Summary on Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)
In March 2023, SEBI published a framework for adoption of cloud services by SEBI Regulated Entities (REs). This framework is loosely based on the US NIST CSF, and its scope applies to the following:
- Stock Exchanges
- Clearing Corporations
- Depositories
- Stock Brokers through Exchanges
- Depository Participants through Depositories
- Asset Management Companies (AMCs)/ Mutual Funds (MFs)
- Qualified Registrars to an Issue and Share Transfer Agents
- KYC Registration Agencies (KRAs)
This regulation applies to Public, Community & Hybrid* clouds. Private cloud would be considered an on-prem deployment and shall be governed by SEBI circulars on Cyber Security, BCP/DR, outsourcing, etc.
*Hybrid Cloud: A hybrid cloud is a combination of two or more out of public cloud, community cloud and private cloud.
I’m trying to summarize this article, which would help cloud-based SaaS companies engaging with SEBI or SEBI regulated entities to have a compliant cloud infrastructure.
There are 9 Principles for governance of the cloud framework, namely:
- Principle 1: Governance, Risk and Compliance Sub-Framework
- Principle 2: Selection of Cloud Service Providers
- Principle 3: Data Ownership and Data Localization
- Principle 4: Responsibility of the Regulated Entity
- Principle 5: Due Diligence by the Regulated Entity
- Principle 6: Security Controls
- Principle 7: Contractual and Regulatory Obligations
- Principle 8: BCP, Disaster Recovery & Cyber Resilience
- Principle 9: Vendor Lock-in and Concentration Risk Management
Summary
- The RE may opt for any model of deployment on the basis of its business needs and technology risk assessment, provided that all compliances are met.
- Outsourcing can be done, but the RE is solely accountable for all aspects related to the cloud services adopted.
- The cloud services shall be taken only from Ministry of Electronics and Information Technology (MeitY) empaneled CSPs.
- The CSP’s data center should hold a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
- In a multi-tenant architecture, data isolation & data segregation shall be ensured.
- Data shall be encrypted at all lifecycle stages, i.e. at rest, in motion & in use.
- RE shall retain complete ownership of all its data, encryption keys, logs, etc. residing in the cloud.
- RE shall have a SOC (Security Operations Center), which can be in-house, a third-party SOC or a managed SOC.
- RE shall ensure compliance with regulations at all times and shall have a detailed agreement with the CSP covering legal, security, roles & responsibilities, uptime, etc.
- RE shall periodically provide audit reports to SEBI, such as systems audit, cybersecurity audit and VAPT reports.
Principle 1: Governance, Risk and Compliance Sub-Framework
The RE shall have a Board/partners/proprietors approved governance model/strategy for cloud computing in place. The strategy shall cover the following:
1. Cloud Governance
- Which cloud service model & cloud services are to be used
- Measures to comply with legal regulations & security of stakeholders
2. Risk Management
- Periodic risk assessment covering identification of threat sources and events, identification of vulnerabilities and pre-disposing conditions, control analysis, magnitude of impact, etc.
- Have a dedicated person, such as a CISO, answerable for security
3. Compliance and Legal Aspects
- Compliance with applicable regulations/laws of SEBI/ Government of India / respective state government.
