Cyberattacks on financial institutions are on the rise, putting the interests of investors at risk.
The capital markets regulator SEBI has therefore recently issued a consultation paper on a Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for the entities it regulates.
First and foremost, the paper proposes that cybersecurity incidents be classified into four categories: low severity, medium severity, high severity and critical severity.
Any incident that results in disruption, stoppage or variance in the normal functions or operations of the entity's systems, thereby impacting its normal service delivery and functioning, must be classified as a high or critical incident.
For all incidents classified as high or critical, the intermediary has to submit a forensic audit/investigation report.
Based on the severity of the incident, the intermediary needs to submit a report to the regulator. If the severity is low or medium, the maximum duration for submission of the report is 75 days; if the severity is high or critical, the maximum duration for submission of the report is 60 days.
The consultation paper underscores that certain cybersecurity events must be reported to the regulator; failure to do so may attract a financial disincentive or regulatory action by SEBI, as it deems fit depending on the nature of the incident.
Cybersecurity events that must be reported:
A. Targeted scanning of critical network systems.
B. Compromise of critical systems.
C. Unauthorised access of IT systems/ data.
D. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, link to external websites etc.
E. Malicious code attacks such as the spreading of viruses/ worms/ Trojans/ bots/ spyware/ ransomware/ crypto miners.
F. Attack on servers such as database, mail, DNS and network devices such as routers.
G. Identity theft, spoofing and phishing attacks.
Incidents that do not need to be reported include:
A. Instances of phishing/vishing at customer’s end.
B. Security alerts/ events that do not materialise into an incident.
C. DoS/DDoS attacks not lasting beyond 30 minutes contiguously, or not impacting customer service even if they last beyond 30 minutes.
D. Vulnerabilities observed by, or brought to the notice of, the regulated entity that represent neither an attempt nor a successful incident.
E. Connectivity issues.