SEBI on Monday made it mandatory for all the regulated entities (REs) to adopt the new cloud framework.

The framework sets out the regulatory and legal compliance obligations that REs (exchanges, clearing corporations, asset management companies, depositories, brokerages, KYC registration agencies and others) must meet if they adopt cloud services.

SEBI said that the cloud framework is a principle-based framework which covers governance, risk and compliance (GRC), data localisation, data ownership and process visibility, access, risk assessment and due-diligence on cloud service provider (CSP), security controls, legal and regulatory obligations, disaster recovery (DR) and Business Continuity Plan (BCP) and vendor lock-in.

“The framework shall come into force with immediate effect for all new or proposed cloud onboarding assignments/projects of the REs,” the SEBI circular said. REs that are already availing cloud services (as on the date of issuance of the framework) should ensure that, wherever applicable, all such arrangements are revised and brought into compliance with the framework within 12 months, the regulator said.

The main purpose of the new framework is to highlight the risks associated with cloud adoption and to prescribe the mandatory controls needed to address them. The document also sets out baseline security measures that must be implemented (by both the RE and the CSP); an RE may add further measures based on its business needs, technology risk assessment, risk appetite, and the compliance requirements in the applicable circulars, guidelines and advisories issued by SEBI from time to time.

The framework requires that cloud services be taken only from CSPs empanelled by the Ministry of Electronics and Information Technology (MeitY), and that the CSP’s data centre hold a valid audit status from the Standardisation Testing and Quality Certification (STQC) directorate (or any other equivalent agency appointed by the Government of India).

The RE remains responsible for ensuring compliance with all legal and regulatory requirements. The RE’s cloud deployments must be monitored through an in-house Security Operations Centre (SOC), a third-party SOC or a managed SOC. The arrangement with the CSP should include provisions allowing the RE to audit and inspect the CSP and its sub-contractors, or to engage a third-party auditor to conduct such audits and inspections, the circular said.