India CSCRF SEBI Cybersecurity Compliance

Cybersecurity and Cyber Resilience Framework (CSCRF) by SEBI

On August 20th, 2024, the Securities and Exchange Board of India (SEBI) released the Cybersecurity and Cyber Resilience Framework (CSCRF) to SEBI-regulated entities (REs) to enhance the current cybersecurity measures in the Indian securities market and strengthen the mechanism for dealing with cyber risks or threats.

The CSCRF aims to provide standards and guidelines for strengthening cyber resilience and maintaining robust cybersecurity of SEBI REs. The CSCRF framework shall supersede existing SEBI cybersecurity circulars/ guidelines/ advisories/ letters.

Approach and Structure

The CSCRF is standards-based and broadly covers the five cyber resiliency goals adopted from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In): Anticipate, Withstand, Contain, Recover, and Evolve. These cyber resiliency goals have been linked with the following cybersecurity functions: Governance, Identify, Protect, Detect, Respond, and Recover.

The CSCRF is structured into four parts:

Part I: Objectives and Standards
Part II: Guidelines
Part III: Structured formats for compliance
Part IV: Annexures and References

Scope

The framework shall apply to the following REs and also further sub classifies the REs into different categories based on their operational scale, number of clients, trade volume, and assets under management, and provides for specific compliance requirements for each category.

Timeline for implementing CSCRF

For REs where cybersecurity and cyber resilience circular already exists – by January 01, 2025.
For other REs where CSCRF is being issued for the first time – by April 01, 2025.

Compliance brief

Cybersecurity and Cyber Resilience Framework (CSCRF)

Explore solutions for CSCRF compliance by addressing cybersecurity function guidelines of Governance, Identity and Protect in the framework.

Get the Compliance Brief

Cybersecurity and Cyber Resilience Framework (CSCRF)

How Thales Helps with CSCRF compliance

Thales can help REs comply with CSCRF by addressing cybersecurity function guidelines of Governance, Identity and Protect in the framework.

We provide solutions in three key areas of cybersecurity: Application Security, Data Security, and Identity & Access Management.

CSCRF Compliance Solutions

Application Security

Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP).

Data Security

Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.

Identity & Access Management

Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.

Address CSCRF Standard Code and Guidelines

GV.PO - 1.3.ii. Policy | S1, S2, S5

SafeNet Authentication Service Private Cloud Edition (PCE) is a cost-effective, easy-to-use on-premises authentication platform that offers over 200 pre-tested configurations, supports third-party solutions, and offers diverse token types.

CipherTrust Data Discovery & Classification (DDC) identifies and classifies data across various data stores, enhancing data privacy and security by managing assets across on-premises, hybrid, cloud, and multi-cloud environments.

Imperva Data Security Fabric Data Activity Monitoring (DAM) enables REs to identify risks related to critical data by continuously monitoring data store activity, providing detailed audit trails.

ID.AM - 2.1.ii. Asset Management | S1, S4

Imperva Data Security Fabric Data Activity Monitoring (DAM) streamlines auditing across various platforms, including relational, NoSQL, mainframe, big data, and data warehouses, and supports Microsoft Azure and AWS, capturing detailed data activity automatically.

ID.RA - 2.2.ii. Risk Assessment | S1, S2

Thales Luna HSMs and High-speed Encryptors provide a crypto-agile approach to ensure PQC readiness for REs.

Fortify your encryption keys with Quantum-safe Thales Luna HSM which is commercially available with NIST quantum-resistant finalist algorithms added.
- Quantum-Resistant Algorithms (QRA) with PQC FM with Hash Based Signing (SP800-208)
- Integrated/ Custom-made PQC: Implement your own Post- Quantum Crypto using Luna’s Functionality Module (FM) or with various Partner FMs/integrations
- QRNG: Inject quantum entropy with QRNG and Luna HSM’s secure key storage
Thales High Speed Encryption (HSE) network encryption solutions offer secure data in transit, supporting Post-Quantum Cryptography (PQC) with a crypto-agile, FPGA-based architecture, providing long-term protection against quantum attacks and encrypting everywhere.

PQC starter kit enables REs to safely test quantum-safe solutions in a trusted environment, partnering with Quantinuum to set up a Luna HSM for PQC-ready keys.

ID.RA - 2.2.ii. Risk Assessment | S4

Imperva Web Application Firewall (WAF) offers comprehensive security for web applications, detecting and preventing cyber threats. It blocks attacks in real-time and updates rules daily.

Imperva Data Security Fabric Data Risk Analytics monitors data access and activity, providing visibility for all users. It uses deep domain security expertise and machine learning to identify suspicious behaviors.

SafeNet Authentication Service Private Cloud Edition (PCE) allows organizations to limit access to confidential resources and supports third-party solutions via SAML, RADIUS, Agents, or APIs.

PR.AA - 3.1.ii. Identity Management, Authentication, and Access Control | S1, S2, S3, S7, S9

Imperva Web Application Firewall (WAF) offers comprehensive web application security, detecting and preventing cyber threats like cross-site scripting and illegal resource access. It blocks attacks in real time, with daily updates from the threat research team.

Imperva API Security provides full API visibility, automatically discovering endpoints and assessing risks. It classifies sensitive APIs using call data, enabling proactive security measures. Continuous monitoring promotes faster, secure software releases, available as an add-on or part of API Security Anywhere offering.

CipherTrust Transparent Encryption offers continuous file-level encryption, centralized key management, and privileged user access control, ensuring unauthorized access in physical, virtual, and cloud environments, ensuring seamless implementation.

CipherTrust Enterprise Key Management enhances key management in cloud and enterprise environments, providing high security and centralization for home-grown encryption and third-party applications using FIPS 140-2-compliant virtual or hardware appliances.

SafeNet Authentication Service Private Cloud Edition (PCE) provides centralized, secure access to enterprise applications through various authentication methods like OTP, PKI credentials, Kerberos, and various form factors.

PR.AA - 3.1.ii. Identity Management, Authentication, and Access Control | S10, S11, S12

Thales OneWelcome Identity and Access Management Solutions offer comprehensive security measures and reporting capabilities for organizations, utilizing multi-factor authentication devices for multiple applications.

Thales OneWelcome Consent & Preference Management module allows financial institutions to gather consumer consent, manage data access, and manage B2B delegation based on user roles and responsibilities.

PR.AA - 3.1.ii. Identity Management, Authentication, and Access Control | S13, S14

CipherTrust Manager simplifies key lifecycle management, including activities such as generation, backup and restore, deactivation, and deletion. Its key destruction phases allow organizations to achieve digital shredding of data.

PR.AA - 3.1.ii. Identity Management, Authentication, and Access Control | S16, S17

Imperva API Security provides security teams with comprehensive API visibility, enabling faster, more secure software release cycles and preventing resource-intensive workflows, thereby ensuring they stay updated with new risks.

PR.DS – 3.3.ii. Data Security | S1, S2, S3

Data-at-rest

Thales offers multiple solutions for data at rest that can coexist with native encryption provided by Cloud Service Provider (CSP).

CipherTrust Transparent Encryption offers continuous file-level encryption to protect against unauthorized access in physical, virtual, and cloud environments. It uses strong, standard-based protocols like AES and ECC, and is FIPS 140-2 Level 1 validated.
CipherTrust Tokenization provides tokenization, dynamic data masking for data anonymization and deidentification in the cloud.
CipherTrust Application Data Protection provides format preserving or traditional encryption to applications using RESTful APIs. All of the above solutions can be used to provide protection for data at rest in the cloud.
CipherTrust Manager is the central management point for the CipherTrust Data Security Platform. It manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role based access control to keys and policies, supports robust auditing and reporting, and offers developer-friendly REST API.

Data-in-transit

Thales High Speed Network Encryption (HSE) solutions secure data in motion as it moves across the network between data centers and headquarters, branch and satellite offices, to backup and disaster recovery sites, on premises and in the cloud.

CipherTrust Data Discovery and Classification (DDC) simplifies the process of identifying and classifying sensitive data across various data stores, thereby reducing security risks and enabling better decision-making for cloud transformation and remediation.

Imperva API Security provides comprehensive API visibility for security teams by automatically detecting endpoints and determining risks around sensitive data. It enhances protection against OWASP API Security Top 10 Risks for REs, allowing developers to build microservices and APIs across different environments.

Annexure-G: Application Authentication Security

CipherTrust Secrets Management (CSM) automates access to secrets across DevOps tools and cloud workloads, powered by Akeyless Vault, and integrates with third-party applications like GitHub and Kubernetes.

Annexure-I: Data Transport Security

Thales High Speed Encryptors (HSE) offer network-independent, data-in-motion encryption, protecting data, video, voice, and metadata from eavesdropping, surveillance, and interception. Available as physical and virtual appliances, they support a wide network speed range.

Annexure-J: Framework for Adoption of Cloud Services | Principle 6: Security Controls

Framework for Adoption of Cloud Services

CipherTrust Data Security Platform provides secure cloud storage for REs, utilizing advanced encryption and centralized key management, ensuring data mobility across multiple cloud vendors.

CipherTrust Cloud Key Manager (CCKM) supports Bring Your Own Key (BYOK) use cases across multiple cloud infrastructures and SaaS applications. It provides robust safeguards for enterprise data, enabling compliance and control over encryption key life cycles.

CipherTrust Transparent Encryption provides transparent encryption and access control for data residing in Amazon S3, Azure Files and more.

CipherTrust Tokenization tokenizes the data before it is migrated to the cloud in the obfuscated form to protect the data from any breach.

Thales Luna Hardware Security Modules (HSM) provide organizations with dedicated hardware for crypto key control, offering a tamper-resistant environment for secure cryptographic processing, key generation, and encryption.