Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) - SEBI - SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033

Extract

..... rpose of this framework is to highlight the key risks, and mandatory control measures which REs need to put in place before adopting cloud computing. The document also sets out the regulatory and legal compliances by REs if they adopt such solutions.

3. Applicability: The framework shall be applicable to the following REs:
i. Stock Exchanges
ii. Clearing Corporations
iii. Depositories
iv. Stock Brokers through Exchanges
v. Depository Participants through Depositories
vi. Asset Management Companies (AMCs)/ Mutual Funds (MFs)
vii. Qualified Registrars to an Issue and Share Transfer Agents
viii. KYC Registration Agencies (KRAs)

4. Transition Period
i. The framework shall come into force with immediate effect for all new or proposed cloud onboarding assignments/ projects of the REs.
ii. REs which are currently availing cloud services (as on date of issuance of this framework) shall ensure that, wherever applicable, all such arrangements are revised and they (RE) shall be in compliance with this framework not later than 12 (twelve) months from the date of issuance of the framework.
iii. Additionally, the REs which are currently availing cloud services, shall provide milestone-based upda .....

..... ervice Providers (CSPs), data ownership and data localization, due-diligence by REs, security controls, legal and regulatory obligations, DR & BCP, and vendor lock-in risk. The principles are broadly stated guidelines that set the standards with which REs must comply while adopting cloud services. The principles are stated below:
i. Principle 1: Governance, Risk and Compliance Sub-Framework
ii. Principle 2: Selection of Cloud Service Providers
iii. Principle 3: Data Ownership and Data Localization
iv. Principle 4: Responsibility of the Regulated Entity
v. Principle 5: Due Diligence by the Regulated Entity
vi. Principle 6: Security Controls
vii. Principle 7: Contractual and Regulatory Obligations
viii. Principle 8: BCP, Disaster Recovery & Cyber Resilience
ix. Principle 9: Vendor Lock-in and Concentration Risk Management
The detailed framework is enclosed at Annexure-1 of this circular.

7. This circular is issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.

Yours Faithfully,
Shweta Bane .....

..... a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
For selection of CSPs offering PaaS and SaaS services in India, RE shall choose only such CSPs which:
1. Utilize the underlying infrastructure of MeitY empaneled CSPs for providing services to the RE.
2. Host the application/ platform/ services provided to RE, as well as store/ process data of the RE, only within the data centers empaneled by MeitY and holding a valid STQC (or any other equivalent agency appointed by Government of India) audit status.
iv. In a multi-tenant cloud architecture, adequate controls shall be provisioned to ensure that data (in motion, at rest and in use) is isolated and inaccessible to any other tenant. RE shall assess and ensure that the multi-tenancy segregation controls are in place at the CSP, and shall place additional security controls if required.
v. Data shall be encrypted at all lifecycle stages (at rest, in motion and in use), irrespective of source or location, to ensure confidentiality, privacy and integrity.
vi. RE shall retain complete ownership of all its data, encryption keys, logs etc. residing in cloud.
vii. Compliance with legal and regulatory requirement .....

..... T User Acceptance Testing
26 VAPT Vulnerability Assessment & Penetration Testing
27 VM Virtual Machine
28 VPN Virtual Private Network
29 WAF Web Application Firewall

Definitions
1. Cloud Model Description - The description of common cloud deployment models (as per NIST) [Ref: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf] is given below:
Sr. No / Model / Description
1. Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
2. Community Cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
3. Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It ma .....

..... n of limited user specific application configuration settings. A few examples of SaaS are Gmail, Microsoft Office 365, etc.
B. Other deployment models such as Application as a Service, Security as a Service, etc. may be considered as a sub-part or variant of the above-mentioned models as they contain components of IaaS, PaaS and SaaS. For example, Security as a Service is a form of SaaS which provides specialized information security services. Similarly, Application as a Service is a type of SaaS in which applications (for example Google Sheets, Google Docs, etc.) are delivered on-demand to customers through the internet.
3. Regulated Entity (RE) - The term “Regulated Entity” refers to SEBI registered/ recognized intermediaries (for example brokers, mutual funds, KYC Registration Agencies, and QRTAs) and Market Infrastructure Institutions (Stock Exchanges, Clearing Corporations, and Depositories) regulated by SEBI.
4. Key Management - In the context of encryption/ decryption, a key is typically a random string of bits generated to hide (encrypt) or reveal (decrypt) data. A key is most commonly used along with an algorithm (method) for encryption/ decryption of data. Ther .....

