In March 2023, SEBI (Securities and Exchange Board of India) formulated a framework with nine principles for the adoption of cloud services by regulated entities (REs). As a regulated entity, are you prepared? Read on to find out.
On March 6, 2023, a circular by Shweta Banerjee, Deputy General Manager of the Securities and Exchange Board of India (SEBI), was issued under the title ‘Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)’.
The circular outlines nine principles and requirements for REs to consider when adopting cloud computing. The framework was developed after studying and consulting with market participants, regulators, cloud associations, cloud service providers, government agencies, and SEBI Advisory Committees.
But before we go any further, let us look at the categories under SEBI-registered entities (REs).
The “framework for the adoption of cloud services” circular opens with a definition of cloud computing and highlights its advantages: reduced IT costs, scalability, business continuity, accessibility, higher performance and availability, and quick application and deployment.
Vaultastic is a cloud-based archiving solution offered by Mithi Software Technologies Pvt. Ltd. It is a Software-as-a-Service (SaaS) platform, which means that it is hosted in the cloud and accessed via a web browser or API.
Vaultastic is hosted on the AWS public cloud across regions (including the India region). AWS is empanelled with the Ministry of Electronics and Information Technology (MeitY) of India, a government agency responsible for promoting the development of the electronics and IT sectors in India. As an empanelled Cloud Service Provider (CSP) with a valid Standardisation Testing and Quality Certification (STQC), AWS has demonstrated compliance with Indian government standards for cloud services. Mithi’s cloud-native archiving service, Vaultastic, is compliant with major regulations such as HIPAA, GDPR, SEBI, RBI, and IRDAI, and is continually audited for vulnerabilities by independent third parties.
This principle states that REs require board-approved governance and risk management strategies for cloud computing. It includes the adoption of cloud service models, classification of services to be onboarded, protection of stakeholder interests, and compliance with legal and regulatory requirements.
REs have the flexibility to choose their deployment model based on business needs and technology risk assessment but must adhere to SEBI/Government of India/state government rules and regulations. SEBI has approved the following:
Along with
Vaultastic as a SaaS platform built on the AWS Public Cloud service has more benefits than the Private Cloud as outlined below:
| Aspect | Private Cloud | SaaS on the Public Cloud |
|---|---|---|
| Costs | Setting up a private cloud can be expensive, especially in terms of initial setup costs, ongoing maintenance, and staffing. | Vaultastic offers pay-as-you-go pricing, which means you pay only for what you use. This optimizes up to 60% of costs for organizations while also improving cash flow. |
| Scalability | A private cloud may offer limited scalability depending on the resources available. Organizations may need to invest in additional hardware and software to scale their private cloud infrastructure, which can be costly and time-consuming. | Vaultastic as a SaaS offers unlimited scalability, allowing you to add or remove resources to meet changing demands. This is particularly beneficial for businesses that experience seasonal spikes in demand or need to scale up or down rapidly based on market conditions. |
| Risks | Keeping data physically in-house or in a data center leaves it vulnerable to physical threats such as theft, fire, flood, and natural disasters. In addition, if the data center is not secured correctly or if the in-house security measures are not robust, the data can be susceptible to hacking and cyberattacks. | Vaultastic leverages the shared responsibility model of the cloud, where the CSP is responsible for security OF the cloud and Vaultastic for security IN the cloud. CSPs have robust security measures to protect customer data and prevent unauthorized access. They also typically have teams of experts dedicated to monitoring and responding to security threats. |
More and more industries, especially financial institutions, are moving to the public cloud, as evidenced here. And Vaultastic/Mithi can help you make your transition to the public cloud a smooth experience.
While REs have a role in selecting a CSP, managing board and key management duties to oversee cloud deployment, Vaultastic can provide data services to help with
Vaultastic can further assist REs in identifying and mitigating risks as well as offering technical expertise in cloud deployment and integration with existing IT infrastructure.
This principle states that data related to REs, in any form, stored or processed in the cloud should reside only with MeitY-empanelled CSPs holding a valid audit status. For PaaS and SaaS services, the RE should select only cloud applications that use MeitY-empanelled data centers and should have clear agreements with partners/vendors/subcontractors covering security, contractual, regulatory, and disaster recovery requirements.
Mithi uses AWS, which has achieved full empanelment with MeitY and completed the STQC audit, as the infrastructure platform for its data archiving solutions. Mithi, the provider of Vaultastic, conducts periodic risk assessments on its partners and third-party vendors to identify and address gaps in service provision. In addition, Mithi’s cloud platform has built-in disaster recovery to address any RPO or RTO concerns.
REs shall retain complete ownership of all their data, and the application provider and CSP shall act only in a fiduciary capacity. The RE and SEBI have the right to access any data at any time. The application provider must give the RE and SEBI visibility into its infrastructure and processes.
Data must be stored and processed within the legal boundaries of India; in the case of foreign investors, the original data must still be available in India. REs are responsible for data security and for compliance with laws, regulations, and SEBI requirements, and must monitor the CSP for compliance with those regulations.
REs are accountable for all aspects of cloud services adopted by them, including confidentiality, integrity, and security of data and logs and compliance with applicable laws and regulations. Responsibilities between the RE and CSP must be demarcated and added to the agreement. REs shall have the ultimate responsibility and liability for any violation of laws, regardless of the demarcation of responsibilities.
All SLAs/ contracts/ agreements implemented by Mithi delineate responsibilities, and Mithi is committed to amending contracts to comply with future SEBI regulations.
This principle sets guidelines for securing the cloud computing infrastructure. It requires REs to assess CSPs to ensure adequate security controls are in place, covering vulnerability management and patch management, vulnerability assessment and penetration testing (VAPT), incident management and SOC integration, continuous monitoring, secure user management, secure software development, managed service providers and system integrators, and encryption and cryptographic key management.
The principle further states that the CSP should support Bring Your Own Key (BYOK) and the RE should adopt Bring Your Own Encryption (BYOE), so that the RE retains control over encryption and key management.
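The following is an added example, not Mithi's, Vaultastic's or AWS's code, showing what "the RE retains control over encryption and key management" means concretely: envelope encryption in which each archived object is encrypted under a fresh data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that never leaves the RE's custody (an HSM in practice), and the provider stores only ciphertext plus the wrapped DEK. All class and function names, the `kek-2023-01` identifier and the sample email record are constructed for illustration. Because Python's standard library has no AES, the symmetric primitive is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag; a deployment would use AES-256-GCM from a vetted library or an HSM-backed KMS, but the key hierarchy, not the cipher, is the point being demonstrated.

```python
"""BYOE envelope encryption sketch (added example; hypothetical names throughout)."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, replace

# Constructed sample record standing in for one archived email.
SAMPLE_RECORD = b"From: cfo@example-re.in\r\nSubject: Q4 board pack\r\n\r\nAttached."

# --- symmetric primitive: HMAC-SHA256 keystream (CTR-style) + HMAC tag ------------
# 64-byte keys: first 32 bytes drive the keystream, last 32 bytes authenticate.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)               # fresh nonce per encryption
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag                       # layout: nonce | ct | tag

def _decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time tag check first
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# --- key hierarchy -------------------------------------------------------------------

class RegulatedEntityKeyCustodian:
    """The RE's side of BYOE: the KEK is generated here and never exported.
    Stands in for an HSM or customer-managed KMS key (hypothetical class)."""

    def __init__(self, kek_id: str):
        self.kek_id = kek_id
        self._kek = secrets.token_bytes(64)

    def wrap(self, dek: bytes) -> bytes:
        return _encrypt(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return _decrypt(self._kek, wrapped_dek)

@dataclass(frozen=True)
class ArchivedObject:
    """Everything the SaaS provider stores for one object. Note: no KEK."""
    object_id: str
    ciphertext: bytes
    wrapped_dek: bytes
    kek_id: str

def archive(custodian: RegulatedEntityKeyCustodian, object_id: str, plaintext: bytes) -> ArchivedObject:
    dek = secrets.token_bytes(64)                 # one DEK per object
    return ArchivedObject(object_id, _encrypt(dek, plaintext), custodian.wrap(dek), custodian.kek_id)

def retrieve(custodian: RegulatedEntityKeyCustodian, obj: ArchivedObject) -> bytes:
    if custodian.kek_id != obj.kek_id:
        raise ValueError("object was wrapped under a different KEK")
    return _decrypt(custodian.unwrap(obj.wrapped_dek), obj.ciphertext)

def provider_can_read(obj: ArchivedObject) -> bool:
    """Simulates the provider attempting decryption with the only material it holds
    plus a guessed key: without the RE's KEK the DEK cannot be unwrapped."""
    try:
        _decrypt(secrets.token_bytes(64), obj.wrapped_dek)
        return True
    except ValueError:
        return False

def tampered_is_rejected(custodian: RegulatedEntityKeyCustodian, obj: ArchivedObject) -> bool:
    """Flip one ciphertext byte at rest; the tag check must refuse to decrypt it."""
    ct = bytearray(obj.ciphertext)
    ct[20] ^= 0x01                                # byte inside the ct body, after the nonce
    try:
        retrieve(custodian, replace(obj, ciphertext=bytes(ct)))
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    re_keys = RegulatedEntityKeyCustodian("kek-2023-01")
    stored = archive(re_keys, "msg-0001", SAMPLE_RECORD)
    print("round trip ok:", retrieve(re_keys, stored) == SAMPLE_RECORD)
    print("provider can read:", provider_can_read(stored))
    print("tampering rejected:", tampered_is_rejected(re_keys, stored))
```

Two properties follow directly from the structure: rotating or destroying the KEK in the custodian makes every wrapped DEK, and therefore every object, unreadable without re-encrypting the bulk data (useful when exercising an exit strategy), and the provider's audit logs can record which `kek_id` protected each object without ever holding the key itself.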
Mithi’s cloud platform is protected at 7 layers to ensure compliance with SEBI’s security framework requirements. Namely:
Mithi will implement or assist with BYOK and BYOE, as well as the storage of encryption keys in approved HSMs, at the request of the RE.
Finally, while maintaining traditional security mechanisms, Mithi is committed to continuously improving its secure software development practices across micro-services, APIs, containers, and serverless architecture.
This principle discusses the importance of a clear and enforceable agreement between a CSP and an RE, so that the RE’s interests are protected, its risk management needs are met, and regulatory compliance is maintained. The agreement should include provisions on audit, VAPT, incident reporting, compliance with legal requirements, performance criteria, and data storage within legal boundaries.
Mithi creates SLAs/contracts/agreements that align with SEBI guidelines. REs are free to perform their own VAPT audits on the solution.
This principle states that REs must evaluate and ensure that their Business Continuity Plan (BCP) complies with the cloud framework and other guidelines issued by SEBI. They should also evaluate the cyber resilience of the CSP and conduct periodic Disaster Recovery (DR) drills per SEBI’s circulars/guidelines. Moreover, REs need a contingency plan to handle any disruption or shutdown of cloud services effectively.
Mithi’s cloud platform delivers robust BCP readiness with built-in disaster recovery and extremely high data durability. The entire cloud solution undergoes AWS Foundational Technical Review (FTR) audits, in which the solution is checked for reliability, security, availability, performance, and more. The audit also includes DR drills.
Mithi can assist REs with their BCP framework, make their own BCP framework available for review, and provide a preparedness report on their BCP steadfastness, DR drills, and cyber resilience for RE/SEBI’s review.
This principle states that REs should assess CSP lock-in and concentration risks before entering an agreement and should evaluate the agreement periodically thereafter. To mitigate these risks, REs should consider cloud-ready and CSP-agnostic solutions and develop exit strategies with risk indicators, triggers, scenarios, migration options, and so on.
Mithi has a customer-friendly exit policy that ensures data portability and, for large data sets, physical shipment of the data.
For REs not yet using cloud services, the framework applies immediately. For REs currently using cloud services in any form, SEBI has allotted 12 months to achieve compliance with the framework. Additionally, they must provide SEBI with regular updates against the timeline milestones below: