
Technical Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)


....body- RAASB)

Sir / Madam,

Subject: Technical Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

1. Recognising the need for robust cybersecurity measures and protection of data and IT infrastructure, Securities and Exchange Board of India (SEBI) has issued 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)' vide circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024.

2. Upon receipt of various queries from REs seeking extension and clarification on the aforementioned circular, SEBI has also issued the following clarifications and Frequently Asked Questions (FAQs):

S. No. | Circular Title | Circular Number | Date of Issuance
1. | Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) | SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184 | December 31, 2024
2. | Extension towards Adoption and Implementation of Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) | SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/45 | March 28, 2025
3. | Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for ....


....ction scope by SEBI, if the same is not covered under audit/ inspection scope by primary regulator and their frameworks/ guidelines.

Following are representative examples of the standards and corresponding guidelines as mentioned in CSCRF:

Table 1: Representative examples under Principle of Exclusivity

S. No. | CSCRF Standard/ Guidelines | CSCRF Clause
1. | Data Classification (Regulatory Data, and IT and Cybersecurity Data) and Data Localisation (currently in abeyance vide SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184 dated December 31, 2024) | Box Item 9, Box Item 10, and PR.DS.S1-3 Guidelines (Page 107)
2. | Definition and classification of Critical/ non-critical systems | Definitions (Page 26), ID.AM.S1 and ID.AM.S4 Guidelines (Page 90)
3. | VAPT scope | Scope given in Annexure-A (Page 136), Annexure-L, and DE.CM.S5 Guideline 2 (Page 120)
4. | Asset inventory updation timelines | ID.AM.S1 and ID.AM.S4 Guidelines 3 (Page 90)
5. | Patch management timelines | PR.MA.S3 Guidelines 11 (Page 117-118)
6. | SEBI Cloud circular compliance | Annexure-J
7. | Supply chain risk management | GV.SC and corresponding guidelines
8. | Requirements of log management and r....


....el (PR.AA.S4 and PR.AA.S5 guidelines - Page 97): "REs shall follow zero-trust security model in such a way that access (from within or outside REs' network) to their critical systems is denied by default and allowed only after proper authentication and authorization."

Clarification: Above-mentioned guidelines shall now be read as under: REs shall implement suggested strategies/ methodologies such as Zero-trust networks, segmentation, no single point of failure, high availability, etc. Further, the same shall be approved by IT committee for REs.

6.3. Mobile Application Security guidelines (PR.AA.S16 and corresponding guidelines - Page 102-103)

Clarification: Above-mentioned guidelines are recommendatory (not mandatory) in nature.

6.4. RS.CO.S2 guidelines (Page 124-125): "If the cyber-attack is of high impact and has a broad reach, the RE shall give a press release which shall include (but not limited to) a brief of the incident, actions taken to recover, normal operation resumption status (once achieved), etc. and inform all the affected customers/ stakeholders. If the cyber-attack is of low impact and has a narrow/low reach, the REs shall inform all the affected customers/ stak....


.... June 11, 2025:

Question: In a scenario where an RE falling under small-size or self-certification REs category has its own SOC, is it necessary for such REs to get onboarded to Market-SOC?

Answer: It is imperative that setting up own SOC is a costly proposition. Hence, SEBI has mandated NSE and BSE to setup Market-SOC (M-SOC) where small-size REs and self-certification REs can get onboarded and take the benefit to stay cyber secure and resilient. However, REs who have their own SOC and falling under the category of small-size REs or self-certification REs by virtue of their regulatory activity may leverage their existing SOC. Further, such REs shall be required to submit the SOC efficacy report periodically as mandated in CSCRF.

6.10. RC.RP.S2 guideline (Page 128-129): "In the event of disruption of any one or more of the critical systems, the RE shall, within 30 minutes of the incident, declare that incident as 'Disaster' based on the business impact analysis. Accordingly, the RTO shall be two (2) hours as recommended by IOSCO [Refer https://www.bis.org/cpmi/publ/d146.pdf.] for the resumption of critical operations. The RPO shall be 15 minutes for all REs. The recovery plan sha....