SEBI introduces Framework for Adoption of Cloud Services by Regulated Entities
Blog | Advisory | Company Law
By Taxmann
Last Updated on 25 April, 2024
Table of Contents
1. Background
2. Objective
3. What is Cloud Computing?
4. Applicability of Cloud Framework
5. Scope of Cloud Computing
6. What is the Transition Period for Regulated Entities?
7. Principles to be followed by REs
8. Conclusion
SEBI vide circular no. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033, dated March 6, 2023 has introduced a cloud framework that sets baseline standards for security and regulatory compliances. The main objective of the framework for adoption of cloud services by SEBI regulated entities (REs) is to identify and address the critical risks associated with cloud computing and to establish mandatory control measures that REs must implement before adopting cloud services.
1. Background
Cloud computing is becoming increasingly popular for delivering IT services, thanks to its scalability, ease of deployment, and lower maintenance costs. However, it also introduces new cyber security risks and challenges that businesses need to be aware of.
To help regulated entities (REs) navigate these risks, SEBI vide circular no. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033, dated March 6, 2023 has introduced a cloud framework that sets baseline standards for security and regulatory compliances. This framework is a crucial addition to SEBI’s existing guidelines on cloud computing and is designed to help REs implement secure and compliant cloud adoption practices.
2. Objective
The main objective of the framework for adoption of cloud services by SEBI regulated entities (REs) is to identify and address the critical risks associated with cloud computing and to establish mandatory control measures that REs must implement before adopting cloud services.
By following the guidelines outlined in the framework, REs can establish a robust risk management approach for cloud adoption, which includes assessing risks, implementing appropriate controls, monitoring compliance, and ensuring regulatory compliance.
3. What is Cloud Computing?
Cloud computing refers to the delivery of computing services over the internet or a network of remote dedicated servers. These services include storing, managing, and processing data, as well as running applications and other software.
The National Institute of Standards and Technology (NIST) defines “cloud computing” as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
4. Applicability of Cloud Framework
The framework shall be applicable to the following REs:
- Stock Exchanges
- Clearing Corporations
- Depositories
- Stock Brokers through Exchanges
- Depository Participants through Depositories
- Asset Management Companies (AMCs) / Mutual Funds (MFs)
- Qualified Registrars to an Issue and Share Transfer Agents
- KYC Registration Agencies (KRAs)
The framework shall come into force with immediate effect for all new or proposed cloud on-boarding assignments/projects of the REs.
5. Scope of Cloud Computing
As per NIST, cloud computing has four deployment models, viz. public cloud, community cloud, private cloud and hybrid cloud.
5.1 Private Cloud
The cloud infrastructure is provisioned for exclusive use by a single organization with multiple consumers, such as different business units. It may be owned, managed, and operated by the organization itself, a third party, or some combination of them, and may be located on or off-premises.
5.2 Community Cloud
In the community cloud model, the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns, such as mission, security requirements, policy, and compliance considerations.
5.3 Public Cloud
Public cloud is a cloud infrastructure that is available for use by the general public and is owned, managed, and operated by organizations such as businesses, governments, or academic institutions. The public cloud is hosted on the premises of the cloud provider.
5.4 Hybrid Cloud
A combination of two or more distinct cloud infrastructures (private, community, or public) that are bound together by standardized or proprietary technology, allowing for data and application portability.
6. What is the Transition Period for Regulated Entities?
The transition period for Regulated Entities is as follows:
- For REs which are not currently utilizing any cloud services, the framework shall be applicable/come into force from the date of issuance.
- For REs currently utilizing cloud services, SEBI has allowed a grace period of up to 12 months to comply with the framework, during which such REs shall provide regular milestone-based updates to demonstrate their progress towards full compliance, as follows:
| S. No. | Timeline | Milestone |
|---|---|---|
| 1 | Within one (1) month of issuance of framework | REs shall provide details of the cloud services, if any, currently deployed by them. |
| 2 | Within three (3) months of issuance of framework | REs shall submit a roadmap (including details of major activities, timelines, etc.) for the implementation of the framework. |
| 3 | From three (3) to twelve (12) months of issuance of framework | Quarterly progress report as per the roadmap submitted by the RE. |
| 4 | After twelve (12) months of issuance of framework | Compliance with respect to the framework to be reported regularly. |
7. Principles to be followed by REs
The cloud framework is a principle-based framework which covers Governance, Risk and Compliance (GRC), selection of Cloud Service Providers (CSPs), data ownership and data localization, due diligence by REs, security controls, legal and regulatory obligations, Disaster Recovery (DR) & Business Continuity Planning (BCP), and vendor lock-in risk.
