Get in Touch
Get in Touch


SEBI Advisory: Cloud services adoption framework – Key Takeaways

May 4, 2023

Asish Karunakaran   

Asish Karunakaran, Vice President & Head of Financial Services Cloud, Tata Communications

The Securities and Exchange Board of India (SEBI) introduced a new cloud framework for its regulated entities (REs)* on March 6, 2023. This framework is aimed at enabling REs to adopt cloud while maintaining data security, privacy, and regulatory compliance. In this article, Asish Karunakaran, Vice President and Head of Financial Services Cloud at Tata Communications, will discuss the key takeaways from the SEBI advisory framework.

It’s essential for REs* to optimise cloud-enabled transformation and achieve holistic operational efficiency and transformation. After all, the varied benefits of cloud will shape the future of how services are delivered by these entities.

In this regard, SEBI’s cloud framework provides a comprehensive set of guidelines for REs* to safely unlock value at scale with cloud.

Key takeaways from the SEBI advisory framework

The new SEBI guidelines should be viewed as an extension of the existing framework, although this can sometimes be challenging for REs*, particularly those who are new to the cloud.

Here are some of the crucial takeaways from the latest SEBI guidelines:

  • Mandatory empanelment with the Ministry of Electronics and Information Technology (MeitY): REs* must only choose the services of cloud service providers (CSPs) that are empanelled with MeitY and hold valid STQC audit status, because they’re solely accountable for the confidentiality, integrity and security of their data. As such, REs* are required to perform a detailed due diligence before selecting the CSPs. They must also ensure they’re continuously adhering to the guidelines and controls prescribed by regulators, including encryption requirements, log retention, isolation and auditability.
  • Mandatory establishment of security operations centres (SOCs): All cloud deployments made by REs* should be monitored and managed through SOCs. These include all in-house, third-party and managed cloud services.
  • Keeping data within the geographical boundaries of the nation, country risk and concentration risk: Data localisation is one of the significant mandates of SEBI. REs* must ensure that onboarding CSPs to adopt cloud doesn’t compromise data integrity and security. The entities are required to have adequate contingency and exit strategies to mitigate risk to the country.
  • Anytime auditability by SEBI or Government of India -certified bodies: SEBI has been steadfast about auditability. The framework clearly states that SEBI and other GOI-certified regulators have complete authority to conduct audits of REs* data logs and their cloud adoption practises at any time. This mandate brings the entire cloud chain – the REs*, the CSPs and the third parties – under the ambit of SEBI and GOI.
  • Seizure of CSP resources if necessary: The framework even goes one step ahead and states SEBI can seize logs, hardware, and any other resource deemed necessary in their pursuit for transparency and weeding out irregularities. REs* must accept this mandate to comply with the framework.
  • Mandatory tripartite agreement between the REs*, CSPs and CSP vendors/partners: For the new mandates to bear desired results, SEBI has also instructed REs* to enter three-way agreements with their CSPs and third-party stakeholders. This is to ensure that all parties are on the same page and the cloud journey is both fruitful and secure.
  • Mandatory exit strategy: REs* using Software as a service (SaaS) and Platform as a service (PaaS) tend to rely heavily on native cloud capabilities, thereby increasing risk of vendor lock in. Hence, the framework emphasises that REs* must have an exit strategy in place to mitigate any future risks. This means that REs* should adopt an extremely cautious approach while selecting a cloud provider, as well as at the time of designing the stack and the services going to be consumed.


Relevance of private and community cloud

In alignment with SEBI’s framework, a hybrid of private and community cloud is more suitable for maintaining compliance with ever evolving regulatory guidelines. This is because while public cloud alone offers more capabilities, it’s also reliant on native capabilities which leave REs* more vulnerable to data breaches and security lapses.

However, private and community cloud provide significant advantages over public cloud since its offers flexibility in aligning controls and compliance with stringent guidelines from regulators. Here are some of the essential benefits of private and community cloud for REs*:

  • Control: Private and community cloud can allow REs* to have enhanced control over their data and information. This is key for them to always secure their data assets, as prescribed by SEBI.
  • Security: Unlike public cloud, private and community cloud enable REs* to remain on top of their data and user controls without heavily relying on third parties and external stakeholders.
  • Customisation and compliance: These are important advantages as REs* have greater freedom to customise their cloud operations in compliance with the SEBI guidelines.
  • Predictability and cost control: Private and community cloud operates in a niche environment which allows deliverables and services to be highly customisable. And in turn, this enables control on the cost.


In conclusion

SEBI’s cloud adoption framework is a positive development for the financial sector in India. With the increasing adoption of cloud technology in the sector, it’s essential that appropriate safeguards are in place to protect sensitive data. SEBI’s framework addresses this and paves a way towards a more secure and efficient financial sector in India by guiding REs* with a clear roadmap for adopting cloud while keeping data secure and staying compliant.

As highly skilled domain experts with years of experience and in-depth knowledge of the financial services industry, Tata Communications can partner with you on your cloud journey. We thrive on the principles of focused customer centricity, enhanced operational interoperability, strengthened core competencies, and improved compliance and governance.

Our private, industry specific cloud solutions are aimed at helping our clients optimise their data, ensure complete security and maintain compliance with changing guidelines. Based on these, our team can help you expedite and optimise cloud adoption in line with SEBI’s guidelines.

Learn how Tata Communications’ IZO™ Financial Cloud Services can help you create a cloud ecosystem that is purpose built for your business, while ensuring you stay compliant with all regulatory requirements.

*Please Note: The advisory is applicable to the below REs:

  • All Stock Exchanges
  • All Clearing Corporations
  • All Depositories
  • All Stockbrokers through Exchanges
  • All Depository Participants through Depositories
  • All Mutual Funds / Asset Management companies / Trustee Companies / Boards of Trustees of Mutual Funds / Association of Mutual Funds of India
  • All KYC registration agencies
  • All Qualified registrars to an issue / share transfer agent