SEBI Introduces Guidelines on Cloud Framework – 2023

SEBI, through circular no. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 dated March 6, 2023, has introduced a framework for cloud adoption by entities regulated by SEBI, which are known as Regulated Entities or REs.

Regulated Entities or REs must adhere to the SEBI guidelines on establishing a cloud framework with baseline standards for security and regulatory compliance.

The guidelines identify the critical risks associated with cloud computing and mandate the control measures REs must implement before adopting cloud services.

By complying with the framework’s recommendations, REs may create a robust risk management strategy for cloud adoption that prioritizes risk assessment and the implementation of appropriate controls to monitor & ensure regulatory compliance.

The circular’s main objective is to identify the crucial risks and necessary control measures that REs must implement before adopting cloud computing technology.


The prescribed cloud framework also outlines the regulatory and legal requirements that REs must comply with upon adopting cloud-based computational solutions. The framework is set to be effective immediately for any new or proposed cloud onboarding assignments or projects of the REs.

Nine Principles of the Cloud Framework

Among the main objectives of SEBI’s cloud framework is the de-risking of cloud adoption by creating the basis for necessary access and data controls.

Since cloud computing is an emerging field, creating a framework to mitigate technological and compliance risks is the first step in boosting widespread cloud adoption.

SEBI’s cloud framework guidelines are formulated as nine high-level principles –

    • Principle 1: Governance, Risk and Compliance Sub-Framework
    • Principle 2: Selection of Cloud Service Providers
    • Principle 3: Data Ownership and Data Localization
    • Principle 4: Responsibility of the Regulated Entity
    • Principle 5: Due Diligence by the Regulated Entity
    • Principle 6: Security Controls
    • Principle 7: Contractual and Regulatory Obligations
    • Principle 8: BCP, Disaster Recovery & Cyber Resilience
    • Principle 9: Vendor Lock-in and Concentration Risk Management

REs including stockbrokers, mutual fund companies, stock exchanges, asset management companies & KRAs are required to comply with these principles with immediate effect.

REs currently using a cloud framework must ensure that they’re compliant with these rules within 12 months of the release of the circular.

Cloud Compliance Checklists for Registered Intermediaries 

We’ve condensed the SEBI guidelines for the cloud framework into a checklist, to help REs streamline compliance and ensure that they pick the right CSP (cloud service provider) for their needs.

The checklist is divided broadly into the following components –

  • Cloud security policy framework
  • Key management
  • Identity & access management
  • Log management
  • Data security

Data Security Checklist 

Data At Rest
  • Data encrypted on server side & client side?
  • System hardening in place?
  • Procedures to manage patches & system-level vulnerabilities?

Data In Transit
  • Firewalls for marketplace networks & web applications?
  • Procedures to manage certificates & network layer vulnerabilities?
  • DOS/DDOS protection?
  • TLS/SSL for app traffic?
  • On-prem VPN for cloud connectivity?

Application Security
  • Source code review?
  • Web application testing?


Log Management Checklist 

  • Log analysis for system, user activity, DNS & network traffic logs?
  • Logs retained & archived?
  • Systems for log monitoring & alerts?


Key Management Checklist

  • On-premise key management system?
  • Key management services in place?
  • Dedicated hardware security module in place?


Identity & Access Management Checklist 

  • Multifactor authentication present?
  • Access rights review?
  • Rotating credentials & password policy?
  • Role-based temporary credentials?
  • Programmatic access for individual users?


Cloud Security Policy Checklist 

  • BCP/DR frameworks & testing procedures in place?
  • Cloud operational procedures & internal audits?
  • Security certifications for CSPs present?
  • Security control baseline & incident management procedures in place?


SignDesk offers globally compliant document automation services, with data access & controls adhering to 15+ international certifications including HIPAA, GDPR, GLBA, FERPA, CCPA & ISO for cloud security.

To learn more about how our cloud architecture enables hassle-free eSignatures, eStamping, KYC & contract management for REs, get in touch with our team of solutions experts.

Cloud Framework Principles Explained 

The RE may choose any deployment approach depending on its business requirements and its evaluation of the risk posed by the technology. Adherence to this cloud framework and to all other applicable laws, regulations and circulars issued by SEBI, the Government of India and the state governments should be enforced.

The Cloud Security Alliance (CSA) has defined a set of nine principles for cloud security known as the Security Guidance for Critical Areas of Focus in Cloud Computing. As per the circulars, these principles are:

  • Governance, Risk, and Compliance (GRC):

To create a cloud strategy appropriate for their needs/circumstances, the REs must adopt a strong GRC sub-framework for cloud computing. REs must likewise follow the governance structure outlined in several SEBI circulars.

