
Cyber Security and Cyber Resilience

Framework for SEBI Regulated Entities (REs)

Priya Gandhi

Published on: Sep 25, 2024

Khushboo Sharma

Updated on: May 14, 2025


Introduction:

Considering the rapid technological advancement in the securities market, there was a growing need for a robust cyber security and cyber resilience framework to protect the integrity of data and guard against breaches of privacy. SEBI issued a CSCRF for MIIs in 2015. Subsequently, SEBI issued further CSCRFs, in line with the 2015 MIIs circular, for various other REs, as under:

| Date | Framework |
|---|---|
| July 06, 2015 | Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories |
| September 08, 2017 | Cyber Security and Cyber Resilience framework for RTAs |
| December 03, 2018 | Cyber Security & Cyber Resilience framework for Stock Brokers / DPs |
| January 10, 2019 | Cyber Security and Cyber Resilience framework for MFs / AMCs |
| October 15, 2019 | Cyber Security & Cyber Resilience framework for KRAs |
| March 29, 2023 | Cyber Security and Cyber Resilience framework for Portfolio Managers |
| August 20, 2024 | Cyber Security and Cyber Resilience Framework for SEBI REs |

The CSCRF notified on August 20, 2024 supersedes all the earlier frameworks, circulars and guidelines on the subject, thereby bringing all the REs under the single umbrella of a consolidated framework, to align with industry standards, encourage efficient audits and ensure compliance by SEBI REs.

Initial Implementation Period for CSCRF:

SEBI has provided two different dates for the applicability of the said CSCRF for different REs, as under:

January 01, 2025

Intermediaries for which a CSCRF already existed:

  1. Stock Exchanges
  2. Clearing Corporations
  3. Depositories
  4. QRTAs
  5. Stock Brokers
  6. DPs
  7. MFs / AMCs
  8. KRAs
  9. Portfolio Managers

April 01, 2025

Intermediaries for which no CSCRF existed earlier:

  1. AIFs
  2. BTI and SCSBs
  3. CIS
  4. CRAs
  5. Custodians
  6. DTs
  7. IAs/ RAs
  8. MBs
  9. VCFs

Note:

  1. Securities and Exchange Board of India (SEBI) has issued a Circular No. SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2024/184 dated December 31, 2024 vide which it has extended the compliance timelines for Cybersecurity and Cyber Resilience Framework (CSCRF) for KYC Registration Agencies (KRAs) and Depository Participants (DPs) from January 01, 2025 to April 01, 2025.
  2. Securities and Exchange Board of India (SEBI) has further issued a Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/45 dated March 28, 2025 vide which it has extended the compliance timelines for Cybersecurity and Cyber Resilience Framework (CSCRF) for all Regulated Entities (REs) except Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs) until June 30, 2025.

Categorization of Regulated Entities:

CSCRF follows a graded approach and classifies the REs based on their span of operations and certain thresholds, such as number of clients, trade volume and assets under management, as under:

| Entity | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
|---|---|---|---|---|---|
| AIF & VCF* | Sum of corpus of all AIFs, VCFs and their schemes managed by a manager | Rs. 3,000 cr and below | More than Rs. 3,000 cr and less than Rs. 10,000 cr | Rs. 10,000 cr and above | NA |
| BTI and SCSBs | Submit Certificate of Compliance with CSCRF to SEBI | NA | NA | NA | NA |
| Stock Brokers* | Number of total registered clients | More than 1,000 and up to 10,000 | More than 10,000 and up to 1 lakh | More than 1 lakh and up to 10 lakhs | More than 10 lakhs |
| Stock Brokers* | Clientele trading volume in a year (in cr) | More than 1,000 and up to 10,000 | More than 10,000 and up to 1,00,000 | More than 1,00,000 and up to 10,00,000 | More than 10,00,000 |
| Custodians | AUC | NA | Less than Rs. 1 Lakh cr | Rs. 1 Lakh cr and above but less than Rs. 10 Lakh cr | |
| DPs* (DP also registered as Stock Broker) | To be classified as per the criteria followed for Stock Brokers | | | | |
| DPs* (other than Stock Brokers) | | NA | NA | NA | Yes |
| DDPs | Highest category among DPs and Custodians will be applicable to DDPs | | | | |
| IAs* | NA | NA | NA | NA | NA |
| RAs* | NA | NA | NA | NA | NA |
| MBs | NA | NA | All other MBs | Engaged in any activity pertaining to issue management, inter alia Public Issues (IPOs, FPOs, IPOs by SMEs), Public Offers by REITs/InvITs, Buy-Back of Securities, Delisting of Equity Shares, Open Offer under SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 2011 | NA |
| MFs/ AMCs | AUM | NA | Less than Rs. 10,000 cr | Rs. 10,000 cr and above but less than Rs. 1 lakh cr | Rs. 1 lakh cr and above |
| Portfolio Managers* | AUM | Rs. 3,000 cr and below | NA | Above Rs. 3,000 cr | NA |
| RTAs* | Servicing number of folios | NA | 10,000 and above but less than 1 cr | 1 cr and above but less than 2 cr | NA |
| KRAs | NA | NA | NA | NA | NA |

The remaining rows appear in the source table as follows, without the category column being identifiable: CIS: Yes; CRAs: Yes, Rs. 10 Lakh cr and above; DTs*: Yes.

