Analysis Of Sebi’s Circular On Cybersecurity And Cyber Resilience Framework (CSCRF)

Posted On - 27 September, 2025 • By - King Stubb & Kasiva

Introduction

The Cybersecurity and Cyber Resilience Framework (“CSCRF”) received detailed clarifications and technical directions vide SEBI’s circular SEB/HO/3C dated August 28, 2025, issued by the Securities and Exchange Board of India. By updating past guidance and frequently asked questions, the circular resolves outstanding ambiguities and offers comprehensive compliance advice to SEBI-regulated entities (“REs”). SEBI acknowledges the cybersecurity threat to the securities market and its bearing on the governance of market infrastructure, and the circular forms part of its efforts to address that threat. This article presents a comprehensive overview of the circular, with particular attention to its policy implications for REs. It also discusses the key directions in the circular and the broader impact the regulation will have on India’s financial system.

Part A: Principles for REs under Multiple Regulators’ Purview

SEBI’s system recognizes the interdependence of regulators such as RBI and IRDAI. Many SEBI-regulated entities, such as custodians, depository participants, and merchant bankers, are also impacted by other regulatory regime changes at the same time. Two crucial principles of compliance, namely Exclusivity and Equivalence, are introduced by the circular.

Under the Principle of Exclusivity, CSCRF applies only to systems and processes that are regulated by SEBI. Even so, SEBI remains authorized to audit shared infrastructure if it falls outside the jurisdiction of the primary regulator. This prevents a regulatory void in the protection of critical IT assets.

Under the Principle of Equivalence, compliance with the cybersecurity requirements issued by an entity’s primary regulator is considered sufficient, provided those requirements meet CSCRF standards. This avoids duplication of effort, reduces the compliance burden and promotes regulatory harmony, while minimum cybersecurity thresholds are maintained.

Part B: Technical Clarifications

The circular offers comprehensive clarification on CSCRF’s technical aspects, ensuring that operational uncertainties don’t hinder compliance. Some key clarifications include:

  • Critical Systems: A wider definition of Critical Systems has been adopted, so that it encompasses any system that sits on the same network segment as a critical system.
  • Zero Trust Security: Entities must adopt controls such as redundancy and segmentation under IT committee oversight, replacing reliance on perimeter-based security models. This is known as zero trust security.
  • Mobile Application Security: The guidelines for Mobile Application Security are recommended, as SEBI takes a pragmatic approach to managing compliance expenses while accounting for actual risk exposure.
  • Cyber Crisis Management: The response to incidents must be in line with the entity’s Cyber Crisis Management Plan (“CCMP”), which ensures preemptive and coordinated responses.
  • Vulnerability Assessment and Penetration Testing (“VAPT”): To ensure the protection of sensitive data and regulatory oversight, VAPT reports must be submitted in a condensed format, with fewer individual documents.
  • Disaster Recovery: Disaster Recovery requires entities to design systems to resume critical operations within two hours, as per IOSCO guidelines, and with a Recovery Point Objective (“RPO”) of 15 minutes.
  • ISO 27001 Certification: Certification is encouraged but not compulsory, with the understanding of the cost implications for smaller organizations.
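As an added illustration of the Critical Systems and segmentation points above (example code written for this analysis, not drawn from the circular or from SEBI), the Python script below applies the wider definition to a constructed asset inventory: every asset on the same network segment as a declared critical system is pulled into scope, and any segment that mixes critical and non-critical hosts is flagged as a candidate for re-segmentation. The segment ranges, hostnames and addresses are hypothetical sample data.

```python
import ipaddress

# Constructed sample data (hypothetical): network segments and an asset inventory.
SEGMENTS = ["10.10.1.0/24", "10.10.2.0/24", "10.20.0.0/16"]
ASSETS = {
    "trading-engine": "10.10.1.10",
    "order-gateway": "10.10.1.20",
    "hr-portal": "10.10.2.5",
    "build-server": "10.20.3.7",
    "intranet-wiki": "10.20.4.9",
}
# Systems the entity itself has designated as critical.
DECLARED_CRITICAL = {"trading-engine"}


def segment_of(ip, segments):
    """Return the ip_network from `segments` that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for seg in segments:
        net = ipaddress.ip_network(seg)
        if addr in net:
            return net
    return None


def expand_critical(assets, declared, segments):
    """Apply the wider definition: any asset sharing a segment with a
    declared critical system is also treated as critical."""
    critical_nets = {segment_of(assets[name], segments) for name in declared}
    critical_nets.discard(None)
    return {name for name, ip in assets.items()
            if segment_of(ip, segments) in critical_nets}


def newly_in_scope(assets, declared, segments):
    """Assets brought into scope solely because of shared segments."""
    return expand_critical(assets, declared, segments) - set(declared)


def mixed_segments(assets, declared, segments):
    """Segments that host both declared-critical and non-critical assets;
    these are the ones segmentation would isolate to shrink the critical scope."""
    critical_nets = {segment_of(assets[name], segments) for name in declared}
    critical_nets.discard(None)
    result = set()
    for name, ip in assets.items():
        net = segment_of(ip, segments)
        if net in critical_nets and name not in declared:
            result.add(str(net))
    return sorted(result)


if __name__ == "__main__":
    print("critical scope:", sorted(expand_critical(ASSETS, DECLARED_CRITICAL, SEGMENTS)))
    print("pulled in by segment:", sorted(newly_in_scope(ASSETS, DECLARED_CRITICAL, SEGMENTS)))
    print("segments to isolate:", mixed_segments(ASSETS, DECLARED_CRITICAL, SEGMENTS))
```

With the sample inventory the order gateway becomes critical because it shares 10.10.1.0/24 with the trading engine, and that segment is reported as mixed; moving the gateway to its own segment (or accepting it as critical) is the kind of decision the IT committee oversight in the zero trust clarification is meant to cover.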

These changes indicate SEBI’s intent to shift away from a strict compliance-driven model towards a more risk-based and context-sensitive approach, while also aligning Indian market practices with global cybersecurity norms.

Part C: Re-categorization of Portfolio Managers and Merchant Bankers

To ensure proportionate compliance, SEBI has revised the thresholds for categorizing Portfolio Managers and Merchant Bankers, treating the two as distinct categories.

SEBI has introduced new criteria for classifying Portfolio Managers and Merchant Bankers so that compliance obligations are proportionate. Portfolio Managers are now categorized into Qualified, Mid-size, Small-size, and Self-certification REs based on their AUM. Merchant Bankers, by contrast, are generally categorized as Small-size REs, and inactive companies are not subject to CSCRF obligations.

This reclassification represents a significant policy shift towards risk-based regulation. To prevent unnecessary burden on smaller entities, SEBI aims to adjust its obligations based on the size and nature of business activity while maintaining systemic resilience.

Part D: Cyber Security Audit Policy Guidelines from CERT-In

The circular integrates the Cyber Security Audit Policy Guidelines[1] issued by the Indian Computer Emergency Response Team (“CERT-In”). These guidelines serve two purposes. Firstly, they assist organizations being audited in preparing for audits, understanding requirements, and addressing deficiencies. Secondly, the guidelines provide auditing organizations with a structured framework to conduct rigorous, fair, and transparent cyber security audits. They outline the auditor’s responsibilities, methodologies, and best practices, enabling them to provide independent, impartial and constructive recommendations that strengthen the auditee’s cyber security.[2]

Stock Exchanges and Depositories are directed to make the necessary amendments to their relevant bylaws, rules and regulations to implement the above direction, to bring the provisions of the circular to the notice of their members/participants, and to disseminate the same on their websites. BSE Limited is likewise directed to amend its relevant bylaws, rules and regulations and, in addition, to bring the provisions of the circular to the notice of Investment Advisers (“IAs”) and Research Analysts (“RAs”).[3]

Harmonization is employed to ensure the uniformity of cybersecurity audits among all SEBI-regulated entities. By requiring stock exchanges and depositories to protect the confidentiality and integrity of audit reports, SEBI underscores the sensitive nature of cybersecurity-related information.

Policy Implications

The August 2025 circular strengthens India’s financial sector cybersecurity framework in several ways. First, it introduces a coherent compliance framework that minimizes regulatory overlap and duplication. Second, by embedding risk-based clarifications, it ensures that cybersecurity expectations are realistic and achievable. Third, by aligning with IOSCO principles and international practices, SEBI enhances the global credibility of India’s market infrastructure.

However, challenges remain. Smaller entities may still find compliance resource-intensive despite proportionate categorization. Moreover, the success of the framework depends on the quality of audit processes and the ability of entities to integrate technical clarifications into daily operations. Continuous monitoring, capacity building, and inter-regulatory coordination will therefore be critical to sustaining the framework’s effectiveness.

Conclusion

SEBI’s August 2025 circular marks an important step in India’s evolving cybersecurity regime. It provides clear guidelines with a measure of flexibility, balancing sound regulation with alignment to global standards, and so helps build a strong, secure and modern capital market. The main task now is to put these rules into practice, evaluate how well they work, and update them as new cyber threats and technological changes emerge. The circular reflects SEBI’s forward-looking planning and its commitment to protecting investors and preserving market stability in the digital era.


[1] https://www.cert-in.org.in/PDF/Comprehensive_Cyber_Security_Audit_Policy_Guidelines.pdf

[2] https://www.cert-in.org.in/PDF/Comprehensive_Cyber_Security_Audit_Policy_Guidelines.pdf

[3] https://www.sebi.gov.in/legal/circulars/aug-2025/technical-clarifications-to-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_96329.html