    • Cloud Governance:

The REs must have a governance model and plan for cloud computing authorized by the Board, Partners, and Owners.

    • Cloud risk management: 

Compared to traditional on-premise infrastructure, there has been a paradigm shift in how cloud technology is developed and maintained. The RE should thus implement a thorough risk management strategy to continuously identify, track, and reduce the risks associated with cloud computing.

The Board of the RE should endorse the cloud risk management strategy. The cloud risk management approach will provide information on the various risks associated with cloud adoption, including technical, legal, business, and regulatory risks, as well as the appropriate risk mitigation controls that should be proportionate to how sensitive and essential the data and operations that will be moved to the cloud are.

    • Compliance and Legal Aspects:

The RE must have policies, procedures, and other measures in place to guarantee compliance with all applicable legal and regulatory requirements (including but not limited to guidelines, circulars, advisories, etc.) for cloud deployments issued by SEBI, the Government of India, or the appropriate state government.

  • Selection of Cloud Service Providers:

While selecting a Cloud Service Provider (CSP), the RE must meet the following criteria:

    • Only the data centres of MeitY-empanelled CSPs that hold a valid STQC (or other equivalent agency appointed by the Government of India) audit status should be used for the storage and processing of data (DC, DR, near DR, etc.), including logs and any other data pertaining to the RE in any form in the cloud.
    • The RE should only pick CSPs that:
      • Utilize the underlying infrastructure/platform of only MeitY-empanelled CSPs for providing services to the RE, and offer PaaS and SaaS services in India.
      • Host the application/platform/services (DC, DR, near DR, etc.) provided to the RE, and store/process the RE’s data, only inside data centres empanelled by MeitY that hold a current STQC (or any other comparable agency authorized by the Government of India) audit status.
      • Have a back-to-back, enforceable agreement in place with all of their partners, vendors, and subcontractors (including those who provide the platform’s underlying infrastructure) to ensure that they adhere to the guidelines outlined in this framework, particularly those in Principles 6 (Security Controls), 7 (Contractual and Regulatory Obligations), and 8 (BCP, Disaster Recovery & Cyber Resilience).
  • Data Ownership and Localization:

The REs’ cloud-based data and logs, encryption keys, etc. must remain entirely their property. The CSP is only permitted to act in a fiduciary role. The right to view some or all of the data at any time must thus always be available to the RE, SEBI, and any other government agency authorized by law.

Apart from that, the storage/processing of data, including logs and any other data/information pertaining to RE in any form, in the cloud shall be done under the following conditions to ensure that RE and SEBI’s rights to access RE’s data, as well as SEBI’s rights of search and seizure, are not affected by the adoption of cloud services:

    • The data must be stored and processed inside Indian territory. 
    • For investors whose place of incorporation is outside of India, however, the REs must maintain the original data, transactions, and logs in a format that is readable and useable within Indian legal jurisdiction. 

The RE is responsible for ensuring the conditions are always met while adopting or using cloud services.

  • Responsibility of the Regulated Entity 

Although the administration of the infrastructure and other technical components may be divided between the RE and the CSP, it must be understood that the RE is solely responsible for all facets of the cloud services it has adopted. This includes the cloud applications’ availability, the confidentiality, integrity, and security of its data and logs, and ensuring the RE’s compliance with all relevant laws, rules, regulations, circulars, etc., issued by SEBI, the Government of India, or the relevant state government.

  • Due Diligence by the Regulated Entity 

The REs should assess the necessity, consequences (financial, regulatory, etc.), risks, advantages, etc., of using cloud computing. Additionally, the RE must perform its due diligence concerning CSPs beforehand and periodically to ensure that its legal, regulatory, business, and other objectives are not compromised. 

The depth of the due diligence is risk-based and depends on how critical the data, services, and activities intended to be moved to the cloud are.

  • Security Controls

The RE is responsible for ensuring that it complies with any applicable circulars, recommendations, advisories, etc., published by SEBI, such as those related to cybersecurity, system audits, and DR-BCP.

  • Contractual and Regulatory Obligations

To safeguard RE’s interests, risk management requirements, and capacity to meet supervisory expectations, a clear and enforceable cloud service provider engagement agreement should be in place.

Also, the provisions for audit and information access rights to the RE and SEBI to conduct due diligence and supervisory reviews should be included in the contractual/agreement conditions between RE and CSP. REs shall also ensure that the contractual terms and agreement with CSP do not impair its ability to manage risks, provide supervision, and comply with regulatory requirements.

  • BCP, Disaster Recovery, and Cyber Resiliency

The REs must evaluate their BCP framework to ensure it complies with all current SEBI recommendations and circulars, including the cloud framework.

