The SEBI cloud security framework, introduced through a January 2023 circular, requires every SEBI-regulated entity — stock brokers, depositories, asset management companies, and registrar and transfer agents — to follow a structured compliance process before migrating any workload to the cloud. The framework mandates board-level approval of the cloud adoption strategy, formal data classification into four tiers, comprehensive CSP due diligence, implementation of security controls aligned with the SEBI Cyber Security and Cyber Resilience Framework, and an annual cybersecurity audit. Critical and sensitive data must remain within India's geographic borders at all times. If you operate a stock brokerage, RTA, or AMC in India, this is a regulatory obligation — not optional guidance.
What the January 2023 SEBI Circular Actually Requires
SEBI issued its Cloud Framework circular for regulated entities in January 2023, building on its existing Cyber Security and Cyber Resilience Framework. The circular does not restrict cloud use — it governs how regulated entities must use the cloud, and in what sequence.
The core obligations under the circular are:
- Board approval — The board of directors must formally approve the cloud adoption strategy before any migration begins
- Risk assessment — A cloud risk assessment specific to financial data must be conducted and documented
- CSP due diligence — The Cloud Service Provider must be evaluated against defined criteria including audit rights, data portability, and incident notification timelines
- Data classification — All data must be classified into critical, sensitive, internal, and public tiers before any workload moves to the cloud
- Security controls — Controls aligned to SEBI CSCRF must be implemented and independently verified
- Annual audit — A mandatory annual cybersecurity audit of cloud infrastructure is required
- SEBI reporting — Material incidents and audit findings must be reported to SEBI in accordance with prescribed timelines
The Four-Level Data Classification Mandate
Before a single workload moves to the cloud, SEBI requires regulated entities to classify every category of data they hold. This classification determines which systems can be hosted in the cloud at all, which data can leave on-premises infrastructure, and what controls each data type requires.
| Tier | Examples | Cloud Hosting Rule |
|---|---|---|
| Critical | Investor KYC records, trade data, clearing and settlement data, demat account information | Must remain in India; no cross-border transfer permitted |
| Sensitive | Internal financial models, employee personal data, client PII, internal audit reports | Must remain in India; access strictly controlled and logged |
| Internal | Operational documents, internal communications, project records | Cloud-permitted with appropriate access controls |
| Public | Published research, marketing material, regulatory filings already in the public domain | No restriction on cloud region |
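As an added illustration (not from the circular or from any vendor's tooling), the following Python check applies the table's hosting rules to a constructed cloud resource inventory, treating replica and backup regions as part of the data's location; the region codes, tag values and resource names are assumptions.

```python
from dataclasses import dataclass

# Assumed region identifiers for India-resident hosting; substitute your CSP's real codes.
INDIA_REGIONS = {"ap-south-1", "ap-south-2", "centralindia", "southindia"}

# Hosting rules per tier, taken from the classification table: india_only = data must
# not leave India (primary copy, replicas and backups alike); logging/controls as listed.
HOSTING_RULES = {
    "critical":  {"india_only": True,  "access_logging": True,  "access_controls": True},
    "sensitive": {"india_only": True,  "access_logging": True,  "access_controls": True},
    "internal":  {"india_only": False, "access_logging": False, "access_controls": True},
    "public":    {"india_only": False, "access_logging": False, "access_controls": False},
}

@dataclass
class Resource:
    name: str
    tier: str               # value of the assumed data-classification tag on the resource
    region: str             # region of the primary copy
    replicas: tuple = ()    # regions holding replicas or backups (also a transfer)
    public_access: bool = False
    access_logging: bool = False

def check_resource(r: Resource) -> list[str]:
    """Return human-readable findings for one resource, empty if compliant."""
    rule = HOSTING_RULES.get(r.tier)
    if rule is None:  # untagged or unknown tier: cannot be hosted until classified
        return [f"{r.name}: unclassified (tier={r.tier!r}); classify before migration"]
    findings = []
    offshore = sorted(({r.region} | set(r.replicas)) - INDIA_REGIONS)
    if rule["india_only"] and offshore:
        findings.append(f"{r.name}: {r.tier} data located outside India in {offshore}")
    if rule["access_controls"] and r.public_access:
        findings.append(f"{r.name}: {r.tier} data is publicly accessible")
    if rule["access_logging"] and not r.access_logging:
        findings.append(f"{r.name}: {r.tier} data access is not logged")
    return findings

def check_inventory(resources: list[Resource]) -> list[str]:
    return [f for r in resources for f in check_resource(r)]

# Constructed sample inventory (not real resources); yields four findings.
SAMPLE_INVENTORY = [
    Resource("kyc-records", "critical", "ap-south-1", replicas=("us-east-1",), access_logging=True),
    Resource("trade-data", "critical", "ap-south-1", replicas=("ap-south-2",), access_logging=True),
    Resource("hr-records", "sensitive", "ap-south-1"),
    Resource("project-docs", "internal", "eu-west-1", public_access=True),
    Resource("marketing-site", "public", "us-east-1", public_access=True),
    Resource("legacy-bucket", "", "ap-south-1"),
]
```

Running `check_inventory` over a real inventory export, with the tier read from the classification tag and replica regions from the backup configuration, gives the technical residency evidence the annual audit asks for.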
Board-Level Governance: The Approval That Cannot Be Delegated
The SEBI circular is explicit that cloud adoption strategy must receive formal board approval. This is deliberate. SEBI treats cloud migration as a material operational risk decision — the same category of decision that requires board-level sign-off under the SEBI CSCRF's governance framework.
What this means in practice:
- A technology committee or IT steering committee resolution alone is not sufficient — the full board must formally resolve to approve the strategy
- The approved strategy must document which workloads will migrate, which CSPs are approved, what data classification applies, and how risks will be mitigated
- Significant changes in CSP, cloud region, or workload scope require the board approval process to be revisited
- Board minutes must retain evidence of this approval for auditors and SEBI examination
Compliance sequence (from the diagram): Board Approval of Cloud Adoption Strategy → Cloud Risk Assessment → CSP Due Diligence and Selection → Data Classification Into Four Tiers → Security Controls Implementation → Annual Cybersecurity Audit → SEBI Reporting and Disclosure.
CSP Due Diligence: What the Contract Must Guarantee
SEBI requires regulated entities to formally evaluate their Cloud Service Provider before signing any contract. This is not a sales checklist — it is a legal and regulatory prerequisite. The due diligence must be documented and available for auditor review.
Key contractual requirements:
- Audit rights: The regulated entity, or its appointed auditor, must have the contractual right to audit the CSP's infrastructure and controls relevant to the hosted data — including physical access to data centres on reasonable notice
- Data portability: On contract termination, the CSP must provide all data in a portable format within a defined timeframe, at no prohibitive cost
- Incident notification: The CSP must commit to notifying the regulated entity of any security incident affecting their data within a defined SLA — typically 1 hour or less — to allow the regulated entity to meet its own 6-hour CERT-In reporting obligation
- Data residency guarantees: A contractual representation that critical and sensitive data will be stored and processed only within Indian geographic boundaries
- Sub-processor disclosure: Any fourth parties who handle regulated entity data must be named, disclosed in advance, and bound by equivalent standards
- Exit assistance: The CSP must commit to providing transition assistance for a defined period after contract termination
SEBI Cloud Security Framework: Controls Under CSCRF
The SEBI Cyber Security and Cyber Resilience Framework, which regulated entities must already comply with for on-premises infrastructure, extends directly to cloud environments. SEBI does not treat cloud as a separate security domain — the same control categories apply, adapted for the shared responsibility model.
The primary domains covered under the SEBI CSCRF cloud control framework, with the relative weight the page's chart assigns to each, are:
- Data Security and Privacy (25%)
- Access Management (20%)
- Resilience and Availability (20%)
- Vendor Management (15%)
- Audit and Logging (12%)
- Incident Response (8%)
Data Security and Privacy covers encryption at rest and in transit, key management ownership, data masking in non-production environments, and data loss prevention controls. The regulated entity is responsible for managing encryption keys — not delegating key custody entirely to the CSP.
Access Management requires multi-factor authentication for all privileged access to cloud management consoles and production environments, role-based access controls, regular access reviews, and privileged access management tooling with full session logging.
Resilience and Availability mandates formally defined and tested Recovery Time Objectives and Recovery Point Objectives. For trading systems, downtime during market hours is a material regulatory risk, not merely an operational inconvenience.
Vendor Management covers ongoing monitoring of CSP performance against contractual SLAs, contract compliance tracking, and the management of CSP-concentration risk.
Audit and Logging requires centralised log management with immutable audit trails, retained for the periods specified in SEBI CSCRF, accessible to regulators and auditors on request.
Incident Response defines the internal response process, escalation paths, and regulatory reporting obligations — particularly the CERT-In mandatory notification timeline.
Resilience Requirements: RTO, RPO, and Business Continuity
One of the most practically demanding aspects of the SEBI cloud framework is the resilience mandate. Regulated entities cannot simply rely on their CSP's uptime SLA and assume compliance. They must formally define, document, and test:
- Recovery Time Objective: The maximum acceptable time for a system to be restored after a disruption — measured from the point of failure declaration
- Recovery Point Objective: The maximum acceptable data loss measured in time — i.e., how far behind the point of failure the most recent recoverable copy of the data may be
- Business Continuity Plan: A documented plan covering cloud failure scenarios, including partial CSP outage, full regional outage, and CSP-initiated service termination
- DR drill frequency: Annual testing is the minimum; SEBI CSCRF recommends more frequent testing for critical trading systems
The Annual Cybersecurity Audit: What Auditors Will Examine
SEBI mandates an annual cybersecurity audit for all regulated entities. Where cloud infrastructure is in scope, auditors specifically examine whether the SEBI cloud framework's requirements are being met in practice — not just on paper.
| Audit Area | What Is Assessed |
|---|---|
| Cloud configuration | Misconfigurations in IAM policies, object storage access controls, network security groups, and public exposure |
| Access control | MFA enforcement across all privileged accounts, access log completeness, separation of duties |
| Encryption | Encryption at rest and in transit, key rotation schedules, key custody arrangements |
| Data residency | Technical and contractual evidence that critical and sensitive data has not left India |
| Incident response | IR plan completeness, evidence of tabletop exercises and live DR drill outcomes |
| Vendor contracts | Audit rights clause, data portability terms, incident notification SLA, sub-processor list |
| Log management | Centralised log aggregation, log immutability controls, retention period compliance |
Automated vulnerability assessment of cloud infrastructure — covering misconfiguration detection, exposure analysis, and access control gap identification — is an effective way to identify issues before the formal auditor does. Bachao.AI provides automated VAPT scanning that maps findings to security control frameworks, giving compliance teams a continuous view of their cloud security posture ahead of the annual audit cycle.
CERT-In Incident Reporting: The 6-Hour Regulatory Clock
Under CERT-In's mandatory incident reporting directions, all regulated entities must report cybersecurity incidents to CERT-In within 6 hours of detection. This timeline applies to cloud-hosted infrastructure as much as on-premises systems — the hosting model does not change the reporting obligation.
The SEBI cloud framework reinforces this by requiring the CSP's incident notification SLA to be set at a timeline that gives the regulated entity enough time to assess, escalate internally, and still meet its 6-hour CERT-In obligation.
The regulatory incident chain therefore works as follows:
- CSP detects an incident affecting the regulated entity's environment
- CSP notifies the regulated entity within its contractual SLA (typically under 1 hour)
- Regulated entity assesses the scope and classifies the incident
- Regulated entity notifies CERT-In within 6 hours of detection
- If the incident is material, SEBI is notified as required by CSCRF
For context on how investor personal data obligations intersect with cloud security — particularly under the Digital Personal Data Protection Act 2023 — the DPDP compliance guidance covers the personal data angle in detail.
Preparing for Your First SEBI Cloud Compliance Cycle
If your organisation is beginning its SEBI cloud compliance journey, the sequencing matters as much as the checklist. Board approval must come first — it is the gating prerequisite for everything else. Data classification must follow before any workload can be evaluated for cloud migration. CSP due diligence must be completed, and contracts signed to satisfaction, before production data moves.
Practical steps to get started:
- Inventory your data — Know what you hold before you classify it. A data mapping exercise covering all investor records, transaction data, and internal systems is the necessary starting point
- Commission a board resolution — Prepare a formal cloud adoption strategy document for board consideration, including risk assessment, CSP shortlist, and data residency commitments
- Review CSP contracts against SEBI requirements — Existing contracts with cloud providers may need to be amended to include the required audit rights, portability, and notification clauses
- Engage a CERT-In empanelled auditor — SEBI expects the annual cybersecurity audit to be conducted by a qualified independent third-party auditor. For cloud infrastructure, a CERT-In empanelled partner delivers the depth of assessment that SEBI requires
- Build your incident response plan — Map it explicitly to the 6-hour CERT-In reporting window and SEBI internal escalation procedures
You can read the primary source — the SEBI Cloud Framework circular and the SEBI CSCRF — directly on the SEBI website. CERT-In's reporting directions are at cert-in.org.in. MeitY's cloud policy guidance, which informs the data residency framework, is at meity.gov.in.
Published by Dhisattva AI Pvt Ltd, a DPIIT Recognized Startup building India's automated security testing platform.