SEBI introduces Framework for Adoption of Cloud Services by Regulated Entities

Table of Contents

1. Background

2.  Objective

3.  What is Cloud Computing?

4.  Applicability of cloud framework

5.  Scope of the Cloud computing

6. What is the Transition Period for Regulated Entities?

7.  Principles to be followed by REs

8.  Conclusion

SEBI vide circular no. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033, dated March 6, 2023 has introduced a cloud framework that sets baseline standards for security and regulatory compliances. The main objective of the framework for adoption of cloud services by SEBI regulated entities (REs) is to identify and address the critical risks associated with cloud computing and to establish mandatory control measures that REs must implement before adopting cloud services.

1. Background

Cloud computing is becoming increasingly popular for delivering IT services, thanks to its scalability, ease of deployment, and lower maintenance costs. However, it also introduces new cyber security risks and challenges that businesses need to be aware of.

To help regulated entities (REs) navigate these risks, SEBI vide circular no. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033, dated March 6, 2023 has introduced a cloud framework that sets baseline standards for security and regulatory compliances. This framework is a crucial addition to SEBI’s existing guidelines on cloud computing and is designed to help REs implement secure and compliant cloud adoption practices.

2. Objective

The main objective of the framework for adoption of cloud services by SEBI regulated entities (REs) is to identify and address the critical risks associated with cloud computing and to establish mandatory control measures that REs must implement before adopting cloud services.

By following the guidelines outlined in the framework, REs can establish a robust risk management approach for cloud adoption, which includes assessing risks, implementing appropriate controls, monitoring compliance, and ensuring regulatory compliance.

3. What is Cloud Computing?

Cloud computing refers to the delivery of computing services over the internet or a network of remote dedicated servers. These services include storing, managing, and processing data, as well as running applications and other software.

The National Institute of Standards and Technology (NIST) defines “cloud computing” as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

4. Applicability of Cloud Framework

The framework shall be applicable to the following REs:

• StockExchanges
• ClearingCorporations
• Depositories
• Stock Brokers through Exchanges
• Depository Participants throughDepositories
• Asset Management Companies (AMCs)/ Mutual Funds(MFs)
• Qualified Registrars to an Issue and Share TransferAgents
• KYC Registration Agencies(KRAs)

The framework shall come into force with immediate effect for all new or proposed cloud on-boarding assignments/projects of the REs.

5. Scope of Cloud Computing

As per NIST, cloud computing has four types of deployment models viz public cloud, community cloud, private cloud and hybrid cloud.

5.1 Private Cloud

The cloud infrastructure for a single organization can be owned, managed, and operated by the organization itself or a third party, and can be located on or off- premises. It is exclusively used by a single organization with multiple consumers, such as different business units.

5.2 Community Cloud

Community cloud model is the model in which the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns, such as mission, security requirements, policy, and compliance considerations.

5.3 Public Cloud

Public cloud is a cloud infrastructure that is available for use by the general public and is owned, managed, and operated by organizations such as businesses, governments, or academic institutions. The public cloud is hosted on the premises of the cloud provider.

5.4 Hybrid Cloud

A combination of two or more distinct cloud infrastructures (private, community, or public) that are bound together by standardized or proprietary technology, allowing for data and application portability.

6. What is the Transition Period for Regulated Entities?

The transition Period for Regulated Entities is as follows:

• For the REs which are not utilizing any cloud services currently, the framework shall be applicable/come into force from the date of issuance
• For REs currently utilizing cloud services, SEBI has allowed a grace period of up to 12 months to comply with the framework, during which they must provide milestone-based updates to demonstrate their progress towards full compliance. Additionally, such REs shall provide regular milestone-based updates as follows:

7. Principles to be followed by REs

The cloud framework is a principle-based framework which covers Governance, Risk and Compliance (GRC), selection of Cloud Service Providers (CSPs), data ownership and data localization, due- diligence by REs, security controls, legal and regulatory obligations, Disaster Recover (DR) & Business Continuity Planning (BCP), and vendor lock-in risk.

These principles serve as general guidelines to set the standards for REs to comply with while adopting cloud services. The principles are stated as below –

7.1 Governance, Risk and Compliance Sub-Framework (GRC)

The REs must establish an effective GRC sub-framework for cloud computing to formulate a cloud strategy suitable for their circumstances/needs. This includes having a governance model/strategy approved by their Board, comprehensive risk management approach, compliance with legal/regulatory requirements, and a grievance redressal mechanism. Roles and responsibilities must be assigned for smooth functioning.

7.2 Selection of Cloud Service Providers

When selecting a Cloud Service Provider (CSP), a regulatory entity (RE) must ensure that all data storage and processing related to the RE is conducted within the data centres of CSPs empanelled by MeitY with valid audit status. For PaaS¹ and SaaS² services, the RE must choose CSPs that utilize the infrastructure/platform of MeitY empanelled CSPs.

7.3 Data Ownership and Data Localization

The RE shall retain the complete ownership of all its data and logs, encryption keys, and other related information that is stored in the cloud. The CSP shall only work in a fiduciary capacity and the RE, SEBI and any other authorized government authorized shall always have the right to access any or all of the data at any given point of time.

Further, to ensure that the RE and SEBI’s right to access the data is not affected by the adoption of cloud services, the storage and processing of data should be done according to specific conditions.

7.4 Responsibility of the Regulated Entity

Clear and unambiguous responsibilities must be established for all activities related to the cloud services provided by the CSP to the RE. These responsibilities should encompass technical, managerial, and governance-related tasks. Joint or shared ownership of any function, task, or activity between the RE and CSP is strictly prohibited.

7.5 Due Diligence by the Regulated Entity

The RE must conduct due diligence on CSPs beforehand and on a periodic basis to ensure that legal, regulatory, business objectives, etc. of the RE are not hampered. The due diligence should be risk-based depending on the criticality of the data, services, and operations planned to be on boarded on cloud.

7.6 Security Controls

RE must perform the assessment of CSPs to ensure that adequate security controls are in place. This includes verifying that CSP has a vulnerability management process in place to mitigate vulnerabilities in all components of the services that the CSP is responsible for (i.e. managed by the CSP).

7.7 Contractual and Regulatory Obligations

A clear and enforceable cloud service provider engagement agreement must be in place to protect the RE’s interests, risk management needs, and ability to comply with supervisory expectations. The agreement must include provisions for audit, and information access rights for the RE and SEBI for the purpose of performing due diligence and carrying out supervisory reviews.

7.8 BCP, Disaster Recovery & Cyber Resilience

The RE must assess its BCP framework to ensure compliance with the cloud framework as well as other guidelines/circulars issued by SEBI. RE must also assess the CSP’s capabilities, preparedness and readiness with respect to cyber resilience. This can be periodically assessed by conducting DR drills (in accordance with circulars/guidelines issued by SEBI) by involving necessary stakeholders.

Furthermore, RE must develop a viable and effective contingency plan to cope with situations involving a disruption or shutdown of cloud services.

7.9 Vendor Lock-In and Concentration Risk Management

Before entering into a contract with a cloud service provider (CSP), regulated entities (RE) must assess their exposure to CSP lock-in and concentration risks. This assessment should also be done periodically. To mitigate CSP concentration risks, REs should explore cloud-ready and CSP-agnostic solutions that enable them to migrate solutions as and when necessary with minimal changes.

8. Conclusion

The framework will enable REs to improve their overall IT resilience and reduce cybersecurity risks, while ensuring regulatory compliance. By adhering to the guidelines outlined in the framework, REs can minimize the risks associated with cloud adoption and make informed decisions about implementing cloud services.

With the SEBI cloud framework, REs in the securities market can confidently embrace the benefits of cloud computing while maintaining a secure and compliant IT infrastructure.

1. Platform as a service (PaaS) is a cloud computing model where a third-party provider delivers hardware and software tools to users over the internet.
2. Software as a service (SaaS) is a way of delivering applications remotely over the internet instead of locally on machines (known as “on-premise” software). SaaS applications are also known as Web-based software. On-demand software.