DISCLAIMER: The information provided in this blog post is for general informational purposes only and does not constitute legal or financial advice. Cockroach Labs and its authors do not assume any responsibility for actions taken based on the content herein. Readers are encouraged to seek independent legal and financial counsel tailored to their specific circumstances before making any decisions.
This post provides a general overview of the Cybersecurity and Cyber Resilience Framework (CSCRF), highlighting some key mandates within the framework and explaining how CockroachDB, a distributed SQL database, along with its advanced security features, can help your organization adhere to these requirements and improve your overall cybersecurity posture.
Technology has fundamentally transformed the securities market, making it significantly more efficient, accessible, and affordable. In today’s environment, as technology evolves more rapidly than ever, keeping IT infrastructure and data safe has become a major concern for the Securities and Exchange Board of India (SEBI) and its Regulated Entities (REs).
To better tackle current cybersecurity and resilience needs, while also making cybersecurity guidelines consistent for all REs, SEBI created the Cybersecurity and Cyber Resilience Framework (CSCRF), which helps organizations directly address cyber risks, threats, and incidents in the securities market.
Although SEBI itself hasn't been the target of a major, publicly disclosed cyberattack recently, the entities it regulates have faced significant cybersecurity challenges. Additionally, you may have noticed the following recent trends:
SEBI's Focus on Cybersecurity: Since 2015, SEBI has been consistently publishing cybersecurity guidelines and best practices for REs to bolster their cyber resilience. Through the Cybersecurity and Cyber Resilience Framework (CSCRF), it has been working to make sure market players are better protected against cyberattacks and can recover from them more quickly.
Vulnerabilities in the Securities Market: Think of it like a health check for your systems: catching weaknesses before attackers do. The securities market, with its high volume of financial transactions and sensitive data, continues to be a prime target for cybercriminals. Market intermediaries like stock exchanges, depositories, and clearing corporations need to be diligent in implementing robust cybersecurity measures.
Evolving Threats: Cyber threats are constantly evolving, with new attack vectors and techniques emerging. SEBI's focus on cybersecurity reflects the need for continuous adaptation and improvement in security practices.
Objectives of the Cybersecurity and Cyber Resilience Framework (CSCRF)
At its core, the Cybersecurity and Cyber Resilience Framework (CSCRF) aims to tackle emerging cyber risks, align with industry best practices, and reduce the toil associated with audits, all while helping REs maintain regulatory compliance. In addition, the CSCRF provides a ready-made game plan for external reporting.
Regulated Entities (REs) Classification
The CSCRF classifies the REs into five categories based on their operational scope and thresholds:
Market Infrastructure Institutions (MIIs)
Qualified REs
Mid-size REs
Small-size REs
Self-certification REs
Applicability
The CSCRF applies to a wide range of entities, including Alternative Investment Funds, Mutual Funds, Stock Brokers, Stock Exchanges, and Venture Capital Funds, as well as others operating in the securities market.
Structure of CSCRF
The CSCRF document is structured into four parts:
Part I: Objectives and Standards - Definitions, compliance matrix, audit report timelines, objectives, and standards.
Part II: Guidelines - Recommendations or mandatory instructions for implementing cybersecurity standards.
Part III: Compliance Formats - Standardized formats for reporting compliance.
Part IV: Annexures and References - Auditor guidelines, scenario-based cyber resilience testing, Cyber Capability Index (CCI), and guidelines for Security Operations Centre (SOC).
Cyber Resilience Goals and Security Controls
Knowing the CSCRF's layout is key, but it's just as crucial to see how its aims and advice turn into real cybersecurity targets and measures. The CSCRF isn't just theoretical; it provides clear, actionable steps. The following sections cover the main cyber resilience goals of the CSCRF and the security controls that help companies lower the risk of a cyber attack.
NOTE: Each of these goals can be further broken down into cybersecurity functions like Governance, Identify, Protect, Detect, Respond, and Recover. The overview below describes each goal at a high level without diving into the cybersecurity functions for each goal.
Anticipate: Expect the Unexpected
Stay vigilant for any cyber threats headed our way, and do what you can to stop them before they start.
Security Controls: Governance, Risk Assessment, Identification and Classification of Critical Systems
Withstand: Keep Calm and Keep Operating
Keep the business running smoothly and the system working, even when cyber attacks are happening.