4. Roles & Responsibilities
- Role of the Board/Key Management Personnel (KMP): Review & approval of the governance plans & infosec policy
- Role of Senior Management: Periodic assessment of cloud policy, review of risk assessment, management of human resources, review of architecture, business continuity, recovery & uptime, capacity building & breach notification
- Role of IT team: Manage day-to-day operations
- Additional roles as required by the RE
5. Grievance redressal mechanism
- Responsibility and accountability for redressal of investors’/members’ grievances related to cloud-onboarded services shall rest with the RE
6. Monitoring and Control of Cloud Deployments
- Monitoring the performance, uptime & security
- Periodic VAPT & Risk Assessment
7. Country Risk
- Engagement with a CSP whose country of incorporation/registration is outside India exposes the RE to country risk
- RE shall closely monitor the CSP’s country’s government policies and its political, social, economic and legal conditions on a continuous basis, and establish sound procedures for mitigating the country risk, including exit strategies from the CSP
8. Contingency
- The RE shall ensure that availability of records to the RE and the supervising authority is not affected under any circumstances, even in case of liquidation of the CSP
Principle 2: Selection of Cloud Service Providers
The RE shall ensure that the following conditions are met while choosing any Cloud Service Provider (CSP):
- CSP shall have infrastructure which is either sourced from or is a MeitY empaneled CSP’s data center holding valid STQC (or any other equivalent agency appointed by Government of India) audit status
- CSP should have a proper logging mechanism, data backup & recovery, and support Disaster Recovery
Principle 3: Data Ownership and Data Localization
- RE shall retain full ownership of data, logs, keys, etc. stored in the cloud, and the CSP shall operate in a fiduciary capacity
- CSP shall provide full visibility to RE/SEBI/Govt. of India into infrastructure & compliance
- The data should reside/be processed within the legal boundaries of India.
- For the investors whose country of incorporation is outside India, the REs shall keep the original data/ transactions/ logs, available and easily accessible in legible and usable form, within the legal boundaries of India.
- RE is ultimately responsible for data security and compliance with SEBI/ GOI/State regulations
Principle 4: Responsibility of the Regulated Entity
- RE is solely accountable for all aspects related to the cloud services adopted by it including, but not limited to, availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring RE’s compliance with respect to the applicable laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government. Accordingly, the RE shall be held accountable for any violation of the same.
- There shall be no “joint/shared ownership” for any function/task/activity between the RE and CSP. If any function/task/activity has to be performed jointly by the RE and CSP, there shall be a clear delineation and fixing of responsibility for each sub-task/line-item within the task.
- An explicit and unambiguous delineation/demarcation of responsibilities shall also be done with respect to the MSP/SI
Principle 5: Due Diligence by the Regulated Entity of CSP
- Due diligence beforehand and on a periodic basis to ensure that the legal, regulatory and business objectives, etc. of the RE are not hampered.
- Financial soundness check
- Security risk assessment
- Data isolation & segregation
- Adherence to legal agreements
- Serve customer while maintaining confidentiality
- Background check for employees & personnel accessing facility
- Ability to comply with regulations & compliances
Principle 6: Security Controls
Pentesting & Monitoring
- Periodic VAPT & timely patching of the defined scope with a mutually agreed SLA in legal agreement
- Security Monitoring & timely notification to RE with details in line with SEBI/GOI guidelines
Process & Planning
- CSP shall have Incident Management Plan
- RE shall review CSP’s Key Management Plan including key management lifecycle
- Any anomaly from the above prescribed controls shall be notified to the RE
- In multitenancy, data isolation & data segregation shall be ensured
- Any access by other tenants or unauthorized access by the CSP shall be investigated and notified to the RE
- Investigative reports by CSP shall be shared with RE
- Agreement with CSP shall contain secure data deletion clause
- RE can ask CSP to have global compliances like SOC II
Infrastructure Security
- CSP shall have adequate controls like Anti-Virus, Encryption, Data Segregation, etc.
- Security controls such as IDS, IPS, Firewall, WAF, Anti-DDoS, etc. shall be in place, and additional controls such as IPsec VPN/SSL VPN shall be adopted by the CSP
Remote Access
- CSP shall use VPN for remote access to infrastructure
SDLC
- A Secure Software Development Life Cycle shall be followed by the CSP; along with it, zero trust principles, fine-grained access control mechanisms, API gateways, etc. shall be adopted for development and usage of APIs
Identity & Access Management
- CSP’s Identity & User Access Management
- Administrative privileges/users shall be tracked via a ticket, which shall be shared with the RE when requested
- Minimal administrative capabilities, granted for a pre-defined time period, for administrators & privileged users
- Mandatory MFA for administrators & privileged users
Encryption
- Encryption of data at rest, in motion & in use shall be ensured. Wherever data is being used or processed in the cloud, confidential computing solutions shall be implemented
- Wherever possible, a “Bring Your Own Key” (BYOK) & “Bring Your Own Encryption” (BYOE) approach shall be adopted by the RE
- If the RE is not controlling BYOK/BYOE, then the RE shall conduct a detailed risk assessment and implement appropriate risk mitigation measures to achieve functionality/security equivalent to the BYOK and BYOE approaches.
