Introduction:
Considering the rapid technological advancement in securities market, there was a greater need for maintaining robust cyber security and to have cyber resilience framework to protect integrity of data and guard against breaches of privacy. SEBI had issued CSCRF for MIIs in 2015. Subsequently, SEBI had issued other CSCRF in line with MIIs circular of 2015 for various other REs, as under:
July 06, 2015
Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporation and Depositories
September 08, 2017
Cyber Security and Cyber Resilience framework for RTAs
December 03, 2018
Cyber Security & Cyber Resilience framework for Stock Brokers / DPs
January 10, 2019
Cyber Security and Cyber Resilience framework for MFs / AMCs
October 15, 2019
Cyber Security & Cyber Resilience framework for KRAs
March 29, 2023
Cyber Security and Cyber Resilience framework for Portfolio Managers
August 20, 2024
Cyber Security and Cyber Resilience Framework for SEBI REs
The CSCRF notified on August 20, 2024, supersedes all the earlier framework, circulars, guidelines on the captioned subject, thereby bringing all the REs under a single umbrella of a consolidated framework, to align with the industry standards, encourage efficient audits and ensure compliance by SEBI REs.
Implementation Period for CSCRF:
SEBI has provided two different dates for the applicability of the said CSCRF for different REs, as under:
January 01, 2025
Intermediaries for which CSCRF was existing:
- Stock Exchanges
- Clearing Corporations
- Depositories
- QRTAs
- Stock Brokers
- DPs
- MFs / AMCs
- KRAs
- Portfolio Managers
April 01, 2025
Intermediaries for which CSCRF was not existing:
- AIFs
- BTI and SCSBs
- CIS
- CRAs
- Custodians
- DTs
- IAs/ RAs
- MBs
- VCFs
Categorization of Regulated Entities:
CSCRF follows a graded approach and classifies the REs, based on their span of operations and certain thresholds like number of clients, trade volume, asset under management, etc., as under:
| Entity | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
|---|---|---|---|---|---|
| AIF | AUM | Less than Rs. 100 cr | Rs. 100 cr and above but less than Rs. 500 cr | Rs. 500 cr and above but less than Rs. 1000 cr | Rs. 1000 cr and above |
| BTI and SCSBs | Submit Certificate of Compliance with CSCRF to SEBI | NA | NA | NA | NA |
| Stock Brokers | Active Client base as per UCC | Less than or equal to 10,000 active clients and not providing IBT or Algo trading facility | More than 10,000 and up to 50,000 | More than 50,000 and up to 5,00,000 | More than 5,00,000 |
| Less than or equal to 10,000 active clients and providing IBT or Algo trading facility | |||||
| CIS | – | Yes | – | – | – |
| CRAs | – | Yes | Rs. 10 Lakh cr and above | ||
| Custodians | AUC | NA | Less than Rs. 1 Lakh cr | Rs. 1 Lakh cr and above but less than INR 10 Lakh cr | – |
| DTs* | – | Yes | – | – | – |
| DPs | Type of DP | NA | NA | Non-institutional DP | Institutional DP |
| DDPs | Highest category among DPs and Custodians will be applicable to DDPs | – | – | – | – |
| IAs* | Individual/ Non-Individual | NA | Non-Individual IAs shall be categorized as Small-size REs | NA | NA |
| RAs* | Registration in Other Category of REs | NA | Yes | Yes | Yes |
| MBs | NA | NA | All other MBs which are not covered in Mid-size REs and Qualified REs | Engaged in any activity pertaining to issue management inter alia Public Issues (IPOs, FPOs, IPOs by SME), Public Offers by REITs/ InvITs, Buy-Back of Securities, Delisting of Equity Shares, Open Offer | Entity or its parent/ subsidiary/ associate company which is a part of a conglomerate/ Systemically Important Financial Institutions |
| MFs/ AMCs | AUM | NA | Less than Rs. 10,000 cr | Rs. 10,000 cr and above but less than Rs. 1 lakh cr | Rs. 1 lakh cr and above |
| Portfolio Managers | AUM | Less than Rs. 1000 cr | Rs. 1000 cr and above but less than Rs. 3000 cr | Rs. 3000 cr and above | NA |
| RTAs* | Servicing number of folios | NA | 10,000 and above but less than 1 cr | 1 crore and above but less than 2 cr | NA |
| VCFs | Sum of corpus of all schemes of VCF | Less than Rs. 100 cr | Rs. 100 cr and above but less than Rs. 500 cr | Rs. 500 cr and above but less than Rs. 1000 cr | Rs. 1000 cr and above |
*Note:
- Category of REs shall be decided at the beginning of the FY based on the data of previous FY.
