SEBI Clarifies Cybersecurity Framework for Regulated Entities
The Securities and Exchange Board of India (SEBI) recently issued a clarification regarding the scope and applicability of its Cybersecurity and Cyber Resilience Framework (CSCRF). This announcement, made on a Thursday, is aimed at clarifying which systems fall under this regulatory framework, specifically focusing on those used solely for activities monitored by SEBI. The move has been designed to address concerns over potential overlaps with the responsibilities held by other regulatory bodies.
Key Focus Areas of the CSCRF Framework
One of the critical points emphasized by SEBI is that any shared infrastructure not already regulated by the Reserve Bank of India (RBI) or a comparable authority must adhere to the CSCRF audit requirements. This measure is aimed at ensuring that cybersecurity standards remain uniform across various system types. As institutions grow increasingly reliant on shared digital platforms, this consistency is essential for maintaining a secure operating environment.
In a notable concession, SEBI confirmed that regulated entities (REs) already compliant with existing cybersecurity directives from the RBI or other equivalent regulators would not be required to duplicate their efforts under the CSCRF. This streamlined approach is intended to ease the operational burdens often faced by entities subject to dual regulation.
Defining Critical Systems and Cybersecurity Practices
The CSCRF has delineated what constitutes a "critical system." According to the framework, critical systems include any that significantly impact core operations, store or transmit regulatory data, or support client-facing applications. To bolster cyber resilience, SEBI has urged REs to embrace zero-trust principles. These include strategies such as network segmentation, ensuring high availability, and eliminating single points of failure, all under the guidance of their IT Committees.
While the framework provides guidelines for mobile applications, it categorizes these as recommendatory rather than mandatory. In the event of a cyber crisis, REs are expected to act according to their internal Cyber Crisis Management Plan without issuing press releases during such incidents.
Encouragement of Risk Assessment Practices
SEBI encourages the use of tools like threat simulations, vulnerability assessments, and decoy systems to enhance cybersecurity practices. However, the regulator has clarified that these tools are not compulsory. It is essential, nonetheless, for entities to actively evaluate cybersecurity risks, particularly those arising from third-party vendors, in collaboration with their IT Committees.
Moreover, SEBI has highlighted the need for safeguarding cyber audit reports. The regulator has specified that stock exchanges and depositories must implement adequate measures to maintain the confidentiality and integrity of these reports as they handle submissions from their members.
Focus on Disaster Recovery Standards
As part of the CSCRF, SEBI has established stringent requirements for disaster recovery. Regulated entities must be capable of resuming critical operations within a two-hour timeframe (known as the Recovery Time Objective, or RTO) and must ensure that data can be recovered within 15 minutes (referred to as the Recovery Point Objective, or RPO). Entities are also advised to have contingency plans in place for situations where these recovery benchmarks cannot be met.
Revised Classification for Portfolio Managers and Merchant Bankers
In another development, SEBI has revised the classification thresholds for regulated entities under the CSCRF. Portfolio Managers with Assets Under Management (AUM) exceeding ₹10,000 crore will be recognized as Qualified REs. Those managing between ₹3,000 crore and ₹10,000 crore will be defined as Mid-size REs, while those managing less than ₹3,000 crore will fall into the Small-size RE category. Portfolio Managers below the minimum threshold for that category may benefit from simplified compliance requirements by being recognized as Self-certification REs.
For Merchant Bankers (MBs), SEBI clarified that all active MBs, meaning those engaged in merchant banking functions during the designated period, will be classified as Small-size REs for compliance purposes. In contrast, inactive MBs will be exempt from CSCRF obligations.
Through these initiatives and clarifications, SEBI aims to strengthen the cybersecurity framework for regulated entities while minimizing redundancy and operational burden. This approach not only enhances the resilience of individual entities but also contributes to the overall security of the financial market ecosystem.