REs shall also evaluate CSP’s capabilities, readiness, and preparation concerning cyber resilience. The same can be evaluated regularly by conducting DR exercises with the required stakeholders (per the circulars/guidelines provided by SEBI).

  • Managing Concentration Risk

The CSP lock-in and concentration risk must be evaluated by REs. Before engaging in a contract or arrangement with CSP, a risk evaluation must be completed. The risk should also be evaluated periodically after that.

To reduce the risks associated with CSP concentration, REs must look at cloud-ready and CSP-independent solutions that will allow them to migrate their existing solutions to the cloud when needed with the least amount of disruption. 

It is necessary to establish exit plans considering the relevant risk indicators, exit triggers, exit scenarios, potential relocation possibilities, etc.

Choosing a Cloud Service Provider – Recommendations for Stock Intermediaries 

Several aspects need to be considered when choosing a cloud service provider (CSP), including the company’s security and compliance capabilities, performance, scalability, price, dependability, support, and compatibility with current systems and applications. Some of the recommendations are as follows:

  • The RE may choose any deployment approach depending on its business requirements and its evaluation of the risk posed by the technology. Adherence to this cloud framework and to all other applicable laws, regulations and circulars issued by SEBI, the Government of India and the state governments should be enforced.
  • REs are solely responsible for all aspects of the cloud services they have adopted, including but not limited to the cloud applications’ availability, the confidentiality, integrity, and security of their data and logs, and ensuring RE compliance with all relevant laws, rules, regulations, circulars, etc. issued by SEBI, the Government of India, or the applicable state government. As a result, the RE will be responsible for any violations.
  • The REs must follow the nine principles outlined in the framework when adopting cloud services. The REs must ensure that their cloud installations adhere to the rules in letter and in spirit.
  • Only CSPs that MeitY has appointed may provide cloud services. The STQC (or any other comparable organization designated by the Government of India) audit status should be current for the CSP’s data center.
  • Where appropriate, the RE and CSP (and MSP/SI) should clearly define and restrict their respective roles concerning all actions (technical, managerial, governance-related, etc.) using cloud services.
  • The roles and duties of the RE and CSP (and MSP/SI where appropriate) for ensuring compliance with circulars (such as the outsourcing circular, the BCP-DR, the cybersecurity, and cyber resilience circular, etc.) issued by SEBI from time to time should be clearly defined and demarcated.
  • The auditor must confirm and certify, as part of the system audit of the RE, that the roles and duties of the RE and CSP/MSP/SI are clearly defined:
    1. For every duty, function, activity, and component.
    2. For each provision of the applicable SEBI circulars, guidelines, or rules; the auditor must also confirm and certify that the agreement/contract executed between the RE and CSP (and MSP/SI, if appropriate) reflects those roles and duties.
  • The provisions for audit and information access rights to the RE and SEBI for conducting due diligence and supervisory reviews should be included in the contractual/agreement conditions between RE and CSP.
  • SEBI, CERT-In, or any other government agency must be able, at any time, to:
      • Conduct direct audits and inspections of the resources of the CSP (and its subcontractors/vendors) relating to the RE, or hire a third-party auditor to do so, and check adherence to SEBI and government guidelines/policies/circulars and standard industry policies.
      • Conduct a search and seizure of CSP resources that are used to store and process data and other pertinent resources (such as logs, user information, etc.) related to the RE.
      • Hire a forensic auditor to determine the root cause of any RE-related incident, whether it involves cyber security or another type of incident.
      • Seek the audit reports from the CSP audits.

    The RE must ensure that the agreement or contract with the CSP contains sufficient clauses to permit the activities mentioned above.

  • The cloud framework should be reviewed with any periodic circulars, directives, recommendations, etc., issued by SEBI (including circulars on outsourcing, cybersecurity, BCP-DR, etc.)
  • Transitioning to the cloud framework:
      • The framework will be applicable/be in effect as of the release date for REs not already using cloud services.
      • Up to 12 months will be granted to REs using cloud services to ensure they comply with the framework.
  • No separate reporting is intended; the REs must include their compliance with the framework as part of their system audit, cybersecurity audit, and VAPT reports. The reporting must follow the standardized format SEBI has periodically announced.

SEBI Cloud Adoption Framework – Key Takeaways for REs 

This framework’s primary goal is to highlight the main risks and the necessary control mechanisms REs must implement before adopting cloud computing. The paper also outlines the legal and regulatory requirements that REs must meet to implement such solutions.

The framework applies to the following REs: stock exchanges, clearing corporations, depositories, and stock brokers through Exchanges.

