o To address requirements related to Governance Risk and Compliance, organizations have in recent past onboarded GRC Solutions, some of these are being operated in Software as a Service (SaaS) Cloud Model. The data contained in the GRC Solution are critical in nature.
o In this context SEBI has issued a circular titled “Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions” and is attached herewith as Annexure 1.
Ø Following is the gist of the communication received from SEBI.
o Ministry of Electronics & Information Technology, Govt. of India (MoE & IT), has informed SEBI that the financial sector institutions are availing or thinking of availing Software as a Service (SaaS) based solution for managing their Governance, Risk & Compliance (GRC) functions so as to improve their cyber Security Posture. As observed by MoE & IT, though SaaS may provide ease of doing business and quick turnaround, but it may bring significant risk to health of financial sector as many a time risk and compliance data of the institution moves beyond the legal and jurisdictional boundary of India due to nature of shared cloud SaaS, thereby posing risk to the data safety and security.
o In this regard, Indian Computer Emergency Response Team (CERT-in) has issued an advisory for Financial Sector organizations. The advisory has been forwarded to SEBI for bringing the same to the notice of financial sector organization.
o It is advised to ensure complete protection and seamless control over the critical systems at your organizations by continuous monitoring through direct control and supervision protocol mechanisms while keeping the critical data within the legal boundary of India.
o The compliance of the advisory shall be reported in the half yearly report by Stock Brokers and Depository Participants to Stock Exchanges and Depositories respectively and by direct intermediaries to SEBI with an undertaking, “Compliance of the SEBI circular for Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions has been made.”
For and on behalf of BSE Ltd,
Shri. Devendra Kulkarni
DGM ISMS / Cyber Security
Shri. Shivkumar Pandey
Group Chief Information Security Officer