
The Securities and Exchange Board of India (SEBI), the primary market regulator, has released comprehensive clarifications and updates to its Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI-regulated entities. These clarifications come as a timely move to enhance the cyber resilience of India’s securities markets while addressing concerns and questions raised by market participants since the original CSCRF release in August 2024. The updated guidelines reflect SEBI’s intent to balance stringent cybersecurity standards with practical compliance modalities based on the varied sizes and operational complexities of regulated entities.
Key Highlights of the Clarifications
Regulated entities (REs) will now be categorized at the start of each financial year based on the previous year's data; this category will remain unchanged during the financial year regardless of operational changes.
Compliance categorization for Alternative Investment Fund (AIF) managers will be done at the investment manager level instead of at the individual fund level, with clear thresholds based on the corpus under management.
Specific exemptions have been introduced, including an exemption from the mandatory Market Security Operations Centre (M-SOC) framework for smaller investment managers with fewer than 100 clients.
The regulator has extended the compliance deadline to August 31, 2025, giving entities additional time to align their cybersecurity systems with the framework.
Enhanced guidance has been provided on governance, including the role and seniority of Chief Information Security Officers (CISOs) within organizations, emphasizing accountability and operational clarity.
SEBI encourages the adoption of cloud services and has issued frameworks to help regulated entities navigate cloud adoption securely.
Understanding the Updated Framework
The CSCRF is designed to strengthen cybersecurity architecture among entities like stock brokers, mutual funds, portfolio managers, depositories, and other SEBI-regulated participants. It mandates a structured risk-based approach to assess cyber risks, implement controls, perform continuous monitoring, and report cyber incidents effectively.
SEBI’s clarification emphasizes that the categorization of entities is fundamental to determining the specific cybersecurity obligations applicable to them. The categories broadly include:
Qualified REs: Entities with large client bases or trading volumes — subject to the highest compliance requirements and security monitoring protocols.
Mid-size REs: Entities with moderate scale and exposure, required to implement standard cybersecurity safeguards and reporting.
Small-size REs: Smaller entities with lighter obligations but still accountable for a baseline cybersecurity posture.
Self-certification REs: The smallest entities, often exempt from certain mandates but required to submit self-certification declarations.
These classifications enable SEBI to apply nuanced and scalable cybersecurity requirements rather than a “one-size-fits-all” regime. For example, stock brokers are classified based on the number of clients or trading volume, whichever is higher, ensuring that systemic importance and actual risk exposure drive regulatory oversight.
Governance and Cybersecurity Leadership
The clarifications provide detailed guidelines on the governance structure, particularly concerning the appointment and role of Chief Information Security Officers (CISOs). SEBI mandates that the CISO should hold a senior-level position equivalent to or higher than that of a Chief Technology Officer or a similar role in the organizational hierarchy. Group-level CISOs are permitted to oversee multiple entities within the same group, and remote CISOs can be appointed provided they serve that one entity exclusively and do not hold the role for multiple entities.
Operational and Technical Provisions
Entities categorized under higher thresholds, such as Qualified REs and Market Infrastructure Institutions (MIIs), must deploy advanced cybersecurity measures, including the mandatory implementation of Hardware Security Modules (HSMs) and participation in the Market Security Operations Centre (M-SOC).
For investment advisers, research analysts, and portfolio managers, compliance depends on their role and scale of operations, with many smaller advisers exempted from the strictest obligations. KYC Registration Agencies (KRAs) have been reclassified as Qualified REs subject to full compliance.
SEBI also underscores the importance of cybersecurity audits, expected to commence from Financial Year 2025-26, ensuring entities align with the CSCRF and its clarifications through independent assessments.
Cloud Adoption Framework
Recognizing the shift in technology trends, SEBI has introduced a framework guiding regulated entities in securely adopting cloud computing solutions. The framework highlights best practices, risk management strategies, and compliance requirements related to cloud services, providing clarity and confidence for digital transformation initiatives in this sector.
Compliance Timeline and Transition Period
SEBI has extended the compliance deadline for all regulated entities except Market Infrastructure Institutions, KYC Registration Agencies, and Qualified Registrars to an Issue and Share Transfer Agents, allowing them until August 31, 2025, to fully implement the framework. This extension aims to facilitate a smoother transition and adherence without compromising the overall objective of cyber resilience.
Conclusion
SEBI’s latest clarifications on the Cybersecurity and Cyber Resilience Framework mark a significant step toward strengthening India’s securities market ecosystem against evolving cyber threats. By tailoring requirements based on entity size and operational risk, and by providing practical timelines and governance guidelines, SEBI ensures a resilient and secure trading environment benefiting investors and the broader economy.
Sources: SEBI Circular April 30, 2025; AZB Partners; Economic Times; NSDL