The methodology is based on research, surveys, and discussions with regulators, government organizations, SEBI Advisory Committees, cloud associations, and cloud service providers (CSPs). The framework’s executive summary is as follows:

  1. The REs may choose any deployment methodology based on evaluating the risks associated with the technology and their business needs. Adherence to this cloud framework and other SEBI, the Indian government, state government, and other laws, regulations, and circulars should be enforced.
  2. Although the IT services and functionality may be outsourced (to a CSP), it should be noted that RE is solely responsible for all aspects of the cloud services it has adopted, including but not limited to the cloud applications’ availability, the confidentiality, integrity, and security of its data and logs, and ensuring RE’s compliance with laws. As a result, any infringement of the same shall be the responsibility and account of the RE.
  3. Only CSPs appointed by the Ministry of Electronics and Information Technology (MeitY) may provide cloud services. The STQC (or any other comparable organization designated by the Government of India) audit status should be current for the CSP’s data centre.
  4. Adequate controls must be set up in a multi-tenant cloud architecture to guarantee that data (in motion, at rest, and in use) is separated and unavailable to any other tenant. If further security controls are needed, RE will review the multi-tenancy segregation rules that CSP has implemented and ensure they are followed.
  5. To guarantee confidentiality, privacy, and integrity, data must be encrypted at all lifecycle stages (at rest, in motion, and in use).
  6. All cloud-based RE’s data, encryption keys, logs, etc., shall remain its property.
  7. The RE must always guarantee compliance with all legal and regulatory obligations, including the ones outlined in this framework.
  8. The Security Operations Center (SOC) (internal, external, or managed SOC) should keep track of RE’s cloud installations.
  9. Security controls, legal and regulatory compliances, a clear separation of duties and responsibilities, acceptable services and performance criteria, etc., are all covered in the agreement between the RE and CSP.
  10. The REs must disclose their compliance (with this framework) in their systems audit, cybersecurity audit, and VAPT reports. They must do so in accordance with the standardized format as periodically announced by SEBI.

On-demand self-service, widespread network access, resource pooling, quick adaptability, and measurable service are typical traits of cloud computing. Cloud computing benefits include lower IT expenses, scalability, business continuity, accessibility from anywhere and on any device, improved performance and availability, rapid application deployment, etc., because of these properties.

Globally Compliant Document Automation Powered By Cloud Computing

SignDesk is a trusted & acclaimed provider of SaaS-based digital documentation solutions. Our solutions utilize advanced AI and ML technology to help businesses overcome complex documentation and productivity challenges.

We ensure real-time compliance with regulations and employ industry-standard measures to safeguard client data. Our solutions are trusted and used by thousands of clients, including major Indian banks and enterprises across various industry sectors.

Our certifications for cloud security include:

  • ISO 27017:

From a CSP perspective, we have now enabled thorough security controls for cloud-based assets. Moreover, the cloud solution allows clients to track pertinent actions and document all vital operational activities.

  • NIST-800-171:

Issued by NIST under the US Department of Commerce, compliance with this certification signifies that we secure Controlled Unclassified Information (CUI) through strict access controls as necessary, in addition to aligning cybersecurity to US standards.

  • ISO 27001:

Our ISMS (Information Security Management System) has been independently certified against ISO 27001, the worldwide standard, for some time, and that certification has since been updated.

  • HIPAA: 

The Health Insurance Portability and Accountability Act (HIPAA) is the gold standard for healthcare information security. Compliance with HIPAA mandates that we create policies and put controls in place to protect Protected Health Information (PHI).

  • CCPA:

PII is protected under the California Consumer Privacy Act (CCPA), giving businesses more transparency and control over client data handling and maintenance.

  • FERPA:

The Family Educational Rights and Privacy Act (FERPA), considered the gold standard for educational data, safeguards pertinent information in the academic field to secure student information.

  • GLBA:

The secure management of non-public personal information (NPI) is governed by the Gramm-Leach-Bliley Act (GLBA). The certification, which is well-liked by financial institutions, guarantees that financial information is safeguarded from all information security risks and that obligations to customers and end-users are honoured.

  • GDPR:

The General Data Protection Regulation (GDPR), which lays out strict rules for data processing and storage in the EU, is one of the world’s most comprehensive data protection laws. We’ve been using this standard for a while and are pleased to report that our compliance levels have significantly increased.

  • ISO 27701:

By complying with ISO 27701, we have strengthened our ISMS and developed a framework for a Privacy Information Management System (PIMS) adaptable to all kinds of data security and privacy-centric certifications, including GDPR, CCPA, GLBA, FERPA, HIPAA, and more.

  • ISO 27018:2019:

To assist clients in streamlining operations, we have reinforced PII controls in our cloud storage systems and improved our compliance with ISO 27018.

Contact one of our solution specialists to learn how SignDesk can help you scale up and secure your cloud computing procedures by adhering to the SEBI guidelines on the cloud framework.