Cyber Audit Under SEBI CSCRF: A Deep Dive for Regulated Entities

  • SEBI CSCRF

In India’s fast-growing digital-first financial ecosystem, cybersecurity is becoming an important cog in the wheel. The Securities and Exchange Board of India (SEBI), as a result, has taken a critical step by introducing the Cybersecurity and Cyber Resilience Framework (CSCRF). The comprehensive framework aims to strengthen the cyber posture of the Indian securities market.

A key component of this framework is the mandatory cyber audit, a structured evaluation process designed to ensure Regulated Entities (REs) comply with CSCRF provisions and develop cyber resilience.

This blog unpacks everything you need to know about the cyber audit under SEBI CSCRF, from scoping and frequency to audit guidelines and more.

What is a Cyber Audit as per SEBI CSCRF?

A Cyber Audit under the CSCRF is a formal process mandated to verify the compliance of Regulated Entities (REs) with the framework’s provisions. It is a critical checkpoint to ensure that the cybersecurity measures and cyber resilience capabilities implemented by REs align with the standards and guidelines set by SEBI.

The audit is expected to cover 100% of the RE’s critical systems and 25% of its non-critical systems, selected on a sample basis. Critical systems are identified and classified based on their sensitivity and criticality to business operations, services and data management.

This includes any system that, if compromised, would adversely impact core business operations such as:

  • Systems storing/transmitting regulatory data
  • Devices connected to critical systems
  • Internet-facing applications
  • Client-facing applications and
  • Ancillary systems used for accessing/communicating with critical systems

During the audit, the auditor verifies adherence to:

  • The timelines specified in the CSCRF
  • The implementation of all mandatory guidelines
  • Whether equivalent or higher controls have been implemented for non-mandatory guidelines
  • Whether industry best practices are followed in areas where no specific guidelines are mentioned

The audit process involves detailed assessment, identification of findings/observations, risk rating, Root Cause Analysis (RCA) and providing recommendations for corrective actions.

Who is Required to Conduct a Cyber Audit?

The CSCRF applies to a wide range of REs in the Indian securities market. The framework adopts a graded approach, classifying REs into five categories based on their span of operations and thresholds like number of clients, trade volume and assets under management:

  1. Market Infrastructure Institutions (MIIs)
  2. Qualified REs
  3. Mid-size REs
  4. Small-size REs
  5. Self-certification REs

Cyber audit is mandatory for all these categories, except for Self-certification REs.

Self-certification REs are only required to conduct a Vulnerability Assessment and Penetration Testing (VAPT) audit through CERT-In empanelled organisations and submit a self-certification for compliance with applicable CSCRF provisions.

What is the Frequency of Cyber Audits?

The required frequency depends on the category of the RE:

  • MIIs are required to undergo cyber audit at least twice in a year.
  • Qualified REs are required to undergo cyber audit at least twice in a year.
  • Mid-size REs providing Internet Based Trading (IBT) or Algo trading facilities are required to undergo audit at least twice in a year.
  • Small-size REs providing IBT or Algo trading facilities are required to undergo audit at least twice in a year.
  • All other REs (Mid-size and Small-size REs that do not provide IBT or Algo trading facilities) are required to undergo audit at least once in a year.
  • Self-certification REs are exempted from periodic audits.

Who Can Conduct the Cyber Audit?

A crucial requirement of the CSCRF is that audits must be conducted only by CERT-In empanelled IS auditing organisations. SEBI has also laid down specific Auditor Selection Norms:

  • Auditors must be CERT-In empanelled.
  • They should preferably have a minimum of 3 years of experience in IT audit of banking and financial services, especially in the securities market. Experience with relevant ISO frameworks is an added advantage.
  • Auditors must possess or have direct access to experienced resources with relevant industry certifications such as CISA, CISM, GSNA, or CISSP.
  • The auditing firm should follow ISMS/IT audit/governance frameworks aligned with leading industry practices like COBIT.
  • Auditors must be free of any conflict of interest that could compromise the fairness, objectivity, and independence of the audit. They should not have been engaged in any consulting work with the audited RE’s departments in the last two years.
  • The auditor must use only licensed tools for the audit.

A Non-Disclosure Agreement (NDA) is mandatory between the RE and the auditor. All data and the audit report must remain within the jurisdiction of India.

An auditing organisation can audit a specific RE for a maximum of three consecutive years, after which a cooling-off period of two years is required before they can audit the same entity again.

Reporting and Timelines

Upon completion of the audit, the final report, approved by the RE’s IT Committee or equivalent body, must be submitted to the respective reporting authority within a month of the audit’s completion. The reporting authority varies depending on the RE category (e.g., Stockbrokers/Depository Participants report to Stock Exchanges/Depositories, MIIs report to SEBI, IAs report to BASL, etc.).

