On November 27, 2020, the BSE issued a notice (20201127-7) as an advisory for financial organizations that have onboarded GRC solutions operated in the SaaS cloud model. Since the data held in or circulated through these solutions is generally critical in nature, SEBI issued an advisory for such organizations.
The BSE notice summarized the communication received from SEBI in this regard, as follows:
● While SaaS may improve the ease of doing business and result in quick turnaround times, it may also increase the risk to the health of the financial sector, since the risk and compliance data of an institution employing SaaS may often move beyond the legal and jurisdictional boundary of India. This is because of the nature of shared cloud solutions, and in turn, this poses a risk to the safety and security of organizational data.
● Given this potential risk, the Indian Computer Emergency Response Team (CERT-In) had issued an advisory for organizations operating in the financial sector. That advisory had been forwarded to SEBI, so the regulator could bring the details to the notice of such financial organizations.
● The said advisory suggested that such organizations use continuous monitoring, through direct control and supervision protocol mechanisms, to ensure complete protection of and seamless control over their critical systems, while also keeping critical data within the legal boundary of India.
● Compliance with this advisory is to be reported in the half-yearly report by Stock Brokers to Stock Exchanges, by Depository Participants to Depositories, and by direct intermediaries to SEBI. This report is to be accompanied by an undertaking that reads, “Compliance of the SEBI circular for Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions has been made.”