Introduction:
Given the rapid technological advancement in the securities market, there was a growing need to maintain robust cyber security and to have a cyber resilience framework that protects the integrity of data and guards against breaches of privacy. SEBI issued a CSCRF for MIIs in 2015. Subsequently, SEBI issued further CSCRFs, in line with the 2015 MIIs circular, for various other REs, as under:
Date | Framework |
---|---|
July 06, 2015 | Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporation and Depositories |
September 08, 2017 | Cyber Security and Cyber Resilience framework for RTAs |
December 03, 2018 | Cyber Security & Cyber Resilience framework for Stock Brokers / DPs |
January 10, 2019 | Cyber Security and Cyber Resilience framework for MFs / AMCs |
October 15, 2019 | Cyber Security & Cyber Resilience framework for KRAs |
March 29, 2023 | Cyber Security and Cyber Resilience framework for Portfolio Managers |
August 20, 2024 | Cyber Security and Cyber Resilience Framework for SEBI REs |
The CSCRF notified on August 20, 2024, supersedes all the earlier frameworks, circulars and guidelines on the captioned subject, thereby bringing all the REs under the single umbrella of a consolidated framework, so as to align with industry standards, enable efficient audits and ensure compliance by SEBI REs.
Initial Implementation Period for CSCRF:
SEBI has provided two different dates for the applicability of the said CSCRF to different REs, as under:
January 01, 2025
Intermediaries for which a CSCRF already existed:
- Stock Exchanges
- Clearing Corporations
- Depositories
- QRTAs
- Stock Brokers
- DPs
- MFs / AMCs
- KRAs
- Portfolio Managers
April 01, 2025
Intermediaries for which no CSCRF existed previously:
- AIFs
- BTI and SCSBs
- CIS
- CRAs
- Custodians
- DTs
- IAs/ RAs
- MBs
- VCFs
Note:
- Securities and Exchange Board of India (SEBI) has issued a Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184 dated December 31, 2024 vide which it has extended the compliance timelines for Cybersecurity and Cyber Resilience Framework (CSCRF) for KYC Registration Agencies (KRAs) and Depository Participants (DPs) from January 01, 2025 to April 01, 2025.
- Securities and Exchange Board of India (SEBI) has further issued a Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/45 dated March 28, 2025 vide which it has extended the compliance timelines for Cybersecurity and Cyber Resilience Framework (CSCRF) for all Regulated Entities (REs) except Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs) until June 30, 2025.
Categorization of Regulated Entities:
CSCRF follows a graded approach and classifies the REs based on their span of operations and certain thresholds, such as number of clients, trading volume and assets under management, as under:
Entity | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
---|---|---|---|---|---|
AIF & VCF* | Sum of corpus of all AIFs, VCFs, and their schemes managed by a manager | Rs. 3000 cr and below | More than Rs. 3000 cr and less than Rs. 10,000 cr | Rs. 10,000 cr and above | NA |
BTI and SCSBs | Submit Certificate of Compliance with CSCRF to SEBI | NA | NA | NA | NA |
Stock Brokers* | Number of total registered clients | More than 1,000 and up to 10,000 | More than 10,000 and up to 1 lakh | More than 1 lakh and up to 10 lakhs | More than 10 lakhs |
Stock Brokers* | Clientele trading volume in a year (in cr) | More than 1,000 and up to 10,000 | More than 10,000 and up to 1,00,000 | More than 1,00,000 and up to 10,00,000 | More than 10,00,000 |
CIS | – | Yes | – | – | – |
CRAs | – | Yes | Rs. 10 Lakh cr and above | – | – |
Custodians | AUC | NA | Less than Rs. 1 Lakh cr | Rs. 1 Lakh cr and above but less than INR 10 Lakh cr | – |
DTs* | – | Yes | – | – | – |
DPs* | DP also registered as Stock Broker | As per Stock Brokers | As per Stock Brokers | As per Stock Brokers | As per Stock Brokers |
DPs* | Other than Stock Brokers | NA | NA | NA | Yes |
DDPs | Highest category among DPs and Custodians will be applicable to DDPs | – | – | – | – |
IAs* | NA | NA | NA | NA | NA |
RAs* | NA | NA | NA | NA | NA |
MBs | NA | NA | All other MBs | Engaged in any activity pertaining to issue management inter alia Public Issues (IPOs, FPOs, IPOs by SME), Public Offers by REITs/InvITs, Buy-Back of Securities, Delisting of Equity Shares, Open Offer under SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 2011 | NA |
MFs/ AMCs | AUM | NA | Less than Rs. 10,000 cr | Rs. 10,000 cr and above but less than Rs. 1 lakh cr | Rs. 1 lakh cr and above |
Portfolio Managers* | AUM | Rs. 3000 cr and below | NA | Above Rs. 3000 cr | NA |
RTAs* | Servicing number of folios | NA | 10,000 and above but less than 1 cr | 1 crore and above but less than 2 cr | NA |
KRAs | NA | NA | NA | NA | NA |
*Note:
- SEBI has issued a circular on Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) vide SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60 dated April 30, 2025, revising the thresholds and categorization of REs; these will continue to be updated as and when required.
- The category of an RE shall be decided at the beginning of the FY based on the data of the previous FY.
