The Securities and Exchange Board of India (Sebi) has laid down a principle-based framework for cloud adoption and recommended baseline security measures required to be implemented by Sebi-registered entities (REs) and cloud service providers (CSP). The framework talks about governance, risk and compliance, selection of CSPs, data ownership and data localisation, due-diligence by REs, security controls, legal and regulatory obligations, and vendor lock-in risks.
REs should have a management structure to monitor and control the activities and services deployed on cloud. REs have to conduct regular audits/VAPT of its cloud deployments.
Cloud services shall be taken only from the Ministry of Electronics and Information Technology-empanelled CSPs. The CSPs’ data centres should hold a valid STQC (or any other equivalent agency appointed by the government of India) audit status. Data shall be encrypted at all lifecycle stages.
The engagement with a CSP having the country of registration outside of India exposes the RE to country risk. To manage such risk, wherever applicable, REs shall closely monitor the CSPs’ country, government policies and its political, social, economic and legal conditions on a continuous basis, and establish sound procedures for mitigating the country risk.
REs have to retain the complete ownership of all its data and logs, and encryption keys residing in cloud. The CSP will work only in a fiduciary capacity. REs, Sebi and any other government authority shall always have the right to access any or all of the data at any or all point of time.
Also read: Share market holidays March 2023: NSE Nifty, BSE Sensex to remain closed for 10 days this month
The data on cloud should reside/be processed within the legal boundaries of India. For investors whose country of incorporation is outside India, REs shall keep the original data available and easily accessible in legible and usable form within the legal boundaries of India. The CSP shall notify the RE of any cybersecurity incident.
A clear and enforceable cloud service provider engagement agreement should be in place to protect Res’ interests, risk management needs and ability to comply with supervisory expectations.