In March 2023, SEBI (Securities and Exchange Board of India) issued a framework with nine principles for the adoption of cloud services by regulated entities (REs). As a regulated entity, are you prepared? Read on to find out.
On March 6, 2023, the Securities and Exchange Board of India (SEBI) issued a circular, signed by Deputy General Manager Shweta Banerjee, titled 'Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)'.
The circular outlines nine principles and requirements for REs to consider when adopting cloud computing. The framework was developed after studying and consulting with market participants, regulators, cloud associations, cloud service providers, government agencies, and SEBI Advisory Committees.
But before we go any further, let us look at the categories of SEBI-regulated entities (REs).
- Stock Exchanges (Eg: Bombay Stock Exchange (BSE), National Stock Exchange (NSE), Calcutta Stock Exchange (CSE), etc.)
- Clearing Corporations (Eg: Indian Clearing Corporation Limited, Metropolitan Clearing Corporation of India Ltd., Multi-Commodity Exchange Clearing Corporation Ltd, etc.)
- Depositories (Eg: National Securities Depository Limited (NSDL) and Central Depository Services (India) Limited (CDSL))
- Stock Brokers through Exchanges (Eg: Zerodha, Sharekhan, etc.)
- Depository Participants through Depositories (Eg: Karvy Stock Broking Limited, Edelweiss Securities Ltd, etc.)
- Asset Management Companies (AMCs)/ Mutual Funds (MF) (Eg: Kotak Mahindra Asset Management Company (AMC), SBI Bluechip Fund (MF), etc.)
- Qualified Registrars to an Issue and Share Transfer Agents (Eg: Karvy Fintech Private Limited, Link Intime India Private Limited, etc.)
- KYC Registration Agencies (Eg: CAMS (Computer Age Management Services) Limited, DotEx International Limited, etc.)
The "Framework for Adoption of Cloud Services" circular starts with a definition of cloud computing and highlights its advantages: reduced IT costs, scalability, business continuity, accessibility, higher performance and availability, and quick application deployment.
The circular also recognizes the importance of considering factors such as risk identification, control mechanisms, security and operational standards, vendor lock-in, and compliance with legal, technical, and regulatory requirements. The framework is based on nine high-level principles and provides mandatory requirements that REs must fulfill to adopt cloud computing.
The Nine Principles and how Vaultastic can help SEBI-Regulated Entities
Vaultastic is a cloud-based archiving solution offered by Mithi Software Technologies Pvt. Ltd. It is a Software-as-a-Service (SaaS) platform, which means that it is hosted in the cloud and accessible via a web browser or API.
Vaultastic is hosted on the AWS public cloud across regions (including the India region). AWS is empanelled with the Ministry of Electronics and Information Technology (MeitY) of India, the government ministry responsible for promoting the development of the electronics and IT sectors in India. As an empanelled Cloud Service Provider (CSP) with a valid Standardisation Testing and Quality Certification (STQC) audit, AWS has demonstrated compliance with Indian government standards for cloud services. Mithi’s cloud-native archiving service, Vaultastic, is designed to comply with regulations such as HIPAA and GDPR and with the guidelines of Indian regulators such as SEBI, RBI, and IRDAI, and is regularly audited for vulnerabilities by independent third parties.
Principle 1: Governance, Risk, and Compliance Sub-Framework
This principle states that REs require board-approved governance and risk management strategies for cloud computing. It includes the adoption of cloud service models, classification of services to be onboarded, protection of stakeholder interests, and compliance with legal and regulatory requirements.
REs have the flexibility to choose their deployment and service models based on business needs and a technology risk assessment, but must adhere to SEBI, Government of India, and state government rules and regulations. The framework permits the following deployment models:
- Private cloud
- Community cloud
- Public cloud
- Hybrid cloud
and the following service models:
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
- Other models such as Application as a Service and Security as a Service
Vaultastic, as a SaaS platform built on the AWS public cloud, offers the following advantages over a private cloud deployment:

| | Private Cloud | SaaS on the Public Cloud |
|---|---|---|
| Costs | Setting up a private cloud can be expensive, especially in terms of initial setup, ongoing maintenance, and staffing. | Vaultastic offers pay-as-you-go pricing, so you pay only for what you use. This can reduce costs by up to 60% while also improving cash flow. |
| Scalability | A private cloud offers limited scalability, bounded by the resources available. Organizations may need to invest in additional hardware and software to scale their private cloud infrastructure, which is costly and time-consuming. | Vaultastic as a SaaS offers elastic scalability, allowing you to add or remove resources to meet changing demand. This is particularly beneficial for businesses that experience seasonal spikes or need to scale up or down rapidly with market conditions. |
| Risks | Keeping data in-house or in your own data center exposes it to physical threats such as theft, fire, flood, and natural disasters. In addition, if the data center is not secured correctly or in-house security measures are not robust, the data is susceptible to hacking and cyberattacks. | Vaultastic leverages the shared responsibility model of the cloud: the CSP is responsible for security OF the cloud, and Vaultastic for security IN the cloud (the RE remains responsible for its own users, access policies, and configuration, as Principle 4 below makes clear). CSPs maintain robust security measures to protect customer data and prevent unauthorized access, and typically have teams of experts dedicated to monitoring and responding to security threats. |
More and more industries, and financial institutions in particular, are moving to the public cloud, and Vaultastic/Mithi can help you make the transition a smooth one.
While the RE retains its own duties under this principle (selecting the CSP, board oversight, and key management for the cloud deployment), Vaultastic can provide data services to help with:
- Centralized Data Protection & Management
- Data Discovery and Recovery
- Addressing various Stakeholder interests/concerns
- and Legal and Regulatory Compliance
Vaultastic can further assist REs in identifying and mitigating risks as well as offering technical expertise in cloud deployment and integration with existing IT infrastructure.
Principle 2: Selection of Cloud Service Providers
This principle states that data related to REs, in any form, stored or processed in the cloud must reside with MeitY-empanelled CSPs that have a valid audit status. For PaaS and SaaS services, REs should select only cloud applications hosted in MeitY-empanelled data centers and must have clear agreements with partners, vendors, and subcontractors covering security, contractual, regulatory, and disaster recovery requirements.
Mithi uses AWS, which has achieved full empanelment with MeitY and completed the STQC audit, as the infrastructure platform for its data archiving solutions. Mithi, the provider of Vaultastic, conducts periodic risk assessments of its partners and third-party vendors to identify and address gaps in service provision. In addition, Mithi’s cloud platform has in-built disaster recovery to address the RE’s recovery point and recovery time objectives (RPO/RTO).
Principle 3: Data Ownership and Data Localization
REs shall retain complete ownership of all their data, and the application provider and CSP shall act only in a fiduciary capacity. The RE and SEBI have the right to access any of this data at any time, and the application provider must give the RE and SEBI visibility into its infrastructure and processes.
Data must be stored and processed within the legal boundaries of India; where data relates to foreign investors, the original data must nevertheless be available in India. REs are responsible for data security and for compliance with laws, regulations, and SEBI requirements, and must monitor the CSP’s compliance on an ongoing basis.
Mithi guarantees that all stored data and data logs will be under the RE’s control, and Mithi will be transparent about cloud deployment processes, providing full access to REs. Additionally, Mithi ensures that all data processed by the platform will remain within the country’s boundaries.
Principle 4: Responsibility of the Regulated Entity
REs are accountable for all aspects of cloud services adopted by them, including confidentiality, integrity, and security of data and logs and compliance with applicable laws and regulations. Responsibilities between the RE and CSP must be demarcated and added to the agreement. REs shall have the ultimate responsibility and liability for any violation of laws, regardless of the demarcation of responsibilities.
All SLAs/ contracts/ agreements implemented by Mithi delineate responsibilities, and Mithi is committed to amending contracts to comply with future SEBI regulations.
Principle 5: Due Diligence by the Regulated Entity
REs should conduct due diligence before adopting cloud computing services and evaluate the implications, risks, and benefits. REs should perform risk-based due diligence as per the criticality of the data/services. REs should look for financial soundness, security risk assessment, data ownership, confidentiality, data protection, and compliance with applicable rules and regulations in a CSP. CSPs must also perform proper screening and background checks of personnel and vendors and provide adequate training to ensure information security, data privacy, and compliance.
Mithi is committed to providing all documentation, audit reports, and information on third-party vendor contracts, with complete transparency about its contractual obligations, to assure REs that it aligns with SEBI’s framework requirements.
Principle 6: Security Controls
This principle sets guidelines for securing the cloud computing infrastructure. REs should assess CSPs to ensure adequate security controls are in place, covering vulnerability and patch management, vulnerability assessment and penetration testing (VAPT), incident management and SOC integration, continuous monitoring, secure user management, secure software development, controls over managed service providers and system integrators, and encryption and cryptographic key management.
The principle further states that the CSP should support Bring Your Own Key (BYOK) and that REs should adopt Bring Your Own Encryption (BYOE), so that the RE, not the provider, retains control over encryption and key management.
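To make the BYOE principle concrete, here is an added Python example (not Vaultastic or Mithi code, and not text from the SEBI circular) of client-side envelope encryption: the RE generates a fresh data-encryption key (DEK) for each archived object, encrypts the object before it leaves the RE's boundary, and wraps the DEK under a key-encryption key (KEK) that only the RE's own key store holds. The SaaS archive receives ciphertext and the wrapped DEK, never a usable key, and destroying the KEK makes the whole archive unreadable (crypto-shredding). `ReKeyStore`, `SaasArchive`, and the sample message are hypothetical constructions for this example; the symmetric primitive is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, used only so the example runs on the standard library, and in production it should be AES-256-GCM with keys held in the RE's KMS/HSM.

```python
"""Added example: envelope encryption in the BYOE pattern (not Mithi/Vaultastic code)."""
import hashlib
import hmac
import secrets

BLOCK = hashlib.sha256().digest_size  # 32 bytes per keystream block and per tag
NONCE_LEN = 16


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive a single-purpose sub-key (encryption or MAC) from a master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenate HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; aad is authenticated only."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    if len(blob) < NONCE_LEN + BLOCK:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-BLOCK], blob[-BLOCK:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or AAD was modified")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class ReKeyStore:
    """Hypothetical stand-in for the RE's own KMS/HSM. It holds the KEK; the SaaS never sees it."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def _require_kek(self) -> bytes:
        if self._kek is None:
            raise RuntimeError("KEK destroyed: archived data is no longer recoverable")
        return self._kek

    def wrap(self, dek: bytes) -> bytes:
        return encrypt(self._require_kek(), dek, aad=b"wrapped-dek")

    def unwrap(self, wrapped: bytes) -> bytes:
        return decrypt(self._require_kek(), wrapped, aad=b"wrapped-dek")

    def destroy(self) -> None:
        """Crypto-shredding: discarding the KEK makes every wrapped DEK, and so every object, unreadable."""
        self._kek = None


class SaasArchive:
    """Hypothetical stand-in for the archive: it stores only ciphertext and the wrapped DEK."""

    def __init__(self) -> None:
        self._objects: dict[str, tuple[bytes, bytes]] = {}

    def put(self, object_id: str, ciphertext: bytes, wrapped_dek: bytes) -> None:
        self._objects[object_id] = (ciphertext, wrapped_dek)

    def get(self, object_id: str) -> tuple[bytes, bytes]:
        return self._objects[object_id]


def archive_message(keystore: ReKeyStore, archive: SaasArchive, object_id: str, message: bytes) -> None:
    """RE side: fresh DEK per object, encrypt locally, wrap the DEK under the RE's KEK, then upload."""
    dek = secrets.token_bytes(32)
    ciphertext = encrypt(dek, message, aad=object_id.encode())  # bind ciphertext to its object id
    archive.put(object_id, ciphertext, keystore.wrap(dek))


def retrieve_message(keystore: ReKeyStore, archive: SaasArchive, object_id: str) -> bytes:
    """RE side: fetch ciphertext and wrapped DEK, unwrap with the RE's KEK, decrypt locally."""
    ciphertext, wrapped_dek = archive.get(object_id)
    dek = keystore.unwrap(wrapped_dek)
    return decrypt(dek, ciphertext, aad=object_id.encode())


if __name__ == "__main__":
    ks, ar = ReKeyStore(), SaasArchive()
    archive_message(ks, ar, "mail/0001", b"constructed sample message")  # constructed sample input
    print(retrieve_message(ks, ar, "mail/0001"))
```

The object id is passed as associated data so that a ciphertext moved or relabelled inside the archive fails authentication on retrieval, and the per-object DEK means that rotating or revoking the KEK never requires re-encrypting the bulk data, only re-wrapping the small DEKs.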
Mithi’s cloud platform is protected at multiple layers to comply with SEBI’s security framework requirements. Namely:
- Hardened and secured cloud services and storage.
- Encryption for data-at-rest, data-in-transit, and data-in-use, adhering to data residency norms.
- Zero-trust protocols, authentication, authorization, DDoS protection, and more.
- Role-based granular access control, filters, policies, and more.
- Secure user management protocols.
- Two-factor authentication (2FA) and multi-factor authentication (MFA).
- Network segregation.
- Documentation of data breaches.
Mithi will implement, or assist with, BYOK and BYOE approaches, as well as storage of encryption keys in approved HSMs, at the request of the RE.
Finally, while maintaining traditional security mechanisms, Mithi is committed to continuously improving its secure software development practices for micro-services, APIs, containers, and serverless architecture.
Principle 7: Contractual and Regulatory Obligations
This principle discusses the importance of a clear and enforceable agreement between a CSP and an RE, so that the RE’s interests are protected, its risk management needs are met, and regulatory compliance is maintained. The agreement should include provisions on audit, VAPT, incident reporting, compliance with legal requirements, performance criteria, and data storage within legal boundaries.
Mithi creates SLAs, contracts, and agreements that align with SEBI guidelines. REs are free to perform their own VAPT on the solution.
Principle 8: BCP, Disaster Recovery & Cyber Resilience
This principle states that REs must evaluate and ensure that their Business Continuity Plan (BCP) complies with the cloud framework and other guidelines issued by SEBI. They should also evaluate the cyber resilience of the CSP and conduct periodic Disaster Recovery (DR) drills per SEBI’s circulars and guidelines. Moreover, REs need a contingency plan to handle any disruption or shutdown of cloud services effectively.
Mithi’s cloud platform delivers robust BCP readiness with in-built disaster recovery and high data durability. The entire cloud solution undergoes the AWS Foundational Technical Review (FTR), in which the solution is checked for reliability, security, availability, performance, and more; the review also covers DR drills.
Mithi can assist REs with their BCP framework, make their own BCP framework available for review, and provide a preparedness report on their BCP steadfastness, DR drills, and cyber resilience for RE/SEBI’s review.
Principle 9: Vendor Lock-in and Concentration Risk Management
This principle states that REs should assess CSP lock-in and concentration risks before agreeing and periodically evaluate the agreement. To mitigate the risks, REs should consider cloud-ready and CSP-agnostic solutions and develop exit strategies with risk indicators, triggers, scenarios, migration options, etc.
Mithi has a customer-friendly exit policy that ensures data portability and, for large data sets, physical shipment of the data.
For REs not yet using cloud services, the framework applies immediately. For REs already using cloud services in any form, SEBI has allotted 12 months to achieve compliance with the framework, and they must provide SEBI with regular updates against the milestones below:
- On or before April 6, 2023: REs shall provide details of any cloud services currently deployed by them.
- On or before June 6, 2023: REs shall submit a roadmap to SEBI with details of major activities, timelines, etc., for implementing the framework.
- Between June 6, 2023 and March 6, 2024: REs shall submit quarterly progress reports against the roadmap submitted to SEBI.
- After March 6, 2024: REs are to be fully compliant with the framework and to update SEBI regularly on this aspect.
Vaultastic/Mithi can assist REs in adhering to SEBI’s cloud framework. Built on a MeitY-empanelled and STQC-certified CSP, Mithi can provide advisory services to identify and mitigate risks, technical expertise in cloud deployment, and support for legal and regulatory compliance.