A declaration from the Managing Director (MD) or Chief Executive Officer (CEO), or the Board member/Partners/Proprietor for entities without an MD/CEO, is required along with the audit report.

Crucially, the findings identified during the audit must be closed within three months of submitting the report. A graded approach based on the criticality of the observation should be followed for closure. Follow-on audits must be completed within six months of the initial audit’s completion to verify the closure of observations. Any observations still open after six months require approval from the IT Committee and must be closed before the next audit cycle begins.

How CyberNX Can Help with Your CSCRF Cyber Audit

As a CERT-In empanelled cybersecurity organisation, CyberNX is qualified to conduct the mandatory audits required by SEBI’s CSCRF. Engaging an experienced and certified firm like CyberNX can significantly assist REs in meeting their compliance obligations and strengthening their overall cybersecurity posture.

Here’s how CyberNX can support REs:

1. Conducting Comprehensive Cyber Audits

CyberNX can perform cyber audits covering 100% of critical systems and the required sample of non-critical systems, ensuring adherence to the detailed scope and methodology specified in the CSCRF.

2. Verifying Compliance with Standards and Guidelines

CyberNX verifies that the RE has implemented all applicable mandatory guidelines, equivalent or higher controls for non-mandatory guidelines, and industry best practices in areas where the CSCRF specifies no particular guideline.

3. Performing Mandatory VAPT

CyberNX can conduct the necessary VAPT audits, including external and internal infrastructure/ application testing, API security testing, mobile application VAPT, network segmentation testing, OS and DB assessment, and cloud VAPT, using only licensed tools. This directly addresses the CSCRF requirements and helps identify vulnerabilities that need remediation.

4. Risk Assessment and Management

Assist REs in conducting periodic risk assessments (including post-quantum risks) and developing robust cyber risk management frameworks as mandated by the CSCRF.

5. SOC Efficacy Assessment

Support REs in measuring and assessing the functional efficacy of their Security Operations Centre (SOC), whether it’s an internal SOC, a third-party managed SOC, or a Market SOC, using the quantifiable methods specified in the framework.

6. Incident Response and Recovery Testing

Conduct scenario-based cyber resilience testing drills to evaluate the adequacy and effectiveness of the RE’s response and recovery plans, including Business Continuity Plan (BCP) and Disaster Recovery (DR) capabilities.

7. Red Teaming Exercises

For MIIs and Qualified REs, CyberNX can execute mandated goal-based adversarial simulation red teaming exercises to identify weaknesses in cyber defences.

For a deeper insight, check out our detailed blog on Integrating Red Teaming into Your SEBI CSCRF Compliance Strategy. 

8. Threat Hunting and Compromise Assessment

Conduct periodic threat hunting and compromise assessments to proactively identify undetected threats in the network environment.

To know more, read our blog Proactive Threat Detection with Threat Hunting under SEBI CSCRF.

9. Detailed Reporting and Documentation

Provide comprehensive audit reports, VAPT reports, and other necessary documentation in the standardised formats required by SEBI.

10. Tracking and Verification of Findings Closure

Assist REs in tracking the closure of identified vulnerabilities and non-compliances and conduct follow-on audits to verify that remediation measures have been effectively implemented within the prescribed timelines.

11. Guidance on Implementing Controls

While the auditor’s role is verification, a CERT-In empanelled firm can, based on its expertise, provide insights into implementing the technical and operational controls outlined in the CSCRF guidelines, such as access controls, data security measures, patch management, SSDLC, API security and more.

12. Assessing Cyber Capability Index (CCI)

For MIIs, CyberNX can conduct the mandatory third-party assessment of their cyber resilience using the CCI. For Qualified REs, CyberNX can assist with the self-assessment process and verify the necessary evidence.

For a deeper insight, check out our detailed blog on Implementing and Automating the Cyber Capability Index (CCI) as per SEBI CSCRF.

By partnering with a qualified CERT-In empanelled organisation like CyberNX, REs can navigate the complexities of the CSCRF, meet their mandatory audit requirements effectively, and significantly enhance their cyber resilience against the evolving threat landscape.

Conclusion

The SEBI CSCRF marks a significant step towards strengthening the cybersecurity posture of the Indian securities market. The mandatory cyber audit is a vital mechanism within this framework to ensure compliance and hold REs accountable for protecting investor interests and market integrity.

REs across different categories must understand their specific audit obligations regarding frequency, scope, and reporting. Engaging with a CERT-In empanelled and experienced cybersecurity firm is not just a compliance necessity but a strategic decision to build and maintain robust defences in the face of persistent cyber threats.

The commitment to regular audits and proactive risk management, as outlined by the CSCRF, is essential for fostering a secure and resilient securities market ecosystem.

Need Help with SEBI CSCRF Cyber Audit? Contact our experts to ensure full compliance and enhance your cybersecurity posture.

Copyright © 2025 CyberNX | All Rights Reserved | Terms and Conditions | Privacy Policy