SEBI comes out with framework for adoption of cloud services
Mar 07, 2023
Mumbai (Maharashtra) [India], March 7: Markets regulator SEBI has come out with a principle-based framework for the adoption of cloud services by stock exchanges, clearing corporations and other entities.
The framework is based on the study, survey, and consultations done with market participants, regulators, cloud associations, cloud service providers (CSPs), government agencies, and SEBI Advisory Committees, according to a statement from the Securities and Exchange Board of India (SEBI).
According to a statement from SEBI, the cloud framework provides mandatory requirements to be fulfilled by the regulated entity (RE) for adopting cloud computing to augment the business prospects through scalability, reduced operational cost, digital transformation and reduced information technology (IT) infrastructure complexity.
The framework, which has nine high-level principles, highlights the risks associated with cloud adoption and recommends the necessary mandatory controls.
The document also recommends baseline security measures required to be implemented by the RE and the CSP, and the RE may decide to add further measures as per its business needs, technology risk assessment, risk appetite, compliance requirements in all the applicable circulars/guidelines/advisories issued by SEBI from time to time, etc.
In one of its principles, the statement said the REs shall put in place an effective governance, risk and compliance (GRC) sub-framework for cloud computing to enable them to formulate a cloud strategy suitable for their circumstances or needs. The RE shall also adhere to the governance framework mentioned in various circulars issued by SEBI.
In terms of cloud risk management, the statement said there is a paradigm shift in how cloud technology is built and managed in comparison with traditional on-premise infrastructure. Therefore, comprehensive risk management should be undertaken by the RE to continually identify, monitor, and mitigate the risks posed by cloud computing. The cloud risk management approach should be approved by the board of the RE.
The cloud risk management approach shall provide details regarding the various risks of cloud adoption such as technical, legal, business, regulatory etc., and the commensurate risk mitigation controls which should be proportionate to the criticality and sensitivity of the data/operations to be on-boarded on the cloud.
According to the SEBI statement, the data on cloud should reside/be processed within the legal boundaries of India. However, for those investors whose country of incorporation is abroad, original data of the REs should be made available and easily accessible in legible and usable form within the legal boundaries of India.