..... d that the RE cannot outsource the risks and decision making associated with deployment of cloud services to the CSP. The risk assessment shall include (but not be limited to) steps such as identifying threat sources and events, identifying vulnerabilities and pre-disposing conditions, control analysis, magnitude of impact, etc.
4. A clearly identified and named resource (typically CISO) shall be appointed and shall be responsible for security of the deployments in cloud.
iii. Compliance and Legal Aspects: The RE shall have policies, processes, etc. in place to ensure compliance with the applicable legal and regulatory requirements (including but not limited to guidelines, circulars, advisories, etc.) for deployments in cloud, issued by SEBI/ Government of India/ respective state government.
iv. In order to ensure the smooth functioning of and adherence to the GRC sub-framework, it is mandated to divide the roles and assign the responsibilities as given below:
1. Role of the Board/ Key Management Personnel (KMP) - The Board/KMP shall be responsible for:
a. Approval of cloud governance model and cloud risk management approach, and setting up processes for smooth onboarding on cloud whi .....

..... and services deployed on cloud. This shall include, but not be limited to, monitoring the performance, uptime (of the systems/ resources) and service availability, adherence to SLA requirements, incident response mechanism, etc.
2. RE shall conduct regular audits/ VAPT of its cloud deployments. The frequency and scope of such audits/ VAPT shall be in line with SEBI cyber guidelines/ circulars/ framework issued from time to time.
3. Additionally, the RE shall also assess the performance of the CSP, adequacy of the risk management practices adopted by the CSP, compliance with laws/ regulations etc.
vii. Country Risk: The engagement with a CSP having country of incorporation/ registration outside of India exposes the RE to country risk. To manage such risk, wherever applicable, the RE shall closely monitor the CSP’s country’s government policies and its political, social, economic and legal conditions on a continuous basis, and establish sound procedures for mitigating the country risk. This includes, inter alia, having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding co .....

..... e CSP shall be working only in a fiduciary capacity. Therefore, the RE, SEBI and any other Government authority authorized under law shall always have the right to access any or all of the data at any or all points of time.
ii. Visibility: Whenever required (by RE/ SEBI), the CSP shall provide visibility to RE as well as SEBI into CSP’s infrastructure and processes, and its compliance with applicable policies and regulations issued by SEBI/ Government of India/ respective state government.
iii. Data Localization: In order to ensure that RE’s and SEBI’s right to access RE’s data, as well as SEBI’s rights of search and seizure, are not affected by adoption of cloud services, the storage/ processing of data (DC, DR, near DR etc.) including logs and any other data/ information pertaining to RE in any form in cloud shall be done as per the following conditions:
1. The data should reside/ be processed within the legal boundaries of India.
2. However, for the investors whose country of incorporation is outside India, the REs shall keep the original data/ transactions/ logs available and easily accessible in legible and usable form, within the legal boundaries of India. T .....

..... l also be done with respect to MSP/ SI, and the same shall be included in the agreement (in line with the requirements given above).
iv. Similarly, there shall be an explicit and unambiguous delineation/ demarcation of responsibilities between the RE and CSP (and MSP/SI wherever applicable) for ensuring compliance with respect to applicable circulars (for example cybersecurity and cyber resilience circular, outsourcing circular, BCP-DR etc.) issued by SEBI from time to time. There shall be no “joint/ shared ownership” for ensuring compliance with respect to any clause. If compliance for any clause has to be jointly ensured by RE and CSP (and MSP/SI wherever applicable), there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the clause. This delineation shall also be added explicitly in the agreement (as an annexure) signed between the RE and the CSP (and MSP/SI wherever applicable).
v. In view of the fact that a CSP is not a RE, the RE shall continue to have ultimate responsibility and liability for any violation of the laws, rules, regulations, circulars, etc. issu .....

