SEBI’s Cybersecurity Clarifications: Raising the Bar for Financial Market Resilience

The Securities and Exchange Board of India (SEBI) has issued a crucial set of technical clarifications to its Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities (REs), signalling a sharper focus on operational robustness, regulatory harmonization and market-wide cyber hygiene. This move is timely and necessary, given the increasing frequency of cyber incidents that threaten not just individual institutions but the systemic integrity of India’s capital markets.

Clearing the Fog

While SEBI first introduced CSCRF in August 2024, subsequent feedback from regulated entities spanning brokers, mutual funds, depositories, merchant bankers, portfolio managers and others highlighted the need for clarity. Many REs operate under multiple regulators, such as the Reserve Bank of India (RBI) or IRDAI, creating overlaps and compliance ambiguity.

SEBI’s latest circular streamlines implementation through two key principles: Exclusivity and Equivalence. Exclusivity restricts SEBI’s cyber audit to systems used solely for SEBI-regulated activities, while Equivalence accepts compliance with another regulator’s cyber norms as meeting SEBI’s requirements where frameworks align. This dual approach reduces duplication, improves audit efficiency and aligns Indian financial regulation with global best practices in supervisory coordination.

Sharpening Technical Standards

The clarifications also refine several key cybersecurity requirements:

  • Critical System Definition: Any system on the same network segment as core business platforms now falls under the “critical” category, so network placement, not only a host’s function, determines which systems attract the stricter controls for critical systems.
  • Zero-Trust Security: Instead of mandating a rigid model, SEBI allows entities to adopt strategies such as segmentation and high availability, subject to IT Committee approval.
  • Audit Reporting Discipline: Entities must submit structured Vulnerability Assessment and Penetration Testing (VAPT) and cyber audit summaries in SEBI’s prescribed format, avoiding unnecessary exposure of sensitive vulnerability details.
  • Disaster Recovery and Resilience: Entities must demonstrate the capability to resume critical operations within two hours of a disruption (a two-hour Recovery Time Objective, RTO), in line with IOSCO standards, while maintaining a 15-minute Recovery Point Objective (RPO).
  • Market-SOC Onboarding: Smaller entities without dedicated Security Operations Centres (SOCs) can leverage NSE and BSE’s shared infrastructure for cost-efficient cyber resilience.
  • ISO 27001 Certification: Recommended, but not mandatory, for qualified entities, encouraging global-standard practices without overburdening smaller REs.
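The “same network segment” rule in the first bullet is the one most REs will have to operationalize against their own asset inventory, because it pulls non-core hosts into critical scope purely by where they sit on the network. The script below is an added example written for this article; it is not SEBI’s text, nor any exchange’s or RE’s tooling. It assumes the RE’s network team can supply the list of segment CIDRs and that the asset inventory records each host’s address and whether it is a designated core business platform. The segment ranges, host names and addresses are constructed for illustration.

```python
"""Classify an asset inventory under the 'same network segment' rule.

Added example, not SEBI's or any regulated entity's code. Assumptions:
  - network segments are supplied as CIDR blocks (constructed below);
  - the inventory marks which hosts are designated core business platforms;
  - any host that shares a segment with a core platform is treated as critical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    core: bool = False  # True when the RE designates it a core business platform


CORE = "critical (core platform)"
CO_LOCATED = "critical (same segment as a core platform)"
NON_CRITICAL = "non-critical"
UNSEGMENTED = "unsegmented (address not in any declared segment; review inventory)"


def find_segment(ip, segments):
    """Return the declared segment containing ip, or None if no segment matches."""
    addr = ipaddress.ip_address(ip)
    for seg in segments:
        if addr in seg:  # False across IPv4/IPv6, so mixed inventories are safe
            return seg
    return None


def classify(assets, segment_cidrs):
    """Map each asset name to its classification label.

    A core platform is always critical. Any other host whose address falls
    inside a segment that also contains a core platform is critical by
    co-location. Hosts outside every declared segment are flagged for review
    rather than silently treated as non-critical, since an undeclared segment
    is exactly where scope errors hide.
    """
    segments = [ipaddress.ip_network(c, strict=True) for c in segment_cidrs]
    placement = {a.name: find_segment(a.ip, segments) for a in assets}
    # Segments that host at least one core platform; a core host with no
    # declared segment still counts as critical itself but cannot 'infect'
    # neighbours we do not know about.
    core_segments = {
        placement[a.name] for a in assets if a.core and placement[a.name] is not None
    }
    labels = {}
    for a in assets:
        seg = placement[a.name]
        if a.core:
            labels[a.name] = CORE
        elif seg is None:
            labels[a.name] = UNSEGMENTED
        elif seg in core_segments:
            labels[a.name] = CO_LOCATED
        else:
            labels[a.name] = NON_CRITICAL
    return labels


def critical_scope(labels):
    """Sorted names of every asset that falls inside the critical category."""
    return sorted(name for name, label in labels.items() if label.startswith("critical"))


# Constructed sample inventory (not real infrastructure).
SAMPLE_SEGMENTS = ["10.10.1.0/24", "10.10.2.0/24", "10.20.0.0/16"]
SAMPLE_ASSETS = [
    Asset("oms-db", "10.10.1.10", core=True),   # order management database
    Asset("oms-app", "10.10.1.11"),             # shares the segment with oms-db
    Asset("hr-portal", "10.10.2.5"),            # separate segment, no core host
    Asset("dev-jump", "10.20.3.7"),             # separate segment, no core host
    Asset("lobby-printer", "172.16.9.9"),       # not in any declared segment
]

if __name__ == "__main__":
    result = classify(SAMPLE_ASSETS, SAMPLE_SEGMENTS)
    for name, label in result.items():
        print(f"{name:14} {label}")
    print("critical scope:", critical_scope(result))
```

The point to notice in the output is oms-app: it is an ordinary application host with no special designation, yet it is in scope because it sits next to oms-db. Running a classifier like this against the real inventory before the audit, rather than reasoning from a list of “important” applications, is what keeps the VAPT scope and the critical-system register consistent.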

Importantly, SEBI has also aligned its cybersecurity audit guidelines with CERT-In’s latest policy framework, ensuring uniformity in risk assessment and incident response across India’s financial sector.

Re-Categorization of Portfolio Managers and Merchant Bankers

The circular revises thresholds for classifying Portfolio Managers and Merchant Bankers under CSCRF obligations. Large asset managers and active merchant bankers fall into higher-compliance categories, while inactive merchant bankers are exempt. This risk-based approach ensures regulatory focus remains proportionate to operational scale and market impact.

What This Means for the Financial Ecosystem

For India’s BFSI sector, fintech innovators, and SME-focused financial intermediaries, these clarifications are more than compliance instructions: they are a call to build cyber resilience as a core business capability. With SEBI now scrutinizing IT governance structures, incident management protocols, and third-party risk assessments, entities can no longer treat cybersecurity as a checklist item.

Moreover, the principle of equivalence encourages entities to harmonize internal controls across regulatory domains, reducing inefficiency and aligning cybersecurity investments with enterprise-wide risk priorities. The circular