The Rising Imperative of Cybersecurity Compliance in India’s Financial Sector

Recently, an online trading company settled with the Securities and Exchange Board of India (SEBI) for multiple violations and non-compliance including on account of mandatory cybersecurity and operational guidelines, by paying a penalty of around ₹5.74 crore. Last year, the entity had disclosed to the stock exchanges that it was verifying emails it had received on alleged data breach concerns, which was also reported by the media once again earlier this year and refuted by the entity.

Nevertheless, the Angel One settlement highlights the increasing importance of robust cybersecurity measures within India’s financial sector. As cyber risks grow in complexity, SEBI has been enhancing its regulatory frameworks to ensure the securities market remains secure, resilient, and capable of addressing new and emerging threats.

The 2018 SEBI Cybersecurity Circular laid the groundwork for cybersecurity compliance, requiring market intermediaries to inter alia:

1. implement critical cybersecurity measures based on the principles of Identify, Protect, Detect, Respond, and Recover

2. conduct regular audits and vulnerability assessments to protect vital market infrastructure

3. establish governance structures to ensure sustained adherence to cybersecurity best practices

   
   

Although these guidelines set a strong baseline, the sophistication of cyber threats has necessitated a more advanced and adaptive approach. Fast forward to SEBI’s 2024 Cybersecurity and Cyber Resilience Framework (CSCRF) introduced to address the evolving threat landscape. The deadline for implementing the framework has now been extended to March 31, 2025. This incorporates seemingly forward-thinking measures such as:

1. Graded Compliance: Tailoring cybersecurity requirements to an entity’s size, complexity, and risk exposure, ensuring larger entities with significant threats implement more robust defenses

2. Advanced Security Protocols: Mandating cutting-edge measures like post-quantum cryptography to counter emerging risks such as quantum computing, and establishing Security Operations Centers (SOCs) for real-time monitoring and rapid response

3. Cyber Resilience Focus: Going beyond traditional cybersecurity to emphasize long-term resilience, adopting principles such as Anticipate, Withstand, Contain, Recover, and Evolve, to prepare entities for future challenges

4. Real-Time Incident Reporting: Enforcing immediate reporting of cybersecurity incidents to SEBI to enhance transparency, enable quicker threat mitigation, and bolster overall market stability

   
   

The 2024 CSCRF is a prima-faci step towards meaningful milestones in safeguarding India’s financial ecosystem. Its focus on advanced security practices and cyber resilience equips market participants to navigate an increasingly complex cyber threat landscape. For public entities therefore, compliance is not merely a means to avoid penalties but a strategic investment in future-proofing operations, contributing to market stability.