..... here a CSP has exposure to multiple entities.
6. Ability to enforce agreements and the rights available thereunder, including those relating to aspects such as data storage, data protection and confidentiality, SLA, etc.
7. RE shall ensure that CSP performs proper screening and background checks of its personnel and vendors before onboarding, and provides adequate training and awareness programs to ensure that the customer (RE) services are not hampered due to misconfiguration/ inadvertent actions/ operational issues/ etc.
8. Capability of the CSP to deal with RE’s compliance needs and operational aspects, and to ensure information security, data privacy, etc.
9. CSP’s ability to ensure compliance with this framework as well as all applicable rules/ regulations/ circulars issued by SEBI from time to time.
10. Any other additional criteria that the RE considers appropriate/ as per RE's requirement.

Principle 6: Security Controls
6. Security Controls [For CSPs offering PaaS/ SaaS services, in the event any particular security control does not apply to their specific deployment model, such CSPs have to ensure that their vendor/ partner/ sub-contractor providing the underlying i .....

..... pact (financial, reputational, operational, etc.) on the RE shall be intimated to RE by CSP in a timely manner. The reporting should be done in line with the guidelines/ regulations/ circulars issued by SEBI/ Government of India and (wherever applicable) as per the contractual agreement signed between the CSP and RE.
iii. Incident Management: The RE shall ensure that the CSP has incident management processes in place to detect, respond to and recover from any incident at the earliest. The processes should aim to minimize the impact to the RE.
iv. Wherever key management is being done by CSP for platform level encryption (for example, full disk encryption or VM level encryption), RE shall assess and ensure that the entire key lifecycle management is being done by CSP in a secure manner.
v. Secure User Management [Any type of access/ user provided to SEBI/ any law enforcement agency of Government of India or state government shall be exempt from this clause]: Wherever the user management is done by CSP, the RE shall ensure that role based access and rule based access are strictly followed by CSP for its resources, and that access is based on the principle of least privilege. The following .....

..... standard for information security developed by American Institute of Certified Public Accountants (AICPA).] reporting for CSP.
ix. RE shall ensure that CSP has adequate controls (for example anti-virus, encryption of data, micro-segmentation, etc.) in place to safeguard cloud infrastructure as well as to ensure the privacy, confidentiality, availability, processing integrity and security of the RE’s data right from data creation/ transfer/ etc. in the cloud till final expunging of data.
6.2. Security in the Cloud: RE shall perform risk-based assessment and place adequate controls depending on the criticality of the data/ services/ operations (placed in cloud environment) under the purview of RE. Some of the common controls (including but not limited to) that RE shall put in place are:
6.2.1. Vulnerability Management and Patch Management: The RE shall have a well-defined Vulnerability Management policy in place and should strictly adhere to the same. The policy should also address the vulnerability management aspects of the infrastructure/ services/ etc. managed by RE in the cloud. The components managed by RE shall be up to date in terms of patches/ OS/ version etc. The patch .....

..... ermissions shall be adopted wherever feasible.
v. Multi factor authentication shall be adopted for admin accounts.
6.2.6. Security of Interfaces: Controls related to typical interfaces in a cloud deployment are given below:
6.2.6.1. Management interface:
i. This is the interface provided to the RE by CSP to manage the infrastructure on cloud. This interface is also used to manage the account of the RE assigned by CSP.
ii. To mitigate the risks, the interface shall have Two Factor Authentication (2FA)/ Multi Factor Authentication (MFA). For additional security, measures such as dedicated leased lines may be explored. The access logs and access list of the interface should be strictly monitored (by RE and CSP). The traffic to and from the interface shall be regulated through firewall, Intrusion Prevention System, etc.
6.2.6.2. Internet facing interfaces: Any interface which is exposed to the public at large on the internet in the form of a service/ API/ etc. is considered an internet facing interface. Adequate security controls such as IPS, Firewall, WAF, Anti-DDoS, API gateways etc. should be in place, and additional controls such as 2FA authentication, SSL VPN solutions shall also be consi .....

