
A Boutique Governance, Risk, and Technology Consulting Firm
Digitization | Analytics | Risk  | GRC | SOX | ISO | SOC | Forensic Audit | Privacy Law

Understanding Cyber Resilience: The Five Core Goals

Introduction

In today’s digital landscape, cyber resilience is about more than just preventing attacks – it’s about ensuring that organizations can effectively recover and adapt after incidents. SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) introduces five key goals to ensure that regulated entities can navigate the complexities of modern cyber threats.

Anticipate

SEBI Requirements:

  • Continuous monitoring using Security Information and Event Management (SIEM) tools is mandatory for MIIs and QREs. Smaller entities can rely on Market SOCs for threat intelligence and monitoring.
  • Regular risk assessments and vulnerability scans for all levels, with MIIs required to perform them more frequently.
  • Collaboration with external cybersecurity bodies and use of threat intelligence feeds to stay ahead of emerging risks, especially for MIIs and QREs.

Example:

  • A Stock Exchange (MII) deploys an AI-based threat detection system to monitor unusual activities across trading platforms, enabling it to detect potential threats in real time before they cause significant harm.
  • Small brokers can leverage the Market SOCs established by NSE and BSE to access threat intelligence and early-warning systems.

Withstand

SEBI Requirements:

  • Entities like MIIs and QREs must implement network segmentation to isolate critical systems and ensure continuity during an attack.
  • Data encryption and multi-factor authentication (MFA) for sensitive systems and accounts are mandatory for MIIs and larger REs.
  • Regular penetration testing and red teaming exercises (simulated cyber attacks) are a critical requirement for MIIs, while QREs must conduct VAPT (Vulnerability Assessment & Penetration Testing) at least once a year.

Example:

A Mutual Fund Company (QRE) ensures that its online trading platforms continue to operate even during a cyberattack by using network segmentation to isolate critical trading systems. The firm also implements MFA to ensure that only authorised personnel can access sensitive areas during the attack.

Contain

SEBI Requirements:

  • Entities must have incident response plans to isolate affected systems immediately and prevent the attack from spreading.
  • For MIIs, dedicated cybersecurity response teams must be in place to contain incidents quickly.
  • Smaller entities can rely on Market SOCs to provide swift incident response capabilities and containment strategies.

Example:

  • A Depository (MII) experiences an attempted breach of its document management system. The organization's cybersecurity response team quickly isolates the affected servers, preventing the breach from spreading to the trading and settlement systems.
  • For smaller portfolio managers, the Market SOCs can handle the containment process, reducing the response time.

Recover

SEBI Requirements:

  • MIIs and QREs must maintain detailed disaster recovery plans with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to minimize downtime.
  • Regular disaster recovery drills should be conducted, with MIIs required to perform these exercises more frequently.
  • Smaller entities, including Small REs, are encouraged to leverage Market SOCs to support their recovery operations if in-house recovery capabilities are limited.

Example:

  • After a ransomware attack, a Clearing Corporation (MII) executes its disaster recovery plan, declares the incident a ‘Disaster’ based on the business impact analysis, and restores its trading platforms within the RTO of 2 hours. The maximum RPO permitted is 15 minutes for all Registered Entities.
  • Similarly, a Small Brokerage Firm with limited internal resources relies on the Market SOC for immediate recovery support, ensuring minimal operational disruption.

Evolve

SEBI Requirements:

  • MIIs and QREs must regularly review their cybersecurity policies and procedures, integrating lessons learned from past incidents and updated threat intelligence.
  • Cyber Capability Index (CCI) assessments are required for MIIs and QREs to measure cybersecurity maturity and ensure continuous improvement.
  • Smaller entities are encouraged to update their security frameworks and benefit from shared intelligence provided by Market SOCs to evolve their defenses.

Example:

  • A Stock Exchange (MII) reviews its cyber defenses after a phishing attack, updating its employee training program and implementing additional email filtering technologies to protect against similar threats in the future.
  • Portfolio Managers (say Small REs), after participating in shared Market SOC briefings, incorporate these learnings to strengthen their cybersecurity postures despite limited in-house resources.

Concluding Thoughts

It is clear from the above that IT controls play a significant role in providing comfort on the underlying IT infrastructure and in allowing reliance to be placed on the integrity, processing and accuracy of the processes and the reports they generate. The next interesting question for auditors is: how does one audit these controls, and how can one ensure that the risks are under control? We will explore this in our next article.

Author

The author, CA Narasimhan Elangovan, is a practising CA and a partner at KEN & Co. He is a GRC professional, a digital transformation catalyst and an author. He believes in the power of technology to solve everyday problems. He can be reached at narasimhan@ken-co.in
