Authorities and governments across the globe take measures and issue regulatory frameworks to protect the financial sector against the increasing threat landscape and make banks and other institutions resilient. The European Commission enacted the Digital Operational Resilience Act (DORA), while in Singapore, the Monetary Authority published an advisory for addressing technology and cyber risks.
The financial sector in India faces the same challenges as elsewhere; hence, the Securities and Exchange Board of India (SEBI) introduced the Framework for the Adoption of Cloud Services by SEBI Regulated Entities (REs) on March 6, 2023. The Framework is a crucial addition to SEBI’s existing guidelines on cloud computing, sets baseline standards for security and regulatory compliances, and is designed to help REs implement secure and compliant cloud adoption practices.
Purpose of the SEBI Framework
The primary purpose of this Framework is to highlight the key risks and mandatory control measures regulated entities need to implement before adopting cloud computing. The circular outlines nine principles and requirements for REs to consider when adopting cloud computing. The Framework was developed after consulting with market stakeholders, regulators, cloud service providers, government agencies, and SEBI Advisory Committees.
The REs falling under the SEBI framework requirements are the following:
- Stock Exchanges
- Clearing Corporations
- Asset Management Companies
- Qualified Registrars to an Issue and Share Transfer Agents
- Know Your Customer (KYC) Registration Agencies
REs currently availing cloud services should ensure that, wherever applicable, all such arrangements are revised, and they should comply with the Framework within 12 months and no later than March 6, 2024.
How to Achieve Compliance
The Framework is based on nine high-level principles and provides mandatory requirements that REs must fulfill to adopt cloud computing.
REs must implement an enterprise-wide governance and risk management strategy for cloud computing. Although REs must abide by established rules and regulations, they can choose their deployment based on business needs and a technology risk assessment. They must also select a cloud service provider (CSP) certified by the Ministry of Electronics and Information Technology (MEitY). It’s important to remember that REs, not CSPs, are solely responsible for all their cloud services, including data security, logs, compliance, and privacy.
Data ownership is an essential aspect of compliance. REs must fully control and possess all their data. Data must be processed and stored within India's jurisdiction, a principle that applies to both domestic and overseas companies. Similarly, the RE and SEBI are entitled to access any information anytime, and original data must be available in India for overseas investors.
Due diligence is also an essential principle of the Framework. REs must assess the implications, risks, and advantages of implementing cloud services, guided by residual risk and the criticality of data and services. Similarly, REs should select a CSP based on financial stability, security risk assessment, data ownership, confidentiality, data protection, adherence to existing norms and regulations, and the adequacy of security controls. Contracts with CSPs must be clear and enforceable, protect the RE’s interests, meet management needs, and adhere to regulatory controls.
It’s also essential that REs evaluate and ensure that their Business Continuity Plan (BCP) complies with the cloud framework and other guidelines issued by SEBI. They should assess cyber resilience processes, conduct periodic disaster recovery drills and create a contingency plan to effectively handle any disruption or shutdown of cloud services. REs should determine the risk of vendor lock-in and periodically evaluate existing agreements. To mitigate the risks, REs should consider cloud-neutral solutions and develop exit strategies with risk indicators, triggers, scenarios, migration options, etc.
Thales offers integrated solutions enabling your organization to address the Framework for the Adoption of Cloud Services, focusing on Security Control and Concentration Risk Management Principles. Download the one-pager compliance brief or the respective eBook SEBI Regulated Entities, to learn how Thales can help your business comply with the Framework."