The cloud framework was designed to provide basic security standards and legal and regulatory compliance by the Regulated Entities (REs). It will be an addition to Sebi’s existing circulars, guidelines and recommendations.

“The primary purpose of this framework is to highlight the key risks and mandatory controls that REs need to take before adopting cloud computing. The document also sets out the regulatory and legal compliances of REs when adopting such solutions. The framework is effective immediately for any new or proposed cloud onboarding engagements or projects by REs.

Cloud computing is the on-demand delivery of IT resources over the Internet with pay-to-use fees. Instead of buying and maintaining computer products and services, one can pay to use a cloud computing service and save time, effort, and expense.

REs currently consuming cloud services should ensure that all such agreements are revised as appropriate and aligned with the framework within 12 months. Recently, the reliance on cloud computing for the delivery of IT services has increased.

“While cloud computing offers several benefits, namely scalability, ease of deployment, no overhead for maintaining physical infrastructure, etc., RE should also be aware of the new cybersecurity risks and challenges that cloud computing brings,” noted Sebi.

According to the regulator, the cloud framework is a principles-based framework that covers governance, risk and compliance (GRC), selection of cloud service providers (CSPs), data ownership and data localization, due diligence by REs, security controls and legal and regulatory obligations, among others.