Implementing and Automating the Cyber Capability Index (CCI) as per SEBI’s CSCRF

The Securities and Exchange Board of India (SEBI) has formulated the Cybersecurity and Cyber Resilience Framework (CSCRF) to strengthen the cybersecurity posture of Regulated Entities (REs) in the Indian securities market. The CSCRF aims to address ever-evolving cyber threats and ensure the resilience of REs against cybersecurity incidents and attacks. It achieves this by establishing standards and guidelines for enhancing cybersecurity and promoting robust cybersecurity practices.

Cyber Capability Index (CCI): A Measurement Tool 

Within the CSCRF framework, the Cyber Capability Index (CCI) plays a pivotal role in evaluating and monitoring the cybersecurity maturity of specific RE categories. It utilises 23 parameters with different weightages to assess an RE’s cybersecurity preparedness and resilience, covering various aspects of cybersecurity function, from governance to operational controls. 

Based on the calculated index value, REs are categorized into six distinct cybersecurity maturity levels, ranging from “Exceptional” to “Fail”. The rating categories are as follows: 

• Exceptional Cybersecurity Maturity (Index score of 100-91) 

• Optimal Cybersecurity Maturity (Index score of 90-81) 

• Manageable Cybersecurity Maturity (Index score of 80-71) 

• Developing Cybersecurity Maturity (Index score of 70-61) 

• Bare Minimum Cybersecurity Maturity (Index score of 60-51) 

• Fail (Index score of <= 50) 

Who Needs to Comply with the CCI? 

The CCI applies to two specific categories of REs: 

• Market Infrastructure Institutions (MIIs): These include entities like Stock Exchanges, Depositories, and Clearing Corporations. 

• Qualified REs: These are determined based on specific criteria outlined in the CSCRF 

MIIs are mandated to undergo a third-party assessment of their cyber resilience using the CCI every six months. Qualified REs, on the other hand, are required to perform a self-assessment using the CCI annually.  Both MIIs and Qualified REs must submit evidence of their CCI assessments to SEBI within 15 days of completion. 

Why is the CCI Important?  

The CCI offers REs a valuable tool to: 

• Evaluate Cybersecurity Maturity: By providing a quantifiable measure of cybersecurity preparedness and resilience, the CCI enables REs to accurately assess their progress and effectiveness in implementing cybersecurity measures. 

• Identify Areas for Improvement: The CCI’s comprehensive assessment across 23 parameters helps REs pinpoint weaknesses and vulnerabilities within their cybersecurity framework. This allows them to develop targeted strategies to strengthen their overall cybersecurity posture. 

• Enhance Compliance: The CCI serves as a mechanism for REs to demonstrate their adherence to the CSCRF and ensure ongoing compliance with the stipulated cybersecurity standards. 

Automating the CCI: Streamlining Compliance 

The CSCRF emphasizes the importance of automation in streamlining the CCI compliance process. REs are encouraged to develop automated tools and dashboards, preferably integrated with a log aggregator, to facilitate the efficient collection and analysis of relevant data. 

Here’s how automation can enhance CCI compliance: 

• Real-time Monitoring: Automated tools can continuously track key cybersecurity parameters identified in the CCI, enabling the prompt identification of potential risks and deviations from established baselines. This real-time monitoring capability strengthens the proactive security posture of REs.

• Efficient Data Collection: Automation simplifies the process of gathering evidence required for CCI assessments. Automated tools can collect and aggregate data from various sources, including security logs, configuration settings, and user activity, reducing the burden on REs and ensuring data accuracy. 

• Simplified Reporting: With automation, REs can generate comprehensive and accurate CCI reports for submission to SEBI. Automated reporting tools can collate the collected data, perform calculations as per the CCI methodology, and present the results in standardized formats, saving time and effort. 

The CSCRF recommends that REs make automated dashboards available during cyber audits, onsite inspections, or audits conducted by SEBI or any agency appointed by SEBI. 

CyberNX can help Regulated Entities (REs) to implement CCI and automate the dashboard creation process. Contact us for all your CSCRF compliance requirements.