The Securities and Exchange Board of India (SEBI) introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) in August 2024 to fortify the digital security of its regulated entities (REs). This framework aims to safeguard IT infrastructure, protect sensitive data, and ensure operational continuity in the face of cyber threats. Covering mutual funds, portfolio managers, stock exchanges, credit rating agencies, and others, the CSCRF mandates compliance from January 1, 2025, focusing on cyber hygiene, incident response, governance, and data protection.
In response to industry feedback, SEBI issued a clarification circular on December 31, 2024. It provided regulatory forbearance from January 1 to March 31, 2025, allowing entities to demonstrate meaningful progress in implementation without facing penalties. Furthermore, compliance deadlines for KYC Registration Agencies (KRAs) and Depository Participants (DPs) were extended to April 1, 2025. Provisions on data localisation have been temporarily suspended to address concerns regarding feasibility and cost, with further consultations planned.
The CSCRF emphasizes best practices such as regular vulnerability testing, multi-factor authentication (MFA), and continuous monitoring. It requires entities to appoint a Chief Information Security Officer (CISO), establish cybersecurity policies, and conduct awareness training. The framework also extends cybersecurity requirements to third-party vendors and enforces strict data protection standards, including encryption and access control.
Challenges in implementing the CSCRF include resource constraints, particularly for smaller entities like KRAs and DPs, the complexity of integrating new requirements with legacy systems, and financial burdens from cybersecurity investments. To mitigate these, SEBI’s phased implementation approach and regulatory forbearance offer flexibility, while its willingness to revise data localisation guidelines highlights its collaborative stance.
The CSCRF enhances resilience, builds trust, and aligns India’s financial systems with global cybersecurity standards. It ensures entities are better prepared to manage cyber risks, safeguarding investor interests and market stability. To align with the framework, entities should utilize the forbearance period to assess gaps, develop compliance roadmaps, and invest in training and governance.
In conclusion, SEBI’s CSCRF is a significant step toward securing India’s financial ecosystem. By addressing stakeholder concerns and enabling gradual implementation, the framework reinforces SEBI’s commitment to fostering a secure and robust financial market. This initiative positions India as a leader in financial cybersecurity, ensuring a resilient, investor-focused, and globally aligned regulatory environment.