These principles serve as general guidelines that set the standards REs must comply with while adopting cloud services. The principles are stated below:
7.1 Governance, Risk and Compliance Sub-Framework (GRC)
The REs must establish an effective GRC sub-framework for cloud computing to formulate a cloud strategy suitable for their circumstances/needs. This includes having a governance model/strategy approved by their Board, comprehensive risk management approach, compliance with legal/regulatory requirements, and a grievance redressal mechanism. Roles and responsibilities must be assigned for smooth functioning.
7.2 Selection of Cloud Service Providers
When selecting a Cloud Service Provider (CSP), a regulated entity (RE) must ensure that all data storage and processing related to the RE is conducted within the data centres of CSPs empanelled by MeitY with valid audit status. For PaaS[1] and SaaS[2] services, the RE must choose CSPs that utilize the infrastructure/platform of MeitY-empanelled CSPs.
7.3 Data Ownership and Data Localization
The RE shall retain complete ownership of all its data, logs, encryption keys, and other related information stored in the cloud. The CSP shall work only in a fiduciary capacity, and the RE, SEBI and any other authorized government authority shall always have the right to access any or all of the data at any given point of time.
Further, to ensure that the RE and SEBI’s right to access the data is not affected by the adoption of cloud services, the storage and processing of data should be done according to specific conditions.
7.4 Responsibility of the Regulated Entity
Clear and unambiguous responsibilities must be established for all activities related to the cloud services provided by the CSP to the RE. These responsibilities should encompass technical, managerial, and governance-related tasks. Joint or shared ownership of any function, task, or activity between the RE and CSP is strictly prohibited.
7.5 Due Diligence by the Regulated Entity
The RE must conduct due diligence on CSPs beforehand and on a periodic basis to ensure that the legal, regulatory and business objectives, etc. of the RE are not hampered. The due diligence should be risk-based, depending on the criticality of the data, services, and operations planned to be onboarded on the cloud.
7.6 Security Controls
The RE must assess CSPs to ensure that adequate security controls are in place. This includes verifying that the CSP has a vulnerability management process to mitigate vulnerabilities in all components of the services that the CSP is responsible for (i.e. managed by the CSP).
7.7 Contractual and Regulatory Obligations
A clear and enforceable cloud service provider engagement agreement must be in place to protect the RE’s interests, risk management needs, and ability to comply with supervisory expectations. The agreement must include provisions for audit, and information access rights for the RE and SEBI for the purpose of performing due diligence and carrying out supervisory reviews.
7.8 BCP, Disaster Recovery & Cyber Resilience
The RE must assess its BCP framework to ensure compliance with the cloud framework as well as other guidelines/circulars issued by SEBI. The RE must also assess the CSP’s capabilities, preparedness and readiness with respect to cyber resilience. This can be periodically assessed by conducting DR drills (in accordance with circulars/guidelines issued by SEBI) involving the necessary stakeholders.
Furthermore, RE must develop a viable and effective contingency plan to cope with situations involving a disruption or shutdown of cloud services.
7.9 Vendor Lock-In and Concentration Risk Management
Before entering into a contract with a cloud service provider (CSP), regulated entities (REs) must assess their exposure to CSP lock-in and concentration risks. This assessment should also be repeated periodically. To mitigate CSP concentration risks, REs should explore cloud-ready and CSP-agnostic solutions that enable them to migrate as and when necessary with minimal changes.
8. Conclusion
The framework will enable REs to improve their overall IT resilience and reduce cybersecurity risks, while ensuring regulatory compliance. By adhering to the guidelines outlined in the framework, REs can minimize the risks associated with cloud adoption and make informed decisions about implementing cloud services.
With the SEBI cloud framework, REs in the securities market can confidently embrace the benefits of cloud computing while maintaining a secure and compliant IT infrastructure.
[1] Platform as a service (PaaS) is a cloud computing model where a third-party provider delivers hardware and software tools to users over the internet.
[2] Software as a service (SaaS) is a way of delivering applications remotely over the internet instead of locally on machines (known as “on-premise” software). SaaS applications are also known as web-based or on-demand software.