Overview
- Who is impacted: The Securities and Exchange Board of India (SEBI) is the primary regulatory authority for the securities market in India. It was established to protect investor interests and promote market development, but its guidelines also impact cybersecurity professionals at regulated entities (REs) operating in India, especially those with cloud infrastructures.
- Why now: India's securities market is decisively cloud-powered, which means security controls and audit readiness must keep pace. It’s estimated that 80% of corporate banks in India have migrated their operations to the cloud.
- What SEBI requires: Encryption, identity governance, continuous monitoring, incident readiness, and third-party oversight, all implemented and demonstrable.
- How to ensure compliance: Turn policy into enforceable, day-to-day controls across AWS, Azure, GCP, and on-premises environments.
Introduction
Cybersecurity in India's securities market is under the spotlight like never before. As more tools and services shift to cloud-hosted infrastructure, the benefits of scale and agility come with new risks. Even small lapses can lead to significant financial and reputational damage.
At a recent address, SEBI Chief Tuhin Kanta Pandey issued a sharp reminder of how fragile today’s digital infrastructure can be:
"A small glitch in a trading algorithm can trigger market disruption in milliseconds. A misconfigured server can give malicious actors a way in. A compromised account can lead to damaging data leaks."
To improve stability and trust in the industry, SEBI introduced the Framework for Adoption of Cloud Services by Regulated Entities (REs), published in Circular No.: SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033. The framework sets clear expectations for how REs must secure cloud workloads, applications, and data, helping close gaps that traditional approaches often miss.
Why SEBI’s Guidelines Matter
Cybersecurity in financial markets has always been high stakes, but the shift to cloud has magnified the risks. In his address, Pandey highlighted the infamous Knight Capital incident of 2012, where a dormant trading algorithm was accidentally reactivated—causing a $440 million loss in just 45 minutes. He also pointed to the 2010 breach of a major US stock exchange where hackers compromised a board portal, shaking investor confidence despite trading operations remaining unaffected.
His message is clear: even small mistakes can have big consequences. As India's securities market increasingly relies on the cloud, REs must strengthen their defenses, not just against external attacks, but also against internal misconfigurations, faulty application programming interfaces (APIs), and compromised accounts.
SEBI's framework directly addresses these concerns, setting expectations for data confidentiality, operational resilience, supply chain security, and more.
Who Are Regulated Entities (REs)?
Under SEBI, REs include stock exchanges, depositories, asset management companies, and other pivotal organizations in the securities market. For these entities, compliance with SEBI’s guidelines is critical to maintaining the trust and integrity of the financial ecosystem. Non-compliance can lead to severe financial, legal, and reputational consequences, making it imperative for REs to fortify their cloud security posture in alignment with SEBI.
The Core Objectives and Pillars of SEBI's Cybersecurity Guidelines
Beyond best practices, SEBI's guidelines are targeted responses to the real-world risks financial institutions face as they expand across hybrid and multi-cloud environments. The key objectives of these guidelines include:
To achieve these objectives, SEBI's cybersecurity framework is built on a set of core pillars that address the most critical areas of cloud risk. These pillars focus on safeguarding sensitive investor data, maintaining consistent protections across environments, ensuring operational resilience, managing third-party risk, and enabling real-time threat detection.
Data Confidentiality & Investor Trust
Investor data is one of the most sensitive forms of information. In the cloud, this data often moves across distributed, multi-tenant systems, sometimes spanning multiple geographies.
SEBI's mandates around encryption, identity management, and access control ensure that even in the shared responsibility model of the cloud, sensitive trading and investor data remain protected from both external attackers and insider threats.
Unified Security Across Hybrid & Multi-Cloud
Market intermediaries rarely operate in a single environment: AWS, Azure, GCP, and on-premises data centers often work together. Without regulatory baselines, these environments could have inconsistent controls.
SEBI's focus on audits, logging, and configuration baselines ensures that workloads meet a consistent security standard, no matter where they live.
Operational Resilience in a High-Speed Market
Downtime, whether due to ransomware, a misconfigured firewall, or a cloud region failure, can have far-reaching consequences such as trading disruptions and settlement failures that destabilize the financial ecosystem.
SEBI's requirements for business continuity, disaster recovery, and failover readiness help prevent downtime by mapping to cloud strategies like multi-region deployments, geo-redundant backups, and regular DR drills.
Managing Third-Party & Supply Chain Risks
Modern cloud deployments rely heavily on APIs, managed services, and third-party SaaS tools. This interconnectedness creates new supply chain vulnerabilities.
SEBI's vendor due diligence clauses ensure that third-party cloud services are held to the same security standards as the financial institution, preventing a small vendor weakness from becoming a systemic risk.
Proactive Threat Detection
In financial markets, the cost of delayed detection is high. Even brief gaps in visibility can allow threats to spread and compromise sensitive information before remediation steps can be taken.
SEBI's push for real-time monitoring, anomaly detection, and incident reporting translates into cloud-native measures like SIEM/SOAR integrations, GuardDuty alerts, and automated incident response workflows.
From Regulation to Practice: Mapping SEBI's Requirements to Cloud Security
SEBI's framework sets clear expectations for what REs must achieve to strengthen their cloud security posture. The table below pairs each requirement with our recommended best practices, plus why they are critical in today’s cloud environments.
| SEBI Cybersecurity Requirement | Cloud Security Best Practice | Why It Matters in the Cloud |
|---|---|---|
| Data Encryption at Rest & In Transit | Use AWS KMS, Azure Key Vault, GCP Cloud KMS; enable TLS 1.2+; encrypt object storage & databases | Protects investor/trading data in multi-tenant environments |
| Strong Access Control & IAM | Enforce least privilege, enable multi-factor authentication (MFA), apply role-based access controls (RBAC) in Kubernetes and virtual machines (VMs) | Prevents unauthorized access via compromised credentials |
| Regular Security Audits & Compliance Checks | Automate CIS Benchmark scans; use AWS Config, Azure Security Center, GCP SCC | Maintains consistent security posture across environments |
| Incident Detection & Response | Enable CloudTrail, Activity Logs, Audit Logs; integrate security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tools | Reduces breach detection-to-response time |
| Disaster Recovery & Business Continuity | Deploy workloads in multi-availability zone (AZ)/region; automate backups; run disaster recovery (DR) drills | Minimizes downtime during outages or attacks |
| Vendor & Third-Party Risk Management | Review vendor security; demand SOC 2 / ISO 27001; secure APIs | Prevents supply chain vulnerabilities |
| Threat Intelligence & Anomaly Detection | Integrate threat feeds; enable anomaly detection on IAM & network traffic | Identifies threats before major damage occurs |
| Patch & Vulnerability Management | Automate operating system (OS) & container patching; scan images before deployment | Closes known vulnerabilities before they're exploited |
Principle 6.2 in Action: Implementing SEBI's Cloud Security Controls
Cloud adoption brings agility, scalability, and cost efficiency, but it also introduces shared security responsibilities. While Cloud Service Providers (CSPs) secure the infrastructure they manage, SEBI’s Principle 6.2 – Security in the Cloud places a clear obligation on REs to safeguard their own workloads, applications, and data in the cloud. These requirements are as follows:
1. Vulnerability & Patch Management
SEBI suggests that every RE must maintain a strong patch management process for the systems they manage in the cloud. Regular vulnerability scanning, timely patching of operating systems and applications, and proactive hardening of services reduce the attack surface and help prevent known exploits.
2. Regular Vulnerability Assessments and Penetration Testing (VAPT)
SEBI expects REs to conduct periodic VAPT exercises to uncover misconfigurations, insecure APIs, or weak access policies. These tests should be carried out before new systems go live and at defined intervals, ensuring that vulnerabilities are identified and fixed well within regulatory timelines.
3. Incident Management and SOC Integration
SEBI says that incidents in the cloud must be treated with urgency. REs should have a well-defined incident response plan, tightly integrated with their Security Operations Center (SOC). Cloud workloads should be monitored in real time, with alerts and events feeding directly into SOC workflows for rapid detection, investigation, and response.
4. Continuous Compliance Monitoring
Cloud environments change frequently, making static security checks insufficient. SEBI emphasizes ongoing monitoring of cloud resources, ensuring that configurations, access controls, and CSP compliance remain aligned with SEBI’s cybersecurity guidelines at all times.
5. Secure User Management
Access to CSP-managed resources must follow strict controls based on the principle of least privilege. SEBI says administrators and privileged users should have time-bound, justifiable access, with mandatory MFA and comprehensive audit logging.
6. Security of Interfaces
Interfaces are entry points that attackers can exploit. SEBI outlines three specific focus areas:
- Management Interfaces: Must be protected with MFA, firewalls, and restricted network access.
- Internet-Facing Interfaces: Should be secured with web application firewalls (WAF), anti-distributed denial-of-service (DDoS) protections, API gateways, and encrypted connections.
- Inter-Organization Interfaces: Links between REs, CSPs, or third parties must be secured using Internet Protocol Security (IPsec), virtual private networks (VPNs), or equivalent safeguards to prevent interception or unauthorized access.
7. Secure Software Development
When CSPs provide platform-level services, they must adopt secure development practices, embedding security from design to deployment. SEBI expects CSPs to implement zero-trust principles, secure APIs, and fine-grained access control mechanisms to reduce risks.
8. Managed Service Provider (MSP) and System Integrator (SI)
Engaging MSPs or SIs adds complexity. SEBI says CSPs must have clear, enforceable agreements with their partners or subcontractors to ensure that security controls are consistently applied across the supply chain.
9. Encryption and Cryptographic Key Management
CSPs handling platform-level encryption must manage the full lifecycle of cryptographic keys securely. REs should ensure that encryption practices meet SEBI’s data confidentiality, privacy, and integrity standards.
10. Endpoint Security
Endpoints and networks connecting to cloud services must not be weak links. SEBI recommends implementing antivirus tools, Data Loss Prevention (DLP), micro-segmentation of networks, and monitoring tools like cloud access security broker (CASB) or secure access service edge (SASE) solutions for visibility and policy enforcement.
11. Network Security
SEBI says that REs must have a robust, isolated, and encrypted backup and recovery plan. Backups should be tested regularly to ensure that ransomware, accidental deletions, or cloud outages do not disrupt critical business operations.
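Items 4 and 5 above (continuous compliance monitoring and time-bound privileged access), together with the encryption and logging rows of the table, can be expressed as a policy-as-code check that is re-run on every inventory snapshot. The following is an added example, not code from SEBI's circular or from the original article. The inventory field names, resource ids, and the 8-hour access ceiling are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=8)  # assumed ceiling for time-bound privileged access
MIN_TLS = (1, 2)                # TLS 1.2+, per the table's encryption row

def tls_tuple(value):
    """'1.2' -> (1, 2); a missing or unparseable value sorts below any real version."""
    try:
        return tuple(int(p) for p in str(value).split("."))
    except ValueError:
        return (0,)

def evaluate(resources, now):
    """Return {(resource_id, control)} findings; absent fields fail closed."""
    findings = set()
    for r in resources:
        rid, kind = r["id"], r["kind"]
        if not r.get("audit_logging", False):
            findings.add((rid, "audit-logging"))
        if kind in ("storage", "database"):
            if not r.get("encrypted_at_rest", False):
                findings.add((rid, "encryption-at-rest"))
            if tls_tuple(r.get("min_tls")) < MIN_TLS:
                findings.add((rid, "tls-minimum"))
        elif kind == "privileged_grant":
            if not r.get("mfa", False):
                findings.add((rid, "mfa"))
            if not r.get("justification"):
                findings.add((rid, "justification"))
            expires = r.get("expires")  # flag missing, lapsed, or over-long grants
            if expires is None or expires <= now or expires - now > MAX_GRANT:
                findings.add((rid, "time-bound-access"))
    return findings

def drift(previous, latest, now):
    """Findings in the latest snapshot that the previous snapshot did not have."""
    return evaluate(latest, now) - evaluate(previous, now)

# Constructed snapshots; field names are hypothetical, not any CSP's API schema.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
GRANT = {"id": "grant-ops-admin", "kind": "privileged_grant", "mfa": True,
         "justification": "ticket-placeholder", "audit_logging": True}
BUCKET = {"id": "bucket-trades", "kind": "storage", "encrypted_at_rest": True, "audit_logging": True}
BASELINE = [{**BUCKET, "min_tls": "1.2"}, {**GRANT, "expires": NOW + timedelta(hours=4)}]
LATEST = [{**BUCKET, "min_tls": "1.0"}, {**GRANT, "expires": None},
          {"id": "db-investors", "kind": "database", "min_tls": "1.3", "audit_logging": False}]
if __name__ == "__main__":
    for rid, control in sorted(drift(BASELINE, LATEST, NOW)):
        print(f"NEW FINDING {rid}: {control}")
```

Comparing snapshots rather than checking once is what surfaces the downgraded TLS setting and the grant whose expiry was removed after the baseline passed.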
Acquiring the Right Tools to Achieve SEBI Continuous Compliance
Translating SEBI requirements into day-to-day operations can be challenging. Many REs struggle with fragmented toolsets that lack interoperability, poor visibility across hybrid and multi-cloud environments, and the highly manual effort required to maintain continuous compliance.
The good news is that with the right solution—a cloud native application protection platform (CNAPP)—REs can seamlessly align technical controls, automate compliance checks, and embed continuous monitoring into daily workflows.
By transforming compliance from a reactive audit task into an automated governance framework, organizations that adopt this approach can:
- Maintain real-time visibility of their cloud security posture
- Reduce manual work and operational overhead
- Respond faster to incidents and vulnerabilities
- Remain ready to pass regulatory audits at any time