- A Hardware Security Module (HSM) shall be used wherever possible, in fault-tolerant mode.
Endpoint Security
- AV, DLP, Host IDS/IPS, EDR/CDR, Patch Management solution, etc. shall be configured on the cloud by the CSP, and additional controls can be demanded
Network Security
- RE can explore using Cloud Access Security Broker (CASB) / Secure Access Service Edge (SASE) / similar frameworks or tools
- Only essential communication channels shall be allowed and all other channels disabled, e.g. accessing the cloud only via a jump server or bastion host
Backup & Recovery
- RE shall ensure that a backup and recovery policy is in place to address the backup requirement of cloud deployments.
- BCP/DR plan shall be reviewed at least twice a year
- Backups shall be segregated from production/dev/UAT environment
- Backups shall have encryption & key management
Breach Notification
- CSP shall notify the RE of any cybersecurity incident, and the CSP shall provide all related forensic data, reports and event logs as required by RE/SEBI/CERT-In/any other government agency.
- The incident shall be dealt with as per the Security Incident Management Policy of the RE, along with the relevant guidelines/directions issued by SEBI/Government of India/respective state government
Principle 7: Contractual and Regulatory Obligations
- A clear and enforceable cloud service provider engagement agreement should be in place, with clauses on exit, VAPT, risk assessment, audits, compliance activities of the CSP’s infrastructure, control of the RE’s resources in the CSP’s infrastructure, audit rights and termination rights
- SEBI/CERT-In/any other government agency shall at any time be able to:
  - Conduct direct audits and inspection of resources of the CSP pertaining to the RE
  - Perform search and seizure of the CSP’s resources storing/processing data and other relevant resources (including but not limited to logs, user details, etc.) pertaining to the RE
  - Engage a forensic auditor to identify the root cause of any incident related to the RE
  - Seek the audit reports of the audits conducted by the CSP
- The RE’s data shall be readily accessible, continuous monitoring shall be in place, access management shall be enforced, RPO, RTO, service SLAs and uptime shall be included in the agreement, and a RACI shall be clearly defined
- In the event of any CSP deployed by an RE losing its empanelment status with MeitY or committing a passive breach of contract/agreement in any way, the RE shall ensure that it becomes compliant with this framework within 6 (six) months of being notified of/discovering the breach.
Principle 8: BCP, Disaster Recovery & Cyber Resilience
- RE shall assess its BCP/DR plan as well as the CSP’s
- BCP/DR drills shall be performed periodically
- RE shall develop contingency plans to cope with situations involving disruption / shutdown of cloud services
Principle 9: Vendor Lock-In and Concentration Risk Management
- Before entering into a contract with a CSP, the RE shall assess its exposure to CSP lock-in and concentration risks.
- In order to mitigate CSP concentration risks, the RE shall explore the option of cloud-ready and CSP-agnostic solutions
- Exit strategies shall be developed, which should consider the pertinent risk indicators, exit triggers, exit scenarios, possible migration options, etc.
- RE shall implement data portability and interoperability as part of the exit/transfer strategy
- SEBI may specify concentration limits on CSPs thereby setting a limit on the number of REs that a CSP may provide its services to
In my opinion, getting ISO 27001 (ISMS) & SOC II Type II should suffice for complying with not only this but most of the frameworks in Indian markets with regulations.