The Securities and Exchange Board of India’s (Sebi’s) proposed cloud framework covering data localisation, risk assessment and data ownership has raised concern among the foreign investor fraternity.
Asia Securities Industry & Financial Markets Association (ASIFMA), which represents members like CLSA, Citi, abrdn, BlackRock, Barclays, among others, has requested the capital markets regulator not to impose local data storage and processing requirements.
In a letter to Sebi, the association has argued that data localisation will expose financial institutions (FIs) to greater cybersecurity risks by creating a more decentralised environment, which could inhibit central oversight and information sharing across borders.
“Local processing will negatively impact FIs’ global operation, their ability to undertake activities at a global level and cross-border service offering,” ASIFMA noted.
Typically, global firms consolidate their systems in a single global hub, while Sebi, in the consultation paper, has said that the data should reside or be processed within the legal boundaries of India.
Sebi had floated the consultation paper on cloud framework on November 4, highlighting key risks and control measures that need to be considered by regulated entities before adopting cloud-based solutions.
The association has expressed commitment to providing Sebi with timely access to the data needed to meet the regulatory mandate.
However, overseas investors have asked for more changes in the proposed cloud framework, including shared responsibility from cloud service providers (CSPs) along with the FIs in security and compliance. They have also argued that cloud risks should not be treated any differently from other third-party risks.
In the proposed framework, Sebi has suggested that there will be no shared responsibility or joint ownership of any function, task, activity between the regulated entity and CSP. Sebi’s stand on delineating responsibilities is in line with the industry practice.
“We recommend that Sebi enable FIs to leverage existing operational risk management, outsourcing, resilience and cybersecurity framework, instead of developing a new cloud-specific framework,” said the association.
Overseas investors have also requested the market watchdog to take into account the operating model of foreign global firms in India for audits, cloud governance framework, and cloud strategy. The letter to Sebi also requests the draft framework to be limited to public cloud and not to internal or private cloud of firms, which is used to service affiliated banks, securities, and asset management entities.
Furthermore, the association has suggested that Sebi take a principles- and risk-based approach, allowing the firms the flexibility to adopt evolving control measures that best fit their risk profile and to benefit from future developments and innovation.