SEBI Issues Technical Clarifications on Cybersecurity and Cyber Resilience Framework for Regulated Entities [Read Circular]
SEBI issued technical clarifications to strengthen the Cybersecurity and Cyber Resilience Framework for all regulated entities.

The Securities and Exchange Board of India (SEBI) issued a circular dated August 28, 2025, announcing detailed technical clarifications to its Cybersecurity and Cyber Resilience Framework (CSCRF) for all SEBI-regulated entities.
The notification was released after SEBI received numerous queries and requests for clarity from market participants regarding the earlier framework issued on August 20, 2024.
Principles for Entities Regulated by Multiple Authorities
- Some SEBI REs are also regulated by RBI or other regulators (e.g., banks acting as custodians).
- Two guiding principles were introduced:
  - Principle of Exclusivity: SEBI’s framework applies only to systems/processes used exclusively for SEBI-regulated activities.
  - Principle of Equivalence: If another regulator (like RBI) already enforces equivalent cybersecurity controls, following those will be considered compliant with SEBI rules.
Technical Clarifications
- Critical Systems: Must include all IT systems that impact core operations, store regulatory data, connect to critical systems, or are internet/client-facing.
- Zero Trust Security: Entities must adopt strategies like segmentation, high availability, and no single point of failure, approved by their IT Committee.
- Mobile App Security: Guidelines are recommendatory, not mandatory.
- Cyber Attack Reporting: Entities must follow their Cyber Crisis Management Plan (CCMP) instead of rigid press release rules.
- Audit Reports: Entities should submit only summaries of cyber audit/VAPT reports, not detailed vulnerabilities, unless specifically asked.
- Market-SOC Onboarding: Small-size entities and self-certification REs must join NSE/BSE’s Market-SOC (shared cyber monitoring system).
- Disaster Recovery: Entities must design systems to a Recovery Time Objective (RTO) of 2 hours for resuming critical operations and a Recovery Point Objective (RPO) of 15 minutes for data.
- ISO 27001 Certification: Recommended (not mandatory) for qualified REs.
Re-Categorisation
- Portfolio Managers: Categorised based on AUM (Assets Under Management).
  - Mid-size REs: ₹10,000 Cr+
  - Small-size REs: ₹3,000–10,000 Cr
  - Self-certification REs: up to ₹3,000 Cr
- Merchant Bankers:
  - Active MBs = Small-size REs (must comply with CSCRF).
  - Inactive MBs = Exempt.
Cybersecurity Audit: Entities must follow CERT-In’s Cyber Security Audit Policy Guidelines to ensure audits are effective, consistent, and secure.
The circular came into force immediately on its issuance, with SEBI exercising its powers under Section 11(1) of the SEBI Act, 1992, which empowers it to protect the interests of investors, regulate the securities market, and promote its orderly development.