The Securities and Exchange Board of India (SEBI) on Monday unveiled a framework for the adoption of cloud services by stock exchanges, clearing corporations and other regulated entities (REs) including depositories, stock brokers through exchanges, asset management companies (AMCs) and KYC registration agencies (KRAs).
According to the regulator, the cloud framework is a principles-based framework that covers governance, risk and compliance (GRC), selection of cloud service providers (CSPs), data ownership and data localisation, due diligence by RE, security controls, legal, and regulatory obligations, among others.
The framework, which has nine high-level principles, highlights the risks associated with cloud adoption and recommends the necessary mandatory controls. The cloud framework has been drafted to provide baseline standards for security and for legal and regulatory compliance by the REs. It will be in addition to the existing circulars, guidelines and advisories of SEBI.
“While cloud computing offers multiple advantages viz. ready to scale, ease of deployment, no overhead of maintaining physical infrastructure etc., the RE should also be aware of the new cybersecurity risks and challenges which cloud computing introduces,” SEBI noted.
In one of its principles, the statement said the REs shall put in place an effective GRC sub-framework for cloud computing to enable them to formulate a cloud strategy suitable for their circumstances or needs. The RE shall also adhere to the governance framework mentioned in various circulars issued by SEBI.
In terms of cloud risk management, the statement said there is a paradigm shift in how cloud technology is built and managed in comparison with traditional on-premise infrastructure. Therefore, comprehensive risk management should be undertaken by the RE to continually identify, monitor, and mitigate the risks posed by cloud computing. The cloud risk management approach should be approved by the board of the RE.
According to the SEBI statement, the data on cloud should reside/be processed within the legal boundaries of India. However, for those investors whose country of incorporation is abroad, original data of the REs should be made available and easily accessible in legible and usable form within the legal boundaries of India.
The framework will come into force immediately for all new or proposed cloud onboarding assignments/projects of the REs. REs that are currently availing cloud services should ensure that, wherever applicable, all such arrangements are revised and brought into compliance with the framework within 12 months.