News

SEBI Issues Clarifications on Cybersecurity Framework

The Securities and Exchange Board of India (SEBI) has issued further clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF), which was first introduced in August 2024. Since then, the framework has been updated multiple times—clarified in December 2024, extended in March 2025, further clarified in April 2025, supplemented with FAQs in June 2025, and extended again in June 2025.

Highlights of the clarification include:

  • For SEBI-regulated entities (REs) that are also regulated by other bodies such as the RBI, two principles have been formulated:
    • Principle of Exclusivity: The CSCRF will apply only to systems, applications, infrastructure, and processes used exclusively for SEBI-regulated activities. Shared infrastructure, networks, technology stacks, or security solutions will fall within SEBI’s audit/inspection scope if not already covered by the primary regulator.
    • Principle of Equivalence: CSCRF controls that are already addressed under another regulator’s cybersecurity framework will be deemed compliant, provided the RE adheres to the primary regulator’s framework.
  • Technical clarifications:
    • The definition of critical systems (clause f) has been revised to “Any other system which is on the same network segment where systems mentioned in para (a) to (e) are deployed” instead of including all ancillary systems.
    • The clause on zero-trust security now requires REs to implement strategies such as zero-trust networks, segmentation, high availability, and no single point of failure, with approval from the RE’s IT Committee, thereby replacing the earlier default-deny model.
    • Mobile application security guidelines are recommendatory rather than mandatory.
    • Under RS.CO.S2, instead of issuing press releases or informing stakeholders directly, REs must act in line with their approved Cyber Crisis Management Plan (CCMP).
    • CM.S3 (3.c) now recommends that REs consider deploying a range of security solutions, in consultation with their IT Committee, rather than prescribing specific solutions.
    • Supplier and third-party assessments may be conducted in consultation with the IT Committee.
    • REs need not disclose explicit vulnerabilities in VAPT and cyber audit reports unless specifically requested by SEBI; only summaries must be submitted in the prescribed format.
    • Guidelines for the Protection of National Critical Information Infrastructure (NCIIPC) apply only to REs designated as Critical Information Infrastructure (CII) by NCIIPC.
    • Small-size or self-certification REs with their own SOC may continue using it instead of integrating with Market-SOC.
    • The requirement to resume critical systems within two hours after disruption extends to extreme but plausible scenarios, though REs must exercise judgment to avoid exacerbating risks.
    • ISO 27001 certification is recommended but not mandatory.
    • Stock Exchanges and Depositories must ensure confidentiality and integrity of cyber audit reports submitted by their members.
  • The criteria and threshold for portfolio managers have been revised:
    • Small Size REs: INR 3,000 Cr – 10,000 Cr (earlier INR 1,000 Cr – 3,000 Cr)
    • Mid-Size REs: INR 10,000 Cr and above (earlier INR 3,000 Cr and above)
    • Self-Certification REs: INR 3,000 Cr and below (earlier INR 1,000 Cr and below)
  • The criteria and threshold for merchant bankers have been revised:
    • All active merchant bankers: classified as small-size REs
    • Inactive merchant bankers: exempt from CSCRF
  • REs must follow the Cyber Security Audit Policy Guidelines issued by CERT-In. Stock Exchanges and Depositories, including BSE Limited, are directed to make the necessary amendments to implement these requirements.

In June 2025, SEBI had extended the deadline for compliance with the framework by two months. The threshold revision now lightens the compliance load for portfolio managers by reclassifying many mid-size entities as small-size and expanding the scope for self-certification. This may encourage compliance; however, with only a few days to go, the deadline may be further extended.