Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

Circular

SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184

December 31, 2024

To,

All Alternative Investment Funds (AIFs)

All Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)

All Clearing Corporations

All Collective Investment Schemes (CIS)

All Credit Rating Agencies (CRAs)

All Custodians

All Debenture Trustees (DTs)

All Depositories

All Designated Depository Participants (DDPs)

All Depository Participants through Depositories

All Investment Advisors (IAs) / Research Analysts (RAs)

All KYC Registration Agencies (KRAs)

All Merchant Bankers (MBs)

All Mutual Funds (MFs)/ Asset Management Companies (AMCs)

All Portfolio Managers

All Registrar to an Issue and Share Transfer Agents (RTAs)

All Stock Brokers through Exchanges

All Stock Exchanges

All Venture Capital Funds (VCFs)

Dear Sir / Madam,

Subject: Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

1. Recognising the need for robust cybersecurity measures and protection of data and IT infrastructure, Securities and Exchange Board of India (SEBI) has issued ‘Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)’ vide circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024. This framework is a necessary evolution to the changing threat landscape and rapid technological advancements and is designed to ensure that SEBI REs maintain a robust cybersecurity posture, remain equipped with adequate cyber resiliency measures and can withstand, respond to, and recover from cyber threats effectively.

2. Upon receipt of various queries from REs seeking clarifications on the aforementioned circular, it has been decided to clarify as under:

2.1. Regulatory forbearance:

With regard to the compliance requirements, which are effective from January 01, 2025 under the CSCRF, regulatory forbearance is provided till March 31, 2025. For any non-compliance during this period that comes to the notice of the regulator, no regulatory action shall be taken provided the REs are able to demonstrate meaningful steps taken / progress made in implementation of CSCRF. An opportunity shall be given to the REs to demonstrate the same before any regulatory action is considered by SEBI.

2.2. Extension of compliance dates for Regulated Entities (REs):

While the circular is effective from January 01, 2025, the date of compliance of CSCRF for the following REs has been extended based on the feedback received on the rationalisation of categorisation of certain REs:

2.2.1 KYC Registration Agencies (KRAs): Compliance timeline is extended from January 01, 2025 to April 01, 2025.

2.2.2 Depository Participants (DPs): Compliance timeline is extended from January 01, 2025 to April 01, 2025.

2.3. Data Security Standard with regard to Data Localisation:

Based on the feedback received on the provisions of Data Localisation, a need is felt for further consultations. Accordingly, the guidelines and provisions with regard to Data Localisation [Data Security standard (PR.DS.S2)] have been kept in abeyance until further notification.

3. The provisions of this Circular shall come into force with immediate effect.

4. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.

5. This circular is issued with the approval of Competent Authority.

6. This circular is available on SEBI website at www.sebi.gov.in under the category “Legal” and drop “Circulars”.

Yours faithfully,

Shweta Banerjee

General Manager

Phone: 022-26449509 / Email: [email protected]