- REs excluded from submission of compliance with CSCRF:
  - FPIs
  - FVCI
  - IAs
  - RAs who are not registered in other categories of REs
  - LPCC
  - QDPs
  - REITs/ InvITs
  - RTAs servicing less than 10,000 folios
  - Vault Managers
- In case an RE is registered under more than 1 category, the provisions of the highest category under which such RE falls shall be applicable to that RE.
- Categorization shall be determined at the level of the fund manager rather than at the individual AIF level. In cases where the same manager oversees both AIFs and Venture Capital Funds (VCFs), the corpus of all VCF schemes managed by the manager shall be aggregated with that of the AIFs for the purpose of assessing threshold limits. Accordingly, the criteria and thresholds applicable to AIFs and VCFs shall be consolidated.
- Stock Brokers with less than 1,000 cr clientele trading volume (in a year) and less than 1,000 total registered clients are exempted from CSCRF.
- Managers of AIFs/ VCFs and Portfolio Managers who fall under self-certification REs category and have less than 100 clients shall be exempted from the requirement of mandatory Market-SOC (M-SOC).
- RTAs & DPs having clients less than 100 shall be exempted from the requirement of SOC services or on-boarding to Market-SOC (M-SOC).
Brief Look into Key Compliance Obligations under CSCRF:
Constitution of IT Committee
Constitute an IT Committee including at least 1 external independent expert on cybersecurity
ISO Audit and Certification
Obtain ISO 27001 certificate (latest version) by August 20, 2025
VAPT
- VAPT activity at least once or twice in a FY (depending on category)
- Submit report within 1 month of completion of VAPT activity
Cyber Audit
- Cyber Audit at least once or twice in a year (depending on category)
- Submit report within 1 month of completion of Cyber Audit
Other Key Audits/ Exercise Requirements
- Cyber Resilience Third Party Assessment using CCI
- Risk Assessment (Threat Based)
- Cyber Security Training Program
- Red Teaming Exercise
- Threat Hunting
- Cyber Security scenario based drill exercise
Challenges in Implementing the Framework:
While the framework offers comprehensive guidelines, there are several challenges in its implementation. These include:
- Resource Constraints: Smaller entities may face financial and technical challenges in implementing advanced cyber security measures.
- Evolving Threat Landscape: Cyber threats are continuously evolving, and the framework must be regularly updated to address new vulnerabilities and attack vectors.
- Talent Shortage: There is a shortage of skilled professionals in the cyber security domain, making it difficult for some entities to find the expertise needed to meet the framework’s requirements.
- Compliance Burden: The extensive requirements of the framework may pose a compliance burden on entities, particularly when it comes to documentation and reporting obligations.
Conclusion:
In today’s digital age, financial markets depend heavily on technology to operate smoothly and efficiently. This dependence, however, comes with its own set of challenges, particularly concerning the security and resilience of these digital infrastructures. The increasing complexity and frequency of cyber threats have made it imperative for regulatory bodies to introduce robust security measures.
CSCRF for SEBI REs is a critical step in strengthening the financial sector’s defense against cyber threats. As cyber threats continue to evolve, it is essential for financial institutions to remain vigilant, continuously improve their security measures, and foster a culture of cyber awareness to ensure the safety and integrity of the entire financial ecosystem.
Abbreviations Used
Entity | Description |
---|---|
SEBI | Securities and Exchange Board of India |
CSCRF | Cyber Security and Cyber Resilience Framework |
REs | Regulated Entities |
MIIs | Market Infrastructure Institutions |
QRTAs | Qualified Registrar to an Issue and Share Transfer Agents |
DPs | Depository Participants |
MFs / AMCs | Mutual Funds / Asset Management Companies |
KRAs | KYC Registration Agencies |
AIFs | Alternative Investment Funds |
BTI and SCSBs | Bankers to an Issue and Self-Certified Syndicate Banks |
CIS | Collective Investment Schemes |
CRAs | Credit Rating Agencies |
DTs | Debenture Trustees |
IAs/ RAs | Investment Advisors / Research Analysts |
MBs | Merchant Bankers |
VCFs | Venture Capital Funds |
FVCI | Foreign Venture Capital Investors |
FPI | Foreign Portfolio Investors |
DDP | Designated Depository Participants |
LPCC | Limited Purpose Clearing Corporation |
QDPs | Qualified Depository Participants |
REITs/ InvITs | Real Estate Investment Trust/ Infrastructure Investment Trust |
AUM | Asset Under Management |
CCI | Cyber Capability Index |
UCC | Unique Client Code |
AUC | Asset Under Custody |
FY | Financial Year |
CR | Crore(s) |
IBT | Internet Based Trading |
IPO | Initial Public Offer |
FPO | Follow-on Public Offer |
SME | Small and Medium Enterprises |
ISO | International Organization for Standardization |
VAPT | Vulnerability Assessment & Penetration Testing |
- https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html
- https://www.sebi.gov.in/reports-and-statistics/reports/jul-2023/consultation-paper-onconsolidated-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities_73442.html
- https://www.sebi.gov.in/legal/circulars/dec-2024/clarifications-to-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_90401.html
- https://www.sebi.gov.in/legal/circulars/mar-2025/extension-towards-adoption-and-implementation-of-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_93146.html
- https://www.sebi.gov.in/legal/circulars/apr-2025/clarifications-to-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_93734.html
Disclaimer
The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create and receipt of it does not constitute any relationship. Readers should not act upon this information without seeking professional legal counsel.