SEBI Cybersecurity Regulations for securing financial sector from digital dangers
Today, the financial industry is one of the most targeted sectors for cyberattacks, given its high connectivity within the digital ecosystem. In the wake of an uptick in ransomware, phishing, data breaches and sophisticated threats, the Securities and Exchange Board of India (SEBI) has risen to the occasion by building a robust cybersecurity framework.
This blog explains SEBI’s role in improving cybersecurity for India’s financial sector. Let’s dive in.
Cybersecurity Journey: A Timeline of Key Initiatives
- 2015: SEBI formulated a Cyber Security and Resilience Framework for Market Infrastructure Institutions (MIIs), which include stock exchanges, clearing corporations, and depositories.
- 2017: Expanded guidelines to include mutual funds and portfolio managers.
- 2018: Compulsory cybersecurity audits and breach disclosure within 6 hours of detection.
- 2022: Developed guidelines for Application Programming Interfaces (APIs) to cope with fintech risks.
- 2023–2024: Advanced its cybersecurity framework by adopting Zero Trust Architecture (ZTA) components and global best practices, such as NIST and ISO 27001.
Key Highlights of Cybersecurity Framework
- Cybersecurity Governance and Risk Management
According to the act, participants must put in place a governance structure to address cybersecurity, including the appointment of a Chief Information Security Officer (CISO) and the setting up of an Information Security Committee.
Board-Level Oversight: Cyber risks are no longer an ad hoc topic but a routine item discussed at board level, ensuring deep top-level oversight and, with it, responsibility.
Risk Registers: Organizations are obliged to maintain and extend risk registers containing potential cyber risks and their corresponding mitigation measures.
- Incident Reporting and Response
SEBI’s guidelines require fast incident reporting. Market entities must:
Submit cybersecurity incidents to SEBI and CERT-In within 6 hours.
Perform deep post-incident analyses to determine the root cause and build better controls.
- Regular Audits and Testing
SEBI mandates annual IT security audits by certified external auditors. Vulnerability Assessment and Penetration Testing (VAPT) should be conducted twice a year.
Red Teaming Exercises simulate real-world attack scenarios and test the resilience of systems.
- Third-Party Risk Management
In 2023, rules became more stringent for third-party vendors, making sure that they meet cybersecurity standards. This entails strong contractual provisions, periodic audits, and the ability to terminate when the terms of the contract are not met.
- Focus on Data Protection
In view of the growing dependence on cloud services, SEBI has issued guidelines on:
Data Encryption Standards: Data at rest and in transit must be protected with TLS 1.3 and AES-256 encryption.
- Cloud Security Assessments
These ensure that market participants who use the cloud conduct periodic security audits and secure their systems.
Tools and Technologies Empowering SEBI’s Cybersecurity Framework
- SIEM (Security Information and Event Management) Solutions
SEBI is promoting the use of SIEM tools such as Splunk, IBM QRadar, and ArcSight by market participants to monitor and analyze security events in real time.
- Threat Intelligence Platforms
By integrating platforms such as Recorded Future and Anomali, SEBI monitors global and regional cyber-attack patterns and helps respond proactively to emerging threats.
- PenTest Tools
Network Security Scanner: Tenable Nessus
Vulnerability Assessment: Qualys
Proxy: Burp Suite is a recognised tool.
- Advanced Authentication Mechanisms
Multi-factor authentication (MFA), biometrics, and tokenization are a must for market intermediaries to protect logins to trading platforms.
- Artificial Intelligence (AI) in Threat Detection
AI-based tools are used to detect abnormalities in trading patterns, insider activities and phishing attacks. Anomaly detection models, for example, can pinpoint a departure from normal user behavior.
- Blockchain for Security
The use of blockchain is being investigated to provide secure and unalterable transactions in securities trading. It provides an additional layer of trust and transparency.
Recent Cybersecurity Challenges and SEBI’s Interventions
- API Vulnerabilities in Fintech
With the rapid rise of trading apps, unsecured APIs have become a major concern. A fintech platform suffered a data breach in June 2023 as a result of an exposed API endpoint. SEBI reacted by imposing stricter security requirements for APIs, such as encryption, rate limiting and penetration tests.
- Ransomware Attacks
The October 2023 ransomware attack against a major stockbroker crippled trading for 3 days. SEBI’s prompt action encompassed working with CERT-In and requiring all the brokers to:
- Insider Threats
SEBI has identified insider threats as a growing risk. In response, it has required behavioral analytics tools and regular staff checks for some special roles.
Global Collaboration: Learning from Best Practices
SEBI’s framework matches international best practice, which helps keep India’s markets competitive and safe.
- ISO 27001 Compliance: A mandatory requirement for stock exchanges and MIIs.
- NIST Cybersecurity Framework: NIST elements including Identify, Protect, Detect, Respond and Recover are incorporated into SEBI policies.
- International Intel Sharing:
Collaboration with counterparts such as the Financial Stability Board (FSB) and IOSCO (International Organization of Securities Commissions) helps SEBI to be prepared against new threats.
Next Steps in Cybersecurity in the Indian Economic Domain
SEBI continues to evolve its Act. Here’s what lies ahead:
- Zero Trust Architecture (ZTA):
ZTA assumes a complete lack of trust for any user, device, or network until it can be validated. SEBI plans to promote ZTA adoption among market participants.
- Quantum-Resistant Encryption:
With the advent of quantum computing, SEBI is considering quantum-resistant cryptographic protocols.
- Cyber Insurance Adoption:
SEBI is encouraging entities to invest in cyber insurance, which limits the financial consequences of a possible cyber breach.
- Strengthening Cloud Security:
As the use of cloud services has been increasing, SEBI is prepared to publish a full set of guidelines for secure cloud setups.
Thank You all for Reading. Hope you liked it!
Written By: Urvi Chheda