The Securities and Exchange Board of India (SEBI) issued a clarification on Thursday regarding the scope and applicability of its Cybersecurity and Cyber Resilience Framework (CSCRF). According to the markets regulator, the framework applies strictly to systems used exclusively for SEBI-regulated activities, alleviating concerns around overlapping responsibilities with other regulatory bodies.
SEBI emphasized that shared infrastructure, if not already overseen by the Reserve Bank of India (RBI) or another competent authority, will still fall under the CSCRF audit requirements. This ensures a consistent cybersecurity standard across all system types, especially as institutions increasingly rely on common digital platforms.
Importantly, SEBI acknowledged that regulated entities (REs) already complying with cybersecurity norms issued by the RBI or any equivalent regulator will not need to duplicate efforts. Such existing compliance will be accepted under SEBI’s framework, reducing operational burdens on dual-regulated entities, as reported by The Economic Times.
Critical Systems, Zero Trust, and Disaster Recovery Guidelines
The CSCRF circular expanded on what constitutes a “critical system,” identifying it as any system that affects core operations, stores or transmits regulatory data, hosts client-facing or internet-facing applications, or resides on the same network as such systems. To strengthen resilience, SEBI urged REs to implement zero-trust principles, like network segmentation, high availability, and eliminating single points of failure, with oversight from their IT Committees.
In terms of mobile applications, the framework’s guidelines are considered recommendatory rather than mandatory. Meanwhile, for cyber crises, REs must act based on their internal Cyber Crisis Management Plan, avoiding the issuance of press releases during such events.
While tools such as threat simulations, vulnerability assessments, and decoy systems are encouraged, SEBI clarified that their use is not compulsory. However, entities must actively assess cybersecurity risks arising from third-party vendors in coordination with their IT Committees.
SEBI also stressed the importance of protecting cyber audit reports. “While receiving and handling cyber audit reports submitted by their members, stock exchanges and depositories shall ensure that adequate safeguards are in place to maintain the confidentiality and integrity of such reports,” the regulator said.
For disaster recovery, regulated entities must be able to resume critical operations within two hours (Recovery Time Objective – RTO) and ensure data recovery within 15 minutes (Recovery Point Objective – RPO). Entities must also plan for contingencies in cases where these benchmarks cannot be achieved.
Revised CSCRF Categorization for Portfolio Managers and Merchant Bankers
SEBI has revised the classification thresholds for regulated entities under the CSCRF. Portfolio Managers with Assets Under Management (AUM) of ₹10,000 crore and above will now be categorized as Qualified REs.
Those managing between ₹3,000 crore and ₹10,000 crore will be tagged as Mid-size REs, while those below ₹3,000 crores fall into the small-size RE category. Portfolio Managers under the minimum threshold may be recognized as Self-certification REs, benefiting from simpler compliance requirements.
In the case of Merchant Bankers (MBs), SEBI clarified that all active MBs—defined as those carrying out merchant banking functions during the relevant period—will be treated as Small-size REs for compliance purposes. Inactive MBs, however, will be exempt from CSCRF obligations.
