Topics In Demand
Notification
New

No notification found.

Submission on SEBI’s Draft Consolidated Cybersecurity and Cyber Resilience Framework
Submission on SEBI’s Draft Consolidated Cybersecurity and Cyber Resilience Framework

August 31, 2023

73

0

On August 9, 2023, we submitted our feedback to SEBI on the Consultation Paper on a Consolidated Cybersecurity and Cyber Resilience Framework released by them on July 4, 2023 (available here). The key points in our feedback are as follows:

  1. The definition of “critical assets” should be narrowed to systems in India that contain the most vital and sensitive data and software and applications that are integral to the essential services of the RE.
  2. The CSCRF may lay down the roles and responsibilities of Designated Officers and CISOs to clarify the differences between the two.
  3. The use of “concentration risk” needs to be reviewed. The main focus needs to be on “operational resilience risk” instead
  4. The CSCRF should recognise the use of third-party audit reports to validate the physical security controls adopted by CSPs.
  5. The incident reporting and log retention requirements in the SEBI Cloud Framework applicable to CSPs should be aligned with the CERT-IN Cyber Security Directions read with the FAQs on those Directions.
  6. The requirement for obtaining Indian Common Criteria Certification may be done away with, and the use of internationally recognised certification mechanisms may be permitted instead.
  7. The requirements for audits by CERT-IN empanelled auditors should be mandatory for only market infrastructure institutions, while other regulated entities should be permitted to have their audit done as per best practices from other accredited bodies.
  8. Instead of data residency requirements for cloud instances, SEBI should align with the similar obligation in the CERT-IN Cybersecurity Directions to produce data required for supervision and enforcement upon formal request.

Our detailed submission is attached for your reference. For more information, please write to varun@nasscom.in with a copy to policy@nasscom.in.  


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


Download Attachment

20230808-sebi-cscrf-nasscom-feedback.pdf

images
Varun Sen Bahl
Manager - Public Policy

Reach out to me for all things about data regulation, cybersecurity policy, and internet governance.

© Copyright nasscom. All Rights Reserved.