
SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119

rules · 1992 · State unknown

Parent: THE SECURITIES AND EXCHANGE BOARD OF INDIA ACT, 1992 (7c4c1f5343adab106c3a94cafc08a5ecf5957ae7)

Text

CIRCULAR

SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119

To,
All Alternative Investment Funds (AIFs)
All Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
All Clearing Corporations
All Collective Investment Schemes (CIS)
All Credit Rating Agencies (CRAs)
All Custodians
All Debenture Trustees (DTs)
All Depositories
All Designated Depository Participants (DDPs)
All Depository Participants through Depositories
All Investment Advisors (IAs) / Research Analysts (RAs)
All KYC Registration Agencies (KRAs)
All Merchant Bankers (MBs)
All Mutual Funds (MFs) / Asset Management Companies (AMCs)
All Portfolio Managers
Association of Portfolio Managers in India (APMI)
All Registrar to an Issue and Share Transfer Agents (RTAs)
All Stock Brokers through Exchanges
All Stock Exchanges
All Venture Capital Funds (VCFs)
BSE Limited (Investment Adviser Administration and Supervisory Body - IAASB)
BSE Limited (Research Analysts Administration and Supervisory Body - RAASB)

August 28, 2025

Sir / Madam,

Subject: Technical Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

Recognising the need for robust cybersecurity measures and protection of data and IT infrastructure, the Securities and Exchange Board of India (SEBI) has issued the 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)' vide circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024.

Upon receipt of various queries from REs seeking extension and clarification on the aforementioned circular, SEBI has also issued the following clarifications and Frequently Asked Questions (FAQs):

Based on further discussions, technical clarifications are being issued with respect to the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI

Rule TOC

Paragraph 3
3.1 Part-A: Principles for REs under multiple regulators' purview
3.2 Part-B: Technical clarifications
3.3 Part-C: Re-categorisation of Portfolio Managers and Merchant Bankers
3.4 Part-D: Cyber Security Audit Policy Guidelines from CERT-In

Paragraph 5 (Part-A)
5.1 There are various standards and corresponding guidelines mentioned in CSCRF which REs need to implement and comply with in a certain manner. For the ease of compliance and clarity of implementation, the following Principle of Exclusivity and Principle of Equivalence have been formulated. During submission of CSCRF compliance, REs need to demonstrate that they follow
5.2 Principle of Exclusivity: The scope of CSCRF shall be limited to only those systems/ applications/ infrastructure/ processes which are exclusively used for SEBI regulated activities. Further, the shared infrastructure/ network/ technology stack and security solutions shall be included in the audit/ inspection scope by SEBI if the same is not covered under the audit/ inspection scope of the primary regulator and their frameworks/ guidelines.
5.3 Principle of Equivalence: CSCRF controls which have an equivalence in other regulators' cybersecurity frameworks/ guidelines shall be deemed compliant provided that the frameworks/ guidelines issued by the primary regulator are adhered to by such REs.

Paragraph 6 (Part-B)
6.1 Critical Systems definition (Page 26): Entities shall identify and classify their critical IT systems. The following systems shall be included in critical systems (both on-premise and cloud):
6.2 Zero-trust security model (PR.AA.S4 and PR.AA.S5 guidelines, Page 97): "REs shall follow zero-trust security model in such a way that access (from within or outside REs' network) to their critical systems is denied by default and allowed only after proper authentication and authorization."
6.3 Mobile Application Security guidelines (PR.AA.S16 and corresponding guidelines, Page 102-103)
6.4 RS.CO.S2 guidelines (Page 124-125): "If the cyber-attack is of high impact and has a broad reach, the RE shall give a press release which shall include (but not limited to) a brief of the incident, actions taken to recover, normal operation resumption status (once achieved), etc. and inform all the affected customers/ stakeholders. If the cyber-attack is of low impact and has a narrow/low reach, the REs shall inform all the affected customers/ stakeholders."
6.5 DE.CM.S3 guidelines (3.c) (Page 119): "REs shall deploy solutions such as BAS, CART, decoy, vulnerability management, etc. to enhance their cybersecurity posture."
6.6 GV.SC.S2 (Page 56): "Suppliers and third-party service providers of information systems, components, and services shall be identified, prioritized, and assessed using a cyber-supply chain risk assessment process."
6.7 Submission of VAPT and Cyber audit report (Section 4.3-4.4, Page 48-52, Annexure-A, Annexure-B)
6.8 GV.PO Guideline 11 (Page 85): "The cybersecurity policy shall encompass the principles prescribed by National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organisation (NTRO), GoI in the report titled 'Guidelines for Protection of National Critical Information Infrastructure' and subsequent revisions, if any, from time to time." Clarification: The above-mentioned clause is applicable only to REs which have been identified as Critical Information Infrastructure (CII) by NCIIPC.
6.9 On-boarding to Market-SOC (Box Item 11)
Footnote 1: Refer https://www.sebi.gov.in/sebi_data/faqfiles/jun-2025/1749647139924.pdf
6.10 RC.RP.S2 guideline (Page 128-129): "In the event of disruption of any one or more of the critical systems, the RE shall, within 30 minutes of the incident, declare that incident as 'Disaster' based on the business impact analysis. Accordingly, the RTO shall be two (2) hours as recommended by IOSCO [2] for the resumption of critical operations. The RPO shall be 15 minutes for all REs. The recovery plan shall be scenario-based and in line with the RTO and RPO specified."
6.11 Requirement of ISO 27001 certification for Qualified REs (PR.IP.S16 (Page 66) and corresponding guideline (Page 115), and Section 4.2, Page 47). Clarification: Qualified REs are encouraged and recommended (not mandatory) to obtain ISO 27001 certification.
6.12 While receiving and handling cyber audit reports submitted by their members, Stock Exchanges and Depositories shall ensure that adequate safeguards are in place to maintain the confidentiality and integrity of such reports.
Footnote 2: Refer https://www.bis.org/cpmi/publ/d146.pdf
Footnote 3: Refer https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf
Footnote 4: Refer https://www.sebi.gov.in/legal/circulars/mar-2021/guidelines-for-business-continuity-plan-bcp-anddisaster-recovery-dr-of-market-infrastructure-institutions-miis-_49601.html

Paragraph 7 (Part-C)
7.1 Portfolio Managers
7.2 Merchant Bankers (MBs)
Footnote 5: https://www.cert-in.org.in/PDF/Comprehensive_Cyber_Security_Audit_Policy_Guidelines.pdf

Paragraph 9
9.1 Make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the above direction; and
9.2 Bring the provisions of this circular to the notice of their members/ participants and also disseminate the same on their websites.

Paragraph 10
10. BSE Limited is directed to:
10.1 Make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the above direction; and
10.2 Bring the provisions of this circular to the notice of Investment Advisers (IAs) and Research Analysts (RAs) and also disseminate the same on their websites.

11. The provisions of this Circular shall come into force with immediate effect.
12. This circular is being issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.
13. This circular is issued with the approval of the Competent Authority.
14. This circular is available on the SEBI website at www.sebi.gov.in under the category "Legal" and drop "Circulars".