Description
SEBI issues technical clarifications on cybersecurity framework implementation for regulated entities under multiple regulatory jurisdictions.
Summary
SEBI has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities, addressing queries from various market participants. The circular provides specific guidance for entities under multiple regulatory jurisdictions and includes technical clarifications, re-categorization of certain entities, and cyber security audit policy guidelines from CERT-In.
Key Points
- Technical clarifications issued for CSCRF implementation across all SEBI regulated entities
- Special provisions for entities under multiple regulators’ purview (e.g., banks regulated by both SEBI and RBI)
- Four-part clarification structure covering principles, technical aspects, re-categorization, and audit guidelines
- Addresses queries received from various regulated entities seeking extensions and clarifications
- Builds upon previous circulars and FAQs issued since August 2024
Regulatory Changes
- Clarified application of CSCRF for entities regulated by multiple authorities
- Technical specifications and implementation guidelines updated
- Re-categorization framework for Portfolio Managers and Merchant Bankers
- Integration of CERT-In cyber security audit policy guidelines
- Harmonization of cybersecurity requirements across different regulatory frameworks
Compliance Requirements
- All SEBI regulated entities must implement the clarified CSCRF requirements
- Entities under multiple regulators must follow specific principles outlined in Part-A
- Portfolio Managers and Merchant Bankers subject to re-categorization requirements
- Compliance with CERT-In cyber security audit policy guidelines mandatory
- Previous timeline extensions and clarifications remain applicable
Important Dates
- Original CSCRF issued: August 20, 2024
- Previous extensions granted: March 28, 2025 and June 30, 2025
- Current clarifications effective: August 28, 2025
- Implementation timelines as per previous extension circulars apply
Impact Assessment
- High impact on all SEBI regulated entities requiring comprehensive cybersecurity framework implementation
- Particularly significant for entities under multiple regulatory jurisdictions needing a harmonized compliance approach
- Affects operational procedures, IT infrastructure, and risk management frameworks
- Potential cost implications for system upgrades and audit compliance
- Enhanced cybersecurity posture across the Indian capital markets ecosystem
Impact Justification
Comprehensive cybersecurity framework clarifications affecting all SEBI regulated entities with cross-regulatory implications