In a significant move to strengthen cybersecurity within India’s financial markets, the Securities and Exchange Board of India (SEBI) has rolled out a new cybersecurity framework, mandating that all SEBI-registered entities implement a Security Operations Center (SOC) by April 1, 2025. This framework, released on August 20, 2024, aims to bolster the cyber resilience of entities operating in the securities market, ensuring that they can effectively counter evolving cyber threats in an increasingly digitized world.
SEBI’s new cybersecurity framework is built around five core objectives: anticipate, withstand, contain, recover, and evolve. These goals are aligned with six critical functions: governance, identify, protect, detect, respond, and recover. Together, these pillars form the backbone of a robust cybersecurity strategy, helping entities not just to defend against cyber threats but also to adapt to the evolving landscape of cyber risks.
The introduction of the framework comes after SEBI’s earlier announcement on June 27, 2024, where it indicated that a new cyber-resilience framework would soon be unveiled. The framework includes detailed guidelines on compliance, scenario-based cyber resilience testing, and audit guidelines to ensure effective implementation.
At the heart of SEBI’s cybersecurity framework is the requirement for all SEBI-registered entities to establish a Security Operations Center (SOC). These SOCs can be operated by the entity itself, its group, or outsourced to a third party. The SOCs will provide continuous monitoring of security events, allowing for timely detection and response to any anomalies that may indicate a cyber threat.
SEBI has also recognized that not all entities possess the financial resources or technical expertise to set up an independent SOC. To address this, leading stock exchanges like the National Stock Exchange (NSE) and Bombay Stock Exchange (BSE) have been tasked with setting up Market Security Operations Centers (M-SOCs). These M-SOCs will offer cybersecurity services to smaller registered entities (REs) that may not be equipped to build their SOCs, ensuring they also benefit from a high level of cyber resilience.
The primary motivation behind SEBI’s latest cybersecurity framework is the growing reliance on technology in the securities market. While digital advancements have led to greater efficiency, access, and affordability, they have also introduced significant vulnerabilities, making the market’s IT infrastructure and data more susceptible to cyber threats. In recent years, cyberattacks on financial institutions have surged globally, prompting regulators to take decisive action.
SEBI has been proactive in this regard, issuing multiple cybersecurity guidelines since 2015. The latest framework seeks to harmonize existing regulations while establishing new standards for entities that were not previously covered. The ultimate goal is to ensure uniformity in the cybersecurity approach across all registered entities and build a comprehensive mechanism to address cyber risks, incidents, and threats.
The implementation of SEBI’s cybersecurity framework will occur in phases, with registered entities falling into two categories. Entities that already have existing cybersecurity and cyber-resilience guidelines will need to comply with the new framework by January 1, 2025. These include six categories of registered entities, such as stock exchanges, clearing corporations, and depositories.
For entities that are being brought under cybersecurity regulations for the first time, the framework must be fully implemented by April 1, 2025. This approach allows entities adequate time to adapt and comply with the new requirements, ensuring a smooth transition without disrupting market operations.
A key innovation in SEBI’s framework is the introduction of the Cyber Capability Index (CCI). This index will apply to Market Infrastructure Institutions (MIIs) and Qualified Registered Entities (REs) and is designed to help these entities monitor and assess their cyber resilience on an ongoing basis. The CCI will serve as a benchmark for cybersecurity maturity, providing insights into the effectiveness of an entity’s cyber defenses and highlighting areas that require improvement.
By using the CCI, entities will be able to track their progress and make informed decisions about their cybersecurity investments, ensuring that they remain ahead of emerging threats. The periodic assessment will also encourage entities to evolve their cybersecurity strategies and adapt to the ever-changing threat landscape.
SEBI’s latest cybersecurity framework represents a forward-thinking approach to safeguarding India’s financial markets. As cyber threats become more sophisticated, financial institutions must stay ahead by deploying advanced security measures, such as SOCs, to protect their infrastructure and customer data.
With the framework’s clear objectives, structured guidelines, and phased implementation, SEBI aims to create a secure digital environment for all market participants. The mandatory establishment of SOCs, combined with the introduction of M-SOCs for smaller entities, ensures that all participants, regardless of size, have access to the tools and expertise required to counter cyber risks effectively.
As the April 2025 deadline approaches, SEBI-registered entities will need to step up their efforts to comply with the framework’s guidelines. For those entities already operating in a highly regulated environment, the framework reinforces existing cybersecurity practices, while for others, it provides a roadmap to achieving cyber resilience.
SEBI’s commitment to building a safer, more secure securities market highlights the growing importance of cybersecurity in today’s digital economy. By fostering a culture of vigilance and resilience, SEBI is ensuring that India’s financial institutions are well-equipped to face the cyber challenges of tomorrow.