Security Controls: Authentication, Access Controls, Network Segmentation, Full-disk Encryption (FDE)
Contain: Limit the Damage Quickly
Quickly stop incidents and minimize the blast radius of any breach.
Security Controls: Security Operations Centre (SOC), Intrusion Detection Systems (IDS), Endpoint Security
Recover: Get Back Up Faster
Get back to business as usual quickly after cyberattacks, ensuring data is safe and secure once more.
Security Controls: Incident Response Management Plan, Cyber Crisis Management Plan (CCMP), Regular Backups
Evolve: Always Stay Ahead
Keep your cyber defenses strong, check for weaknesses, and always look for better ways to protect against new threats.
Security Controls: Regular Security Audits, Continuous Risk Assessments, Cyber Capability Index (CCI), Red Teaming Exercises
In addition, the CSCRF lays out rules for classifying and storing data locally, securing APIs, running an effective Security Operations Center (SOC), and using a Software Bill of Materials (SBOM), all while stressing the need for good governance and managing risks in the supply chain.
For continuous security monitoring, every organization requires a Security Operations Center (SOC). Options include using a third-party SOC, building an in-house SOC, collaborating for a shared SOC, or utilizing a marketplace SOC.
Compliance and Audits
To comply with CSCRF regulations, REs must implement systems and procedures to ensure the following:
Market Infrastructure Institutions (MIIs) and Qualified REs must obtain ISO 27001 certification
Vulnerability Assessment and Penetration Testing (VAPT) must be conducted regularly
All cybersecurity incidents must be reported immediately via the dedicated SEBI portal
MIIs and Qualified REs must use the Cyber Capability Index (CCI) to periodically monitor and assess their cyber resilience
MIIs and Qualified REs must conduct red teaming exercises
REs must also conduct cyber audits in accordance with CSCRF timelines
Future-Proofing Cybersecurity
As the cybersecurity landscape evolves, so will the framework, ensuring it keeps pace with the needs of the securities market. The CSCRF isn't just dealing with today’s cybersecurity issues. It incorporates considerations for future threats like quantum computing by recommending ongoing risk evaluations and strong data security to prevent "harvest now, decrypt later" attacks.
For REs, the message is crystal clear: compliance today is the key to resilience tomorrow. For detailed guidelines, REs should refer to the CSCRF document available on SEBI's official website.
How CockroachDB Can Help Achieve CSCRF Compliance
CockroachDB, a distributed SQL database, can significantly help SEBI REs achieve compliance with CSCRF. Here are just a few of the key features that CockroachDB provides to give you and your customers confidence in your database.
High Availability
CockroachDB's architecture replicates your data across multiple nodes so that it is always available. This means that if a node fails, your system can keep running without downtime.
CSCRF Compliance Area: Data Resilience (Withstand & Recover)
Built-in Encryption (at rest & in transit)
CockroachDB protects sensitive data by encrypting it both at rest and in transit, which aligns with security standards, as described in our security overview.
CSCRF Compliance Area: Encryption and Security (Protect)
Audit Logging and Monitoring
CockroachDB provides audit logging and monitoring capabilities for tracking and reviewing database activity, so that unauthorized access and anomalous behaviour can be detected and dealt with quickly.
CSCRF Compliance Area: Compliance Auditing (Detect & Respond)
Fine-Grained Access Control
CockroachDB enables precise control over user access and permissions, strengthening the overall security posture, as described in our authentication and authorization documentation.
CSCRF Compliance Area: Identity Management, Authentication, Access Control (Protect)
Scalable and Distributed Architecture
A scalable, distributed architecture limits single points of failure and aids in effective containment during incidents, as described in our scalability overview.
CSCRF Compliance Area: Containment Strategies (Contain)
Check out our Trust Center to learn more about our security capabilities.
Act Now. Build Resilience. Stay Compliant.
Non-compliance with SEBI’s CSCRF isn’t just risky, it’s costly. From penalties to reputational fallout, the stakes are high. CockroachDB empowers REs to stay one step ahead with built-in security features, continuous availability, and a scalable, distributed architecture designed for resilience. Don’t wait for an incident to rethink your infrastructure.
Talk to an expert to learn more about how CockroachDB can future-proof your data. Operate with confidence, with CockroachDB at the core. Create a CockroachDB Cloud account today for $400 in free credits.