admissions@cyberlawacademy.com | +91-XXXXXXXXXX
Cyber Focus - Part 5 of 8

Cyber Security Framework for Market Intermediaries

Master SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) - SOC requirements, incident reporting obligations, business continuity planning, and compliance for market intermediaries.

90-120 minutes | 5 Sections | 10 Quiz Questions

5.1 SEBI Cyber Security Framework Overview

SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) mandates comprehensive cyber security measures for all market intermediaries, recognizing that cyber threats pose systemic risks to financial markets.

Regulatory Foundation

The framework has evolved through multiple SEBI circulars:

  • 2015 Circular: Initial cyber security framework for stock exchanges and depositories
  • 2018 Circular: Extended to all market intermediaries including brokers
  • 2022 Circular: Enhanced requirements - SOC, VAPT, incident response
  • 2024 Updates: Strengthened reporting and recovery time objectives

Applicability

Category               | Entities                                              | Framework Tier
Market Infrastructure  | Stock Exchanges, Clearing Corporations, Depositories  | Tier 1 (Highest)
Large Intermediaries   | Top brokers by volume, large MFs, custodians          | Tier 2
Medium Intermediaries  | Mid-size brokers, RTAs, Merchant Bankers              | Tier 3
Small Intermediaries   | Small brokers, Investment Advisers, RAs               | Tier 4

Graded Approach

SEBI follows a graded approach: requirements scale with entity size and systemic importance. Tier 1 entities face the most stringent requirements, while Tier 4 entities have proportionate compliance obligations.

5.2 Security Operations Center (SOC)

The SOC requirement is central to CSCRF. Market intermediaries must establish or outsource SOC capabilities for 24x7 security monitoring.

SOC Requirements

SOC Mandate
All Tier 1 and Tier 2 intermediaries must have dedicated SOC. Tier 3/4 may outsource to SEBI-empaneled managed SOC providers.

SOC Functions

  1. Continuous Monitoring: 24x7 monitoring of all network traffic and systems
  2. Threat Detection: Real-time detection of security events and anomalies
  3. Incident Response: First responder for security incidents
  4. Log Analysis: Centralized log management and correlation
  5. Vulnerability Management: Track and remediate vulnerabilities

Technical Controls

Control | Requirement                               | Tier Applicability
SIEM    | Security Information and Event Management | Tier 1-3
EDR     | Endpoint Detection and Response           | Tier 1-2
WAF     | Web Application Firewall                  | All Tiers
DLP     | Data Loss Prevention                      | Tier 1-2
MFA     | Multi-Factor Authentication               | All Tiers

Compliance Advisory

When advising intermediaries on SOC compliance, assess: (1) in-house capability vs. outsourcing economics, (2) selection of a SEBI-empaneled SOC provider, (3) SLA terms for an outsourced SOC, ensuring that the provider's detection, escalation and RTO/RPO commitments align with SEBI requirements. Outsourcing the SOC does not transfer the compliance obligation: the intermediary remains accountable to SEBI for monitoring and reporting.

5.3 Incident Reporting to SEBI

Timely incident reporting is mandatory. Failure to report or delayed reporting attracts penalties and regulatory scrutiny.

Reportable Incidents

  • Data Breach: Unauthorized access to client/transaction data
  • System Compromise: Malware infection, ransomware attack
  • Service Disruption: DDoS attacks affecting trading systems
  • Unauthorized Trading: Fraudulent orders through compromised systems
  • Website Defacement: Unauthorized modification of public-facing systems

Reporting Timelines

Report Type          | Timeline                          | Recipient
Initial Report       | Within 6 hours of detection       | SEBI + CERT-In
Detailed Report      | Within 48 hours                   | SEBI
Root Cause Analysis  | Within 14 days                    | SEBI
Quarterly Summary    | Within 15 days of quarter end     | SEBI

Critical Timeline

The 6-hour initial reporting window begins from DETECTION, not from containment or completion of the investigation. Record the detection timestamp in the incident ticket, since it fixes the deadline. Report immediately with the information available; details can follow in the subsequent reports.

Report Contents

Incident Report Format
Reports must include: (1) Nature and type of incident, (2) Systems affected, (3) Data compromised, (4) Client impact assessment, (5) Containment measures, (6) Recovery timeline, (7) Preventive measures planned.

5.4 Business Continuity Requirements

Business Continuity Planning (BCP) and Disaster Recovery (DR) are mandatory components of CSCRF, ensuring market stability during cyber incidents.

BCP Components

  1. Business Impact Analysis: Identify critical processes and acceptable downtime
  2. Risk Assessment: Evaluate cyber threat scenarios
  3. Recovery Strategy: Define RTO/RPO for each system
  4. DR Site: Geographically separated disaster recovery facility
  5. Testing: Regular BCP/DR drills and exercises

Recovery Time Objectives

Entity Type               | Critical Systems RTO  | DR Site Requirement
Stock Exchanges           | 4 hours               | Synchronous replication, 100km+ distance
Clearing Corporations     | 4 hours               | Synchronous replication, 100km+ distance
Depositories              | 4 hours               | Near-synchronous, same day recovery
Large Brokers (Tier 2)    | Same trading day      | Asynchronous acceptable
Other Intermediaries      | Next trading day      | Periodic backup sufficient

DR Testing

SEBI mandates annual DR drills for Tier 1-2 entities. Document drill results, gaps identified, and remediation plans. Incomplete or failed drills must be reported to SEBI with corrective action timelines.

Cyber Insurance

While not mandatory, SEBI recommends cyber insurance covering:

  • First-party losses: Business interruption, data recovery costs
  • Third-party claims: Client claims for data breach
  • Regulatory costs: Investigation and penalty costs
  • Crisis management: PR, forensics, legal costs

5.5 Audit and Compliance Requirements

Regular audits and assessments validate CSCRF compliance. Both internal and external audits are mandated.

VAPT Requirements

Vulnerability Assessment & Penetration Testing
VAPT must be conducted by CERT-In empaneled auditors. Frequency: quarterly for internet-facing systems; annually for internal systems. Findings must be remediated and the fixes verified by re-testing; the remediation record forms part of the audit trail SEBI may inspect.

Audit Framework

Audit Type            | Frequency         | Auditor Requirement
VAPT                  | Quarterly/Annual  | CERT-In empaneled
Cyber Security Audit  | Annual            | CERT-In empaneled
SOC Audit             | Annual            | Qualified IS Auditor
Internal Audit        | Half-yearly       | Internal or external
DR Drill              | Annual minimum    | Internal with external verification

Board Oversight

  • Board-level IT Committee: Mandatory for Tier 1-2 entities
  • CISO Appointment: Chief Information Security Officer designation required
  • Board Reporting: Quarterly cyber security status to board
  • Policy Approval: Board must approve cyber security policy annually

Compliance Documentation

Maintain comprehensive documentation: (1) CSCRF compliance matrix, (2) Audit reports and remediation tracking, (3) Incident reports and RCA, (4) BCP/DR test results, (5) Training records. SEBI may call for records during inspection.

Key Takeaways

  • Tiered framework: Requirements scale based on entity size and systemic importance
  • SOC mandatory: Tier 1-2 need dedicated SOC; Tier 3-4 can outsource
  • 6-hour reporting: Initial incident report within 6 hours of detection
  • 4-hour RTO: Critical systems for exchanges and clearing corporations
  • CERT-In empaneled: VAPT and cyber audits must use CERT-In empaneled auditors
  • Board oversight: IT Committee, CISO appointment, quarterly reporting mandatory

Part 5 Assessment

Test Your Understanding

10 questions on SEBI Cyber Security Framework, SOC, and incident reporting
