Background

SEBI has issued new framework for adoption of cloud services (SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033) on 6th March 2023. The framework has defined nine security principles  which shall be reviewed and implemented by the regulated entities to ensure compliance. The framework shall highlight the risk and controls which the Regulated Entity (henceforth referred as REs) needs to implement and monitor before adopting the cloud computing. The guidelines also set out the regulatory and legal compliances.

Applicability

The framework is applicable to the following regulated entities:

• Stock exchanges
• Clearing corporations
• Depositories
• Stockbrokers
• Depository Participants through Depositories
• Asset Management Companies (AMCs)/ Mutual Funds (MFs)
• Qualified Registrars to an Issue and Share Transfer Agents
• KYC Registration Agencies (KRAs)

Transition Period

• The framework shall come into force with immediate effect for all new or proposed cloud onboarding assignments/ projects of the REs
• REs which are currently availing cloud services (as on date of issuance of this framework) shall ensure that, wherever applicable, all such arrangements are revised, and they (RE) shall be in compliance with this framework not later than 12 (twelve) months from the date of issuance of the framework.

Milestones

The REs which are currently availing cloud services, shall provide milestone-based updates as follows:

Principle of Cloud Framework

The cloud framework provides mandatory requirements to be fulfilled by the RE for adopting cloud computing to augment the business prospects through scalability, reduced operational cost, digital transformation, and reduced IT infrastructure complexity.

The cloud framework is a principle-based framework which has nine high-level principles. The framework highlights the risks associated with cloud adoption and recommends the necessary mandatory controls. The document also recommends baseline security measures required to be implemented (by RE and CSP), and RE may decide to add additional measures as per its business needs, technology risk assessment, risk appetite, compliance requirements in all the applicable circulars/ guidelines/ advisories issued by SEBI from time to time, etc. Following are the core principles.

• Governance, Risk & Compliance:
• Selection of Cloud Service Providers (CSP)
• Data Ownership & Localization
• Responsibility of the Regulated Entity
• Due Diligence by the Regulated Entity
• Security Controls
• Contractual & Regulatory Obligations
• BCP, Disaster Recovery & Cyber Resilience
• Vendor Lock-In & Concentration Risk Management

Suggested Considerations

Identify cloud service providers and nature of cloud operating model

• Review the cloud governance and security controls implemented to monitor the cloud security controls
• Assess and identify the gaps against the required mandatory security controls
• Document and communicate the roadmap for cloud security framework implementation

Gap Assessment 

• Review the scope and coverage of what would constitute cloud computing and security against the SEBI guidelines.
• Assess existing cloud risk governance (for regulated entities and inter entity) to identify gaps in direction, evaluation or monitoring of risk topics

Continuous implementation support and testing

• Continue to assess the scope of threat led vulnerability and penetration testing), which contributes to SEBI requirements
• Assess the services received from third party service providers to identify any that would an additional level of governance and oversight

References: This document is to be read in reference with the SEBI Circular:

https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html