..... ocessed in the cloud, confidential computing solutions shall be implemented.
ii. To ensure RE’s controls on encryption and key management, the following shall be followed:
1. Wherever applicable:
a. “Bring Your Own Key” (BYOK) approach shall be adopted, which ensures that the RE retains the control and management of cryptographic keys that would be uploaded to the cloud to perform data encryption.
b. “Bring Your Own Encryption” (BYOE) approach shall be followed by the RE.
2. In case BYOK and BYOE approaches (as given above) are not implemented by RE, the RE shall conduct a detailed risk assessment and implement appropriate risk mitigation measures to achieve functionality/ security equivalent to the BYOK and BYOE approaches.
3. Generating, storing and managing the keys shall be implemented in a dedicated Hardware Security Module (HSM) to have complete control of key management. However, it is to be noted that the HSM should be designed in fault tolerant mode, to ensure that a failure of the HSM does not have an impact on data retrieval and processing.
6.2.10. End Point Security: The RE shall ensure that the data security controls in the nature of anti .....

..... dia/ respective state government.

Principle 7: Contractual and Regulatory Obligations
7. Contractual and Regulatory Obligations [With respect to CSPs offering PaaS/ SaaS services, REs shall deploy the services of only those CSPs which have a back-to-back, clear and enforceable agreement with their vendor/ partner/ sub-contractor providing their underlying infrastructure/ platform for fulfilling the requirements provided in this Principle.]:
i. A clear and enforceable cloud service provider engagement agreement should be in place to protect RE’s interests, risk management needs, and ability to comply with supervisory expectations.
ii. The contractual/ agreement terms between RE and CSP shall include the provisions for audit and information access rights for the RE as well as SEBI, for the purpose of performing due diligence and carrying out supervisory reviews. RE shall also ensure that its ability to manage risks, provide supervision and comply with regulatory requirements is not hampered by the contractual terms and agreement with CSP.
iii. The contract/ agreement shall be vetted from a legal and technical standpoint by the RE. The agreement shall be flexible enough to .....

..... ired, CSP has to conduct additional audits (from CERT-In empaneled auditors) to fulfil all the requirements provided in various applicable circulars/ regulations issued by SEBI, and the same shall be ensured by the RE.
5. The RE shall ensure that appropriate clauses/ terms (including SLA clauses) are added in the agreement (signed between RE and CSP) to enforce the above-mentioned audit/ VAPT requirements.
vi. Contract/ Agreement should have adequate provisions regarding the termination of contract with CSP, and appropriate exit strategies to ensure smooth exit without hindering any legal, regulatory or technical obligations of the RE.
vii. As part of exit strategy, a clear expunging clause shall be defined in the agreement with CSP, which shall state that whenever the RE intends to expunge the data, CSP shall securely and permanently erase the RE’s data in disks, backup devices, logs, etc. and no data shall remain in recoverable form. However, it is the responsibility of the RE to ensure that the minimum retention requirements for data (including logs) as prescribed by SEBI/ Government of India/ respective state government are met and that the required data, logs, etc. are archiv .....

..... other party.
11. Specifying the resolution process for events of default, insolvency, etc. and indemnities, remedies, and recourse available to the respective parties.
12. Contingency plan(s) to ensure business continuity planning, RPO/RTO, and recovery requirements.
13. Provisions to fulfill the search and seizure requirements (as provided above in this principle) and audit/ VAPT requirements (as provided above in this principle).
14. Right to seek information (by RE/ SEBI) from the CSP about the third parties (in the supply chain) engaged by the CSP.
15. Clauses making the CSP contractually liable for the performance and risk management practices of its sub-contractors.
16. Obligation of the CSP to comply with directions issued by SEBI in relation to the activities of the RE onboarded on cloud.
17. Termination rights of the RE, including the ability to orderly transfer the proposed cloud onboarding assignment to another CSP, if necessary or desirable.
18. Obligation of the CSP to co-operate with the relevant authorities in cases involving the RE as and when required.
19. Clauses for performing risk assessment by CSP with respect to hiring of third party vendors, the checks/ pro .....