*Note:

  1. SEBI has issued a circular on Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) vide SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60 dated April 30, 2025 and decided to revise the thresholds and categorization of REs, which will continue to be updated as and when required.
  2. The category of an RE shall be decided at the beginning of the FY based on the data of the previous FY.
  3. REs excluded from submission of compliance with CSCRF:
    • FPIs
    • FVCI
    • IAs
    • RAs who are not registered in other categories of REs
    • LPCC
    • QDPs
    • REITs/ InvITs
    • RTAs servicing less than 10,000 folios
    • Vault Managers
  4. In case an RE is registered under more than one category, the provisions of the highest category under which such RE falls shall be applicable to that RE.
  5. Categorization shall be determined at the level of the fund manager rather than at the individual AIF level. In cases where the same manager oversees both AIFs and Venture Capital Funds (VCFs), the corpus of all VCF schemes managed by the manager shall be aggregated with that of the AIFs for the purpose of assessing threshold limits. Accordingly, the criteria and thresholds applicable to AIFs and VCFs shall be consolidated.
  6. Stock Brokers with less than Rs. 1,000 cr clientele trading volume (in a year) and less than 1,000 total registered clients are exempted from CSCRF.
  7. Managers of AIFs/ VCFs and Portfolio Managers who fall under the self-certification REs category and have less than 100 clients shall be exempted from the requirement of mandatory Market-SOC (M-SOC).
  8. RTAs & DPs having less than 100 clients shall be exempted from the requirement of SOC services or on-boarding to Market-SOC (M-SOC).

Brief Look into Key Compliance Obligations under CSCRF:

Constitution of IT Committee

Constitute an IT Committee including at least one external independent expert on cyber security

ISO Audit and Certification

Obtain ISO 27001 certification (latest version) by August 20, 2025

VAPT

  1. VAPT activity at least once or twice in a FY (depending on category)
  2. Submit the report within 1 month of completion of the VAPT activity

Cyber Audit

  1. Cyber Audit at least once or twice in a year (depending on category)
  2. Submit the report within 1 month of completion of the Cyber Audit

Other Key Audits/ Exercise Requirements

  1. Cyber Resilience Third Party Assessment using CCI
  2. Risk Assessment (Threat Based)
  3. Cyber Security Training Program
  4. Red Teaming Exercise
  5. Threat Hunting
  6. Cyber Security scenario-based drill exercise

Challenges in Implementing the Framework:

While the framework offers comprehensive guidelines, there are several challenges in its implementation. These include:

  1. Resource Constraints: Smaller entities may face financial and technical challenges in implementing advanced cyber security measures.
  2. Evolving Threat Landscape: Cyber threats are continuously evolving, and the framework must be regularly updated to address new vulnerabilities and attack vectors.
  3. Talent Shortage: There is a shortage of skilled professionals in the cyber security domain, making it difficult for some entities to find the expertise needed to meet the framework's requirements.
  4. Compliance Burden: The extensive requirements of the framework may pose a compliance burden on entities, particularly when it comes to documentation and reporting obligations.

Conclusion:

In today's digital age, financial markets depend heavily on technology to operate smoothly and efficiently. This dependence, however, comes with its own set of challenges, particularly concerning the security and resilience of these digital infrastructures. The increasing complexity and frequency of cyber threats have made it imperative for regulatory bodies to introduce robust security measures.

CSCRF for SEBI REs is a critical step in strengthening the financial sector’s defense against cyber threats. As cyber threats continue to evolve, it is essential for financial institutions to remain vigilant, continuously improve their security measures, and foster a culture of cyber awareness to ensure the safety and integrity of the entire financial ecosystem.

Abbreviations Used

| Abbreviation | Description |
|---|---|
| SEBI | Securities and Exchange Board of India |
| CSCRF | Cyber Security and Cyber Resilience Framework |
| REs | Regulated Entities |
| MIIs | Market Infrastructure Institutions |
| QRTAs | Qualified Registrars to an Issue and Share Transfer Agents |
| DPs | Depository Participants |
| MFs / AMCs | Mutual Funds / Asset Management Companies |
| KRAs | KYC Registration Agencies |
| AIFs | Alternative Investment Funds |
| BTI and SCSBs | Bankers to an Issue and Self-Certified Syndicate Banks |
| CIS | Collective Investment Schemes |
| CRAs | Credit Rating Agencies |
| DTs | Debenture Trustees |
| IAs/ RAs | Investment Advisors / Research Analysts |
| MBs | Merchant Bankers |
| VCFs | Venture Capital Funds |
| FVCI | Foreign Venture Capital Investors |
| FPI | Foreign Portfolio Investors |
| DDP | Designated Depository Participants |
| LPCC | Limited Purpose Clearing Corporation |
| QDPs | Qualified Depository Participants |
| REITs/ InvITs | Real Estate Investment Trusts / Infrastructure Investment Trusts |
| AUM | Assets Under Management |
| CCI | Cyber Capability Index |
| UCC | Unique Client Code |
| AUC | Assets Under Custody |
| FY | Financial Year |
| CR | Crore(s) |
| IBT | Internet Based Trading |
| IPO | Initial Public Offer |
| FPO | Follow-on Public Offer |
| SME | Small and Medium Enterprises |
| ISO | International Organization for Standardization |
| VAPT | Vulnerability Assessment & Penetration Testing |

References:

  1. https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.html
  2. https://www.sebi.gov.in/reports-and-statistics/reports/jul-2023/consultation-paper-onconsolidated-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities_73442.html
  3. https://www.sebi.gov.in/legal/circulars/dec-2024/clarifications-to-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_90401.html
  4. https://www.sebi.gov.in/legal/circulars/mar-2025/extension-towards-adoption-and-implementation-of-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_93146.html
  5. https://www.sebi.gov.in/legal/circulars/apr-2025/clarifications-to-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_93734.html

Disclaimer

The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create, and receipt of it does not constitute, any relationship. Readers should not act upon this information without seeking professional legal counsel.
