Description
SEBI issues technical clarifications on cybersecurity framework implementation for regulated entities under multiple regulatory jurisdictions.
Summary
SEBI has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) originally released in August 2024. This circular addresses queries from regulated entities and provides specific guidance for entities operating under multiple regulatory jurisdictions, along with re-categorization of certain entity types and technical implementation details.
Key Points
- Technical clarifications provided in four parts: principles for multi-regulator entities, technical clarifications, re-categorization of Portfolio Managers and Merchant Bankers, and CERT-In audit policy guidelines
- Special provisions for SEBI regulated entities that are also regulated by other authorities like RBI (e.g., custodians, depository participants, merchant bankers who are also banks)
- References five previous circulars and FAQs issued between August 2024 and June 2025 providing extensions and clarifications
- Applies to all major categories of SEBI regulated entities including AIFs, stock exchanges, mutual funds, brokers, depositories, and rating agencies
Regulatory Changes
- Establishes clear principles for entities under multiple regulatory frameworks to avoid conflicting compliance requirements
- Re-categorizes Portfolio Managers and Merchant Bankers within the cybersecurity framework structure
- Incorporates CERT-In’s Cyber Security Audit Policy Guidelines as part of the compliance framework
- Provides technical implementation guidance based on industry feedback and queries
Compliance Requirements
- All SEBI regulated entities must implement the cybersecurity framework as per the original August 2024 circular and subsequent clarifications
- Entities under multiple regulators must follow specified principles to ensure coordinated compliance
- Must adopt cyber security audit policies aligned with CERT-In guidelines
- Specific compliance timelines and requirements detailed in referenced previous circulars (extensions granted through June 2025)
Important Dates
- Original CSCRF issued: August 20, 2024
- Previous extensions granted: December 2024, March 2025, June 2025
- Current clarification issued: August 28, 2025
- Implementation deadlines referenced in previous circulars remain applicable
Impact Assessment
- High impact on all SEBI regulated entities requiring comprehensive cybersecurity infrastructure upgrades
- Particular significance for entities operating under multiple regulatory jurisdictions, which need a coordinated compliance approach
- Enhanced cyber resilience requirements will necessitate significant IT infrastructure investments and policy updates across the securities market ecosystem
- Framework aims to strengthen overall market infrastructure security and data protection capabilities
Impact Justification
The cybersecurity framework affects all SEBI regulated entities with mandatory compliance requirements.