..... ervices adopted by it including but not limited to availability of cloud applications, confidentiality, integrity and security of its data and logs, and ensuring RE’s compliance with the applicable laws, rules, regulations, circulars, etc. issued by SEBI/ Government of India/ respective state government.
2. The RE shall explicitly and unambiguously specify the party (RE or CSP/MSP/SI) which is responsible for ensuring compliance with each clause of the applicable SEBI circulars (for example cybersecurity circular, systems audit, etc.) in its audit reports. There shall be no “joint/ shared ownership” for any of the clauses. In case the responsibility of ensuring compliance (for any clause) rests with both parties, the task shall be split into sub-tasks/ line-items, and for each sub-task/ line-item, the responsible party shall be indicated in the report.
3. The RE shall ensure that the demarcation/ delineation of responsibilities is provided for each clause of the applicable SEBI circular(s).
4. In view of the above requirements, as well as to ensure effective monitoring of cloud deployments by REs, reporting of compliance (with this framework) shall be done by the R .....

..... facilitate the RE in migrating the solutions as and when necessary, with minimal changes. Exit strategies shall be developed, which should consider the pertinent risk indicators, exit triggers, exit scenarios, possible migration options, etc.
iii. The RE shall also take measures to implement data portability and inter-operability as part of exit/ transfer strategy.
iv. In order to mitigate the risk arising due to failure/ shutdown of a particular CSP, and to limit the impact of any such failure/ shutdown on the securities market, SEBI may specify concentration limits on CSPs (thereby setting a limit on the number of REs that a CSP may provide its services to).

10. Recommendations:
i. RE may opt for any model of deployment on the basis of its business needs and technology risk assessment. However, compliance should be ensured with this cloud framework as well as other rules/ laws/ regulations/ circulars made by SEBI/ Government of India/ respective state government.
ii. REs are solely accountable for all aspects related to the cloud services adopted by them including but not limited to availability of cloud applications, confidentiality, integrity and security of their data and log .....

..... tween the RE and CSP. If any function/ task/ activity has to be performed jointly by the RE and CSP, there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the task. The same should be a part of the agreement (as an annexure) between the RE and the CSP (and MSP/SI wherever applicable).
vi. Similarly, there should be an explicit and unambiguous delineation/ demarcation of responsibilities between the RE and CSP (and MSP/SI wherever applicable) for ensuring compliance with respect to circulars (for example cybersecurity and cyber resilience circular, outsourcing circular, BCP-DR etc.) issued by SEBI from time to time. There shall be no “joint/ shared ownership” for ensuring compliance with respect to any clause. If compliance for any clause has to be jointly ensured by RE and CSP (and MSP/SI wherever applicable), there should be a clear delineation and fixing of responsibility between the RE and the CSP (and MSP/SI wherever applicable) for each sub-task/ line-item within the clause. This delineation shall also be added explicitly in the agreement (as an annexure) sign .....

..... should be read along with the circulars (including circulars on outsourcing, cybersecurity, BCP-DR, etc.), directions, advisories, etc. issued by SEBI from time to time.
xi. Transition Period:
1. For the REs which are not utilizing any cloud services currently, the framework shall be applicable/ come into force from the date of issuance.
2. For the REs which are currently utilizing cloud services, up to 12 months shall be given to ensure their compliance with the framework. Additionally, such REs shall provide regular milestone-based updates as follows:
SN. / Timeline / Milestone
1. Within one (1) month of issuance of framework: REs shall provide details of the cloud services, if any, currently deployed by them.
2. Within three (3) months of issuance of framework: The REs shall submit a roadmap (including details of major activities, timelines, etc.) for the implementation of the framework.
3. From three (3) to twelve (12) months of issuance of framework: Quarterly progress report as per the roadmap submitted by the RE.
4. After twelve (12) months of issuance of framework: Compliance with respect to the framework to be reported regularly.
3. The above-mentioned reporting shall be done to the aut .....
