack to assess an entity's security posture.


Under the Respond function, all REs will need to maintain a Cyber Crisis Management Plan (CCMP) and investigate alerts raised by their detection systems to establish root cause, among other things.

Under the Recover function, REs will need to maintain a well-documented response and recovery plan for cyber incidents and to inform all related stakeholders of the actions taken during recovery, among other things.