
SEBI's New Cybersecurity Framework: Compliance and Key Features Explained

Introduction

On August 20, 2024, the Securities and Exchange Board of India (SEBI) issued the Cybersecurity and Cyber Resilience Framework (CSCRF) to strengthen cybersecurity and cyber resilience requirements for all entities regulated in the Indian securities market. The framework supersedes SEBI's earlier cybersecurity circulars and seeks to address the growing threat of cyber incidents while staying aligned with recognised industry standards.

Overview of CSCRF

The CSCRF offers detailed guidelines aimed at assisting entities like stock brokers, mutual funds, and investment advisors to effectively anticipate, withstand, contain, recover from, and adapt to cyber threats. It categorizes entities based on size and operational scope, implementing a structured compliance methodology.

Key Features:

  • Security Operation Centres (SOC): Mandated establishment of SOCs, with options for self-management or external providers to support compliance for smaller entities.
  • Compliance Deadlines: Timelines vary by entity category. MIIs, KRAs, QRTAs and DPs must comply by April 1, 2025, while the remaining regulated entities must comply by June 30, 2025.
  • Guideline Accessibility: Detailed compliance guidelines, including reporting formats, are available in the “Legal” section of the SEBI website.
  • Regulatory Forbearance: The Circular dated December 31, 2024 (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184) allows forbearance until March 31, 2025, enabling regulated entities (REs) to show progress towards compliance without incurring penalties.
  • Data Localization Deferral: Requirements for data localization concerning "IT and Cybersecurity Data" have been deferred, permitting offshore storage with specific safeguards pending further consultation.

Background

  1. SEBI initially issued a Cybersecurity and Cyber Resilience framework in 2015 focused on Market Infrastructure Institutions (MIIs), later expanding frameworks for other regulated entities, including stock brokers and mutual funds.
  2. Continuous advisories have been provided by SEBI to enhance cybersecurity practices across these entities.
  3. To establish a robust cybersecurity standard in the Indian securities market, the CSCRF was developed through extensive consultations with stakeholders, superseding existing guidelines.

Objective

The CSCRF primarily aims to:

  • Address emerging cyber threats.
  • Align with industry standards.
  • Promote effective audits.
  • Ensure stringent compliance among all SEBI-regulated entities.

Approach

The framework is standards-based and emphasizes five cyber resilience objectives from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In):

  1. Anticipate
  2. Withstand
  3. Contain
  4. Recover
  5. Evolve

These five objectives are mapped onto six cybersecurity functions around which the framework's standards and guidelines are organised:

  • Governance
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Entity Classification and Compliance Structure

The CSCRF uses a graded classification of regulated entities (REs), dividing them into five categories based on operational thresholds such as number of clients and trading volume, so that the depth of the required controls scales with the entity's size and systemic importance:

  1. Market Infrastructure Institutions (MIIs)
  2. Qualified REs
  3. Mid-Sized REs
  4. Small-Sized REs
  5. Self-Certified REs

Compliance methodologies within the framework are organized into four parts:

  • Part I: Objectives and Standards
  • Part II: Guidelines
  • Part III: Compliance Formats
  • Part IV: Annexures and References

The CSCRF places particular weight on governance and on managing supply-chain (third-party and vendor) risk, and it addresses specific technical controls such as data classification, API security, and measuring SOC effectiveness.

Applicability

The CSCRF is applicable to a diverse array of entities, including but not limited to:

  • Alternative Investment Funds (AIFs)
  • Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
  • Clearing Corporations
  • Credit Rating Agencies (CRAs)
  • Mutual Funds (MFs) and Asset Management Companies (AMCs)

Implementation Timeline

The adoption timeline set in the August 20, 2024 circular (later revised by the December 31, 2024 circular noted under Key Features) was:

  • For the six categories of REs that already had cybersecurity frameworks: compliance by January 1, 2025.
  • For REs covered by a cybersecurity framework for the first time: compliance by April 1, 2025.

Entities must implement necessary systems to ensure compliance with the CSCRF provisions and submit cyber audit reports according to the specified timelines.

Conclusion

The CSCRF is designed to bolster the cybersecurity and cyber resilience of regulated entities in the Indian securities market, so that entities of all sizes are prepared to anticipate, withstand, and recover from cyber threats. The circular, effective from August 20, 2024, is issued under Section 11(1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors and promote the development of, and regulate, the securities market.