
SEBI Update – Clarifications to Cybersecurity and Cyber Resilience Framework for SEBI Regulated Entities


The Securities and Exchange Board of India (“SEBI”), in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992, issued Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184[1] dated December 31, 2024, providing clarifications to the Cybersecurity and Cyber Resilience Framework (“CSCRF”) for SEBI regulated entities (“REs”). The provisions of this circular come into force with immediate effect.

On August 20, 2024, SEBI issued a circular on the CSCRF for SEBI REs vide Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, recognising the need for robust cybersecurity measures and protection of data and IT infrastructure. This framework represents an essential evolution in response to the threat landscape and rapid technological advancements. It is designed to ensure that SEBI REs maintain a robust cybersecurity posture, remain equipped with adequate cyber resiliency measures, and can withstand, respond to, and recover from cyber threats effectively. Further to the said circular dated August 20, 2024, SEBI has provided the following clarifications:

  1. Regulatory Forbearance:

SEBI has granted regulatory forbearance for compliance requirements under the CSCRF, which is set to come into effect on January 1, 2025. The forbearance period shall run till March 31, 2025. It is clarified that SEBI shall not take any regulatory action against any RE for non-compliance during the forbearance period, provided the RE demonstrates meaningful progress in implementing the CSCRF. SEBI shall provide an opportunity to the REs to demonstrate their progress before considering any regulatory action.

  2. Extension of compliance dates for REs:

While the provisions of the circular dated August 20, 2024, are effective from January 1, 2025, SEBI has extended the compliance deadlines for the entities mentioned below. This extension is based on feedback related to the rationalization of the categorization of specific SEBI REs:

  • KYC Registration Agencies (KRAs): Compliance timeline is extended till April 01, 2025.
  • Depository Participants (DPs): Compliance timeline is extended till April 01, 2025.

  3. Data Security Standard regarding Data Localisation:

SEBI has noted the need for further consultations regarding the provisions on Data Localization under the Data Security Standard (PR.DS.S2). As a result, the guidelines and provisions related to Data Localization have been kept in abeyance until further notice.


[1] https://www.sebi.gov.in/legal/circulars/dec-2024/clarifications-to-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_90401.html