SEBI Issues New ‘Cybersecurity and Cyber Resilience Framework’ for Regulated Entities

Circular No. SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2024/113; Dated: 20.08.2024

SEBI has issued a new ‘Cybersecurity and Cyber Resilience framework’ for Regulated Entities (REs). The framework is broadly based on two approaches: cybersecurity and cyber resilience. The cybersecurity approach covers various aspects, from governance measures to operational controls, and the cyber resilience goals include anticipating, withstanding, containing, recovering, and evolving. This framework will supersede the previous cybersecurity circulars and guidelines for SEBI-regulated entities.

As per the new framework, REs must establish, communicate and enforce cybersecurity risk management roles, responsibilities, and authorities to foster accountability and continuous improvement. REs must identify and classify critical systems based on their sensitivity and criticality for business operations, services and data management. The Board/Partners/Proprietor of RE must approve the list of critical systems.

Further, REs must design and implement network segmentation techniques to restrict access to sensitive information, hosts and services. REs must establish appropriate security mechanisms through the Security Operations Centre (SOC) to continuously monitor security events and detect anomalous activities in a timely manner.

All REs must formulate and maintain an up-to-date Cyber Crisis Management Plan (CCMP). In the event of an incident, Root Cause Analysis (RCA) must be conducted to identify the causes leading to the incident. Also, adaptive and evolving controls to tackle identified vulnerabilities and reduce attack surfaces must be incorporated into the RE’s cybersecurity and cyber resilience strategy.

Click Here To Read The Full Circular