Description
SEBI issues technical clarifications on its cybersecurity framework, covering principles for multi-regulated entities, technical guidelines, and audit policy requirements.
Summary
SEBI has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities, addressing queries received from market participants. The circular provides guidance on principles for entities under multiple regulators, technical clarifications, re-categorisation of Portfolio Managers and Merchant Bankers, and cyber security audit policy guidelines from CERT-In.
Key Points
- Technical clarifications issued in response to queries from regulated entities
- Framework applies to all SEBI regulated entities including AIFs, stock exchanges, mutual funds, depositories, and intermediaries
- Addresses challenges faced by entities regulated by multiple authorities (SEBI, RBI, etc.)
- Provides specific guidance on implementation and compliance requirements
- References previous circulars and FAQs issued between August 2024 and June 2025
Regulatory Changes
- Part-A covers principles for REs under multiple regulators’ purview (SEBI and RBI)
- Part-B provides technical clarifications on framework implementation
- Part-C addresses re-categorisation of Portfolio Managers and Merchant Bankers
- Part-D incorporates Cyber Security Audit Policy Guidelines from CERT-In
- Clarifies compliance requirements for entities with dual regulatory oversight
Compliance Requirements
- All listed SEBI regulated entities must comply with cybersecurity framework requirements
- Entities under multiple regulators need to follow specific principles outlined in Part-A
- Technical implementation must align with clarifications provided in the circular
- Cyber security audits must follow CERT-In guidelines as specified in Part-D
- Portfolio Managers and Merchant Bankers are subject to updated categorisation requirements
Important Dates
- Original CSCRF circular dated August 20, 2024
- Multiple extensions and clarifications issued between December 2024 and June 2025
- Current technical clarifications dated August 28, 2025
- Implementation timelines as per previous extension circular dated June 30, 2025
Impact Assessment
- High impact on all SEBI regulated entities requiring cybersecurity compliance upgrades
- Particularly affects banks and financial institutions under dual regulation (SEBI-RBI)
- Standardizes cybersecurity practices across the securities market ecosystem
- Enhances protection of market infrastructure and investor data
- May require significant IT infrastructure investments and policy updates by regulated entities
Impact Justification
Mandatory cybersecurity framework compliance affects all SEBI regulated entities, with specific technical requirements and audit policies.