Since 2015, the Securities and Exchange Board of India (SEBI) has developed robust cybersecurity frameworks for the Indian financial securities market. Thus far, SEBI has tailored its cybersecurity and resilience framework towards market intermediaries (MIs), such as stock brokers, depositories, mutual funds, and portfolio managers. However, recently (as of February 2024), SEBI has begun preparations for a new framework that would impose cybersecurity regulations on a broader swath of the Indian capital market. 

If your organization is active in the Indian financial sector, complying with SEBI is, or soon will be, a mandatory requirement. Failure to comply with SEBI’s cybersecurity framework can result in exorbitant fines and penalties. Organizations that have yet to implement third-party risk management (TPRM) strategies into their cybersecurity regimen should do so immediately to improve their cyber defense and comply with SEBI’s framework.

This article will detail the primary requirements listed throughout SEBI’s cybersecurity framework and match them to adjacent TPRM strategies. Financial institutions should use these strategies to elevate their security posture and achieve comprehensive compliance.  


Overview of SEBI and its charter

The Indian government created SEBI in April 1992, following the publication of the Securities and Exchange Board Act. Upon creation, SEBI replaced the Controller of Capital Issues, which had regulated the Indian securities market since 1947.

According to the official charter, SEBI is responsible for three main groups: the issuers of securities, investors, and market intermediaries. The primary objectives of SEBI include: 

  • Protecting investors: SEBI’s primary objective is to safeguard the interests of investors active in the Indian securities market. 
  • Regulating the securities market: SEBI develops industry-wide regulations and guidelines to govern market participants. 
  • Preventing insider trading: SEBI aims to prevent individuals from using non-public information to make investments.
  • Fostering fair practices: SEBI promotes safe market practices by enforcing a code of conduct across all its market participants. 
  • Prohibiting fraudulent activity: SEBI investigates fraudulent activity and enforces corrective measures on participants who breach the board’s code of conduct. 
  • Developing a secondary market: SEBI aims to grow the Indian capital market by introducing new market liquidity and efficiency enhancements.

In recent years, SEBI has focused on advancing cybersecurity and cyber resilience in the Indian financial securities market. This focus has spurred the development of the SEBI cybersecurity framework, which SEBI has already imposed on many market participants and is currently tailoring to regulate the cyber risk of other groups.

The SEBI cybersecurity and cyber resilience framework

SEBI created its cybersecurity framework to empower MIs to develop robust cybersecurity programs that protect the financial sector from cyber threats and severe data breaches. In many ways, the SEBI cybersecurity framework mirrors other popular regulatory frameworks, especially the NIST CSF. The main pillars of the SEBI framework include: 

  • Governance: The governance section of the SEBI framework requires MIs to develop a comprehensive cybersecurity structure, including a board-level committee and dedicated cybersecurity team. 
  • Risk management: The risk management section of the SEBI framework focuses on risk identification and mitigation. Under SEBI, MIs must conduct regular risk assessments and implement vigorous mitigation strategies. 
  • Incident response: The framework’s incident response section addresses how MIs respond to cyber attacks and other disruptions. Under SEBI, MIs must develop an incident response process and form a dedicated team of trained cyber responders. 
  • Business continuity: The business continuity section of the SEBI framework requires MIs to develop backup systems, disaster recovery procedures, and other strategies to protect daily operations and prepare for potential cybersecurity incidents.

Given that cybersecurity is a holistic endeavor, the principles included in SEBI’s framework extend across an MI’s first-party and third-party attack surfaces. To properly defend themselves against cyber attacks, MIs need to develop robust third-party risk management programs and proactively mitigate vendor risks across their third-party ecosystem.

TPRM and the SEBI cybersecurity framework 

In today’s technological landscape, third-party risks pose a significant threat to the financial sector. Businesses are more interconnected than ever, and the average MI relies on an extensive network of third-party vendors to complete essential daily operations. These vendors offer financial benefits and improve efficiency, but they also expose organizations to inherent cybersecurity and data protection risks.

TPRM is not only necessary for compliance but also a priority for MIs to protect their interests and operations. In general, all MIs should develop a TPRM program complete with the following strategies, each of which is covered in its own section below:

  • Due diligence
  • Risk tiering
  • Risk assessment
  • Continuous security monitoring

These critical TPRM strategies will help MIs improve their cyber resilience and comply with SEBI’s cybersecurity requirements. Designed by experienced cybersecurity personnel, UpGuard offers a solution with flexible TPRM features suited to SEBI compliance.

Due diligence

The best way financial institutions can secure their third-party environments and comply with SEBI is by preventing risky vendors from entering their digital supply chain in the first place. MIs should evaluate potential vendors during procurement and onboarding using due diligence. This powerful TPRM strategy leverages security ratings and questionnaires to assess the security posture of third-party service providers. 

With UpGuard Vendor Risk, financial institutions have access to vendor security ratings and automated workflows for security questionnaires. UpGuard users can comprehensively evaluate every vendor in their third-party ecosystem by pairing these powerful features: 

  • Security Ratings: UpGuard’s security ratings are a data-driven, objective, and dynamic measurement of an organization’s security posture. UpGuard collects billions of data points through trusted commercial, open-source, and proprietary methods. This data is then rated using a proprietary algorithm to produce a security rating out of 950.
  • Security Questionnaires: UpGuard’s automated security questionnaires allow financial institutions to gain deeper insights into a vendor’s security posture. Users can access UpGuard’s industry-leading questionnaire library or build custom questionnaires. Users can then quickly send these questionnaires to vendors in their network. 

MIs will achieve several of SEBI’s requirements by developing a comprehensive vendor due diligence process. Here’s how due diligence helps financial institutions with the SEBI framework’s main pillars: 

  • Governance: During procurement, risk personnel should communicate the inherent risks associated with vendor outsourcing to every level of an organization’s cybersecurity structure. On-the-ground personnel should complete due diligence and communicate results to the broader cybersecurity team and board as situations demand, which can be easily done with UpGuard’s report templates. 
  • Risk management: Vendor due diligence should inform an organization’s risk tiering, prioritization, and assessment cadence. An organization must identify high-risk vendors before these vendors gain access to internal systems and credentials. 
  • Incident response: Due diligence helps financial institutions holistically evaluate the security posture of their third-party ecosystems. Organizations should develop practical incident response procedures and educate personnel by identifying potential risks and their consequences.
  • Business continuity: Due diligence empowers organizations with practical data and evidence. This data and evidence should inform an institution’s business continuity and disaster recovery plans.

Comprehensive vendor due diligence empowers organizations to identify vendor risks proactively. Once an organization has determined the level of inherent risk a vendor presents, personnel should tier that vendor based on its overall risk severity.

Risk tiering

Vendor tiering involves categorizing vendors based on their level of threat criticality. An organization should classify vendor relationships into threat tiers ranging from low risk through medium and high risk to critical risk, depending on the business impact that service provider has on the organization.

Financial institutions may struggle to mitigate the risks of all third-party vendors immediately, especially if they have just started establishing their TPRM program. Risk tiering helps MIs with limited resources and staff prioritize mitigation and remediation efforts across their critical vendor relationships. By focusing on the most critical vendors first, MIs can avoid business interruptions caused by an unexpected incident involving a critical vendor.

Vendor tiering empowers MIs and other financial services organizations to distribute remediation efforts more efficiently. Risk personnel can temporarily set aside low-risk vendors and focus their risk management efforts on the vendors that present the greatest cybersecurity risk.

In UpGuard Vendor Risk, financial institutions can classify vendors into tiers based on the inherent risk they pose to their operations, filter vendors by tier, and customize notifications for a specific tier. If an organization supports an extensive network of third-party vendors, it can use the automated vendor classification feature to apply tiers and labels according to specific criteria.


Risk tiering relates to each central pillar of the SEBI framework in the following ways: 

  • Governance: Risk tiering allows all levels of an organization to know which vendors present the most severe cybersecurity risks. 
  • Risk management: Financial institutions develop effective risk management programs and calibrate processes to their specific risk profile by tiering their vendors. Otherwise, an organization’s risk management program would be fragmented and ineffective. 
  • Incident response: Critical vendors present the most significant incident response challenges. Organizations need to be aware of these relationships to streamline their procedures. 
  • Business continuity: Critical vendors present the most significant business continuity challenges. Organizations need to be aware of these relationships to streamline their procedures.

Financial institutions should tier vendors proactively at the onset of a new third-party relationship. The organization should also update a vendor’s tier as needed during the vendor’s lifecycle, such as if the party’s security posture changes and as personnel conduct periodic risk assessments.

Risk assessment

SEBI’s cybersecurity framework calls for extensive risk management procedures, and a robust risk assessment cadence helps MIs achieve SEBI compliance. Third-party risk assessments allow financial institutions to holistically evaluate the risks associated with a third-party relationship. Key reasons cybersecurity personnel perform vendor risk assessments include:

  • Risk identification: Vendor risk assessments help financial institutions identify security vulnerabilities, compliance issues, and other risks present in a vendor’s attack surface. Once identified, organizations and their service providers can take corrective action.
  • Security posture assessment: Through a combination of security ratings, questionnaires, and other tools, vendor risk assessments help organizations evaluate the security posture of vendors throughout the vendor lifecycle. An assessment highlights areas of concern or gaps in the vendor’s security measures.
  • Compliance evaluation: Vendor risk assessments assess whether third-party vendors meet industry compliance requirements (like SOC 2 and ISO 27001), cybersecurity frameworks (including SEBI), and data privacy laws (such as GDPR).
  • Risk mitigation: Risk assessments help MIs streamline their mitigation efforts by providing evidence that organizations can communicate to vendors regarding the need for enhanced security measures, new security controls, or particular certifications.
  • Business continuity: Vendor risk assessments help financial institutions ensure business continuity by developing evidence-based incident response and disaster recovery plans. 

Risk assessments are the foundation of several critical cybersecurity strategies and frameworks, yet manual risk assessments remain common in the finance sector. Manual assessments present a variety of challenges because they are time-consuming, error-prone, and difficult to track across extensive vendor networks. Migrating to an automated solution like UpGuard Vendor Risk empowers MIs to streamline their vendor risk assessment program, alleviating many of the hurdles financial organizations face with risk assessments.


Performing consistent vendor risk assessments enables MIs to comply with many conditions listed throughout the SEBI framework, especially when they pair this cadence with a TPRM solution that offers ongoing security monitoring.

Continuous security monitoring

MIs must work vigilantly to maintain continued SEBI compliance and oversight of their third-party ecosystem. Continuous security monitoring (CSM) allows organizations to track changes in a vendor’s security posture and identify new vulnerabilities throughout the vendor lifecycle. Continuous monitoring helps financial institutions comply with SEBI’s framework in each of the four pillars:

  • Governance: CSM gives critical stakeholders visibility over their organization’s security posture, helping foster a culture of proactive cybersecurity.
  • Risk management: Effective risk management programs are cyclical: automated CSM identifies risks, personnel mitigate those risks, and the organization deploys risk assessments to appraise vendor remediation efforts.
  • Incident response: CSM is typically a required strategy of most incident response programs. Organizations can use CSM to identify cybersecurity incidents quickly and streamline mitigation.
  • Business continuity: Implementing CSM helps organizations improve their disaster recovery times and their incident response and mitigation metrics.

CSM is a critical cybersecurity strategy that informs an organization’s first-party and third-party risk management processes. However, CSM can be difficult to maintain if it is performed in an as-needed or inconsistent manner with manual tooling. A comprehensive cybersecurity solution, like UpGuard Vendor Risk, can help.

UpGuard Vendor Risk automatically runs daily scans of the vendors within a user’s vendor portfolio. These scans help risk personnel identify the following security risks in real time:

  • Publicly accessible ports 
  • Susceptibility to adversary-in-the-middle attacks 
  • Poor email security 
  • Hijacked domains
  • Software vulnerabilities
  • Leaked user credentials
  • False domains generated by typosquatting
  • Changes in a vendor’s security posture

Implementing these strategies can be challenging, especially for MIs starting from scratch. The main challenges MIs face during TPRM implementation are cost, difficulty, and a lack of qualified personnel. These challenges shouldn’t stop an organization from pursuing TPRM, however.

Many of the challenges MIs face during implementation can be eliminated (or significantly reduced) through the use of a comprehensive TPRM solution like UpGuard Vendor Risk.

The #1 TPRM Solution in the World: UpGuard Vendor Risk

UpGuard empowers financial institutions to develop robust compliance and third-party risk management programs through its scalable pricing model, intuitive user interface, and complete cybersecurity offerings. 

In Winter 2024, UpGuard earned the title of #1 Third-Party & Supplier Risk Management Software from G2. G2 is the world’s most trusted peer-to-peer review site for SaaS software. For six consecutive quarters, the site has also named UpGuard a Market Leader in TPRM software across the Americas, APAC, and EMEA regions.


Market intermediaries and other organizations within the Indian financial sector can rely on UpGuard to help develop their comprehensive third-party risk management programs.
