Description

SEBI issues technical clarifications on cybersecurity framework implementation for regulated entities under multiple regulatory jurisdictions.

Summary

SEBI has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities, addressing implementation queries and providing specific guidance for entities under multiple regulatory jurisdictions. The circular covers principles for multi-regulated entities, technical clarifications, re-categorization of Portfolio Managers and Merchant Bankers, and CERT-In cyber security audit policy guidelines.

Key Points

  • Technical clarifications issued in four parts covering different aspects of CSCRF implementation
  • Special provisions for SEBI REs under multiple regulators’ purview (e.g., banks regulated by both SEBI and RBI)
  • Re-categorization guidelines for Portfolio Managers and Merchant Bankers
  • Integration of CERT-In cyber security audit policy guidelines
  • Addresses queries received from various regulated entities seeking extensions and clarifications

Regulatory Changes

  • Clarification of CSCRF application for entities under multiple regulatory frameworks
  • Updated categorization for Portfolio Managers and Merchant Bankers within cybersecurity framework
  • Integration of CERT-In guidelines into existing SEBI cybersecurity requirements
  • Technical specifications for framework implementation across different entity types

Compliance Requirements

  • All SEBI regulated entities must comply with updated CSCRF guidelines including technical clarifications
  • Entities under multiple regulators must follow specific principles outlined in Part-A
  • Portfolio Managers and Merchant Bankers must adhere to re-categorization requirements in Part-C
  • Implementation of CERT-In cyber security audit policy guidelines as specified in Part-D
  • Compliance with all previous CSCRF circulars and FAQs referenced in the document

Important Dates

  • Original CSCRF circular: August 20, 2024
  • Previous clarifications: December 31, 2024; March 28, 2025; April 30, 2025; June 11, 2025; June 30, 2025
  • Current technical clarifications: August 28, 2025

Impact Assessment

  • High impact on all SEBI regulated entities requiring comprehensive cybersecurity framework implementation
  • Particular significance for multi-regulated entities (banks, custodians, DPs, MBs), as it provides clarity on regulatory overlap
  • Enhanced cybersecurity requirements may necessitate additional technology investments and compliance resources
  • Standardization of cybersecurity practices across SEBI regulated entities to improve overall market infrastructure resilience

Impact Justification

High importance due to mandatory cybersecurity compliance requirements affecting all SEBI regulated entities.