- REs excluded from submission of compliance with CSCRF:
- FPIs
- FVCI
- Individual IAs
- RAs who are not registered in other categories of REs
- LPCC
- QDPs
- REITs/ InvITs
- RTAs servicing less than 10,000 folios
- Vault Managers
- KRAs shall be treated at par with MIIs category for the applicability of CSCRF.
- In case RE is registered under more than 1 category, then provision of highest category under which such RE falls shall be applicable to that RE.
Brief Look into Key Compliance Obligations under CSCRF:
Constitution of IT Committee
Constitute IT Committee including at least 1 external independent expert on cybersecurity
ISO Audit and Certification
Obtain ISO 27001 certificate (latest version) until August 20, 2025
VAPT
- VAPT activity atleast once or twice in a FY (basis category)
- Submit report within 1 month of completion of VAPT activity
Cyber Audit
- Cyber Audit atleast once or twice in a year (basis category)
- Submit report within 1 month of completion of Cyber Audit
Other Key Audits/ Exercise Requirements
- Cyber Resilience Third Party Assessment using CCI
- Risk Assessment (Threat Based)
- Cyber Security Training Program
- Red Teaming Excercise
- Threat Hunting
- Cyber Security scenario based drill exercise
Challenges in Implementing the Framework:
While the framework offers comprehensive guidelines, there are several challenges in its implementation. These include:
- Resource Constraints: Smaller entities may face financial and technical challenges in implementing advanced cyber security measures
- Evolving Threat Landscape: Cyber Threats are continuously evolving, and the framework must be regularly updated to addressed new vulnerabilities and attack vectors
- Talent Shortage: There is a shortage of skilled professionals in the cyber security domain, making it difficult for some entities to find the expertise needed to meet the framework’s requirement
- Compliance Burden: The extensive requirements of the framework may pose a compliance burden on entities, particularly when it comes to documentation and reporting obligations.
Conclusion:
In todays’ digital age, financial markets heavily depend on technology to operate smoothly and efficiently. This dependence however, comes with its own set of challenges, particularly concerning the security and resilience of these digital infrastructures. The increasing complexity and frequency of cyber threats have made it imperative for regulatory bodies to introduce robust security measures.
CSCRF for SEBI REs is a critical step in strengthening the financial sector’s defense against cyber threats. As cyber threats continue to evolve, it is essential for financial institutions to remain vigilant, continuously improve their security measures, and foster a culture of cyber awareness to ensure the safety and integrity of the entire financial ecosystem.
Abbreviations Used
| Entity | Description |
|---|---|
| SEBI | Securities and Exchange Board of India |
| CSCRF | Cyber Security and Cyber Resilience Framework |
| REs | Regulated Entities |
| MIIs | Market Infrastructure Institutions |
| QRTAs | Qualified Registrar to an Issue and Share Transfer Agents |
| DPs | Depository Participants |
| MFs / AMCs | Mutual Funds / Asset Management Companies |
| KRAs | KYC Registration Agencies |
| AIFs | Alternative Investment Funds |
| BTI and SCSBs | Bankers to an Issue and Self-Certified Syndicate Banks |
| CIS | Collective Investment Schemes |
| CRAs | Credit Rating Agencies |
| DTs | Debenture Trustees |
| IAs/ RAs | Investment Advisors / Research Analysts |
| MBs | Merchant Bankers |
| VCFs | Venture Capital Funds |
| FVCI | Foreign Venture Capital Investors |
| FPI | Foreign Portfolio Investors |
| DDP | Designated Depository Participants |
| LPCC | Limited Purpose Clearing Corporation |
| QDPs | Qualified Depository Participants |
| REITs/ InvITs | Real Estate Investment Trust/ Infrastructure Investment Trust |
| AUM | Asset Under Management |
| CCI | Cyber Capability Index |
| UCC | Unique Client Code |
| AUC | Asset Under Custody |
| FY | Financial Year |
| CR | Crore(s) |
| IBT | Internet Based Trading |
| IPO | Initial Public Offer |
| FPO | Follow-on Public Offer |
| SME | Small and Medium Enterprises |
| ISO | International Organization for Standardization |
| VAPT | Vulnerability Assessment & Penetration Testing |
Disclaimer
The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create and receipt of it does not constitute any relationship. Readers should not act upon this information without seeking professional legal counsel.
