A robust exposure management program can help regulated entities curb cyber security threats: Rajnish Gupta, Tenable India
A few months ago, India’s stock market regulator, SEBI, rolled out the Cyber Security and Cyber Resilience Framework. This framework is intended to ensure that regulated entities, from stock exchanges to portfolio managers, adopt comprehensive cyber security measures that can withstand, contain, and recover from cyber attacks. In an exclusive interaction with Express Computer, Rajnish Gupta, Managing Director & Country Manager, Tenable India, outlines how this framework aims to safeguard the integrity of India’s financial systems by strengthening cyber security protocols and why financial organisations need to align their cyber security strategies with overall business risk.
Why is SEBI’s Cyber Security and Cyber Resilience Framework crucial to the cyber security domain at this juncture?
The frequency and severity of cyber attacks have escalated globally, targeting financial markets and institutions. With India’s financial service organisations adopting AI technologies and moving data to the cloud due to various digitisation initiatives, the risk of data breaches, ransomware, and phishing has increased significantly. SEBI’s framework aims to safeguard the integrity of India’s financial systems by strengthening cyber security protocols.
However, capital market organisations must not wait for regulations to adopt a preventive approach to cyber security. As a critical infrastructure sector, these organisations must establish effective proactive security mechanisms to make it more difficult for cyber adversaries to be successful in their attempts.
How does this framework stack up against other international frameworks?
It aligns with the National Institute of Standards and Technology’s (NIST) Cyber Security Framework functions, which include identify, detect, protect, respond, recover, and governance. However, SEBI’s framework is broader, with a greater focus on the need for better vulnerability assessments for new software developments. The new framework is also positive towards installing robust accountability mechanisms, where financial organisations need to align their cyber security strategies with overall business risk. It also places importance on having appropriate oversight towards cyber security from the top leadership within organisations.
What risks do regulated entities take on with a reactive approach to cyber security?
India’s financial sector was the second most targeted sector by cyber adversaries in 2024. With threat actors leveraging attack paths in the cloud, a reactive cyber security posture would prevent organisations from detecting threats early, leaving them vulnerable to data breaches, which can greatly affect market stability and investor confidence.
With reactive measures, organisations will be left firefighting threats and resorting to incident response and damage control, instead of actively preventing these attacks from happening in the first place. In such a situation, it’s only a matter of “when” an attack takes place. This can lead to operational disruptions that can damage the organisation’s credibility. India’s increasing reliance on digital platforms for trading and financial services makes it critical for regulated entities to adopt a preventive approach to cyber security such as exposure management.
Regulated entities are among the first to adopt cyber security measures. In the current scenario, with cloud migration and rapid digitisation, what aspects of security are often overlooked?
Cloud adoption among regulated entities has introduced several critical cyber risks that are often overlooked — leading to what can be termed the ‘Toxic Cloud Trilogy’. It involves the presence of critically vulnerable, overly privileged and publicly exposed cloud assets. In the rush to deploy cloud services, organisations often overlook the importance of robust cloud security, which addresses these three critical risks.
In multi and hybrid cloud environments, it becomes more difficult to gain complete visibility into all of these cloud assets as traditional security measures struggle to keep up with the dynamic nature of the cloud. Regulated entities are challenged with effectively keeping track of all cloud assets, blinding them to business-critical vulnerabilities. Without comprehensive visibility into the cloud infrastructure, identifying risks becomes nearly impossible.
Additionally, hybrid cloud environments rely on third-party vendors, such as cloud service providers and SaaS platforms. Organisations often lack visibility into the security posture of these vendors. A vulnerable third-party system, if not continuously assessed, can become the entry point for cyber attacks, putting critical financial data at risk.
How can stock exchanges, portfolio management organisations, and other regulated entities protect themselves against the rising threat of cyber attacks?
Implementing a robust exposure management program is the key to overcoming existing cyber security challenges. It empowers organisations to assess their vulnerabilities, prioritize remediation efforts, and streamline their cyber security operations.
Exposure management unifies security visibility, insight, and action across the entire attack surface, helping organisations isolate and eliminate priority cyber exposures — be it from IT infrastructure, cloud environments, or critical infrastructure. It sheds light on risk relationships across siloed solutions, identifying and fixing priority exposures and reducing overall business risk. Exposure management is a preventive approach to security that can help regulated entities curb threats before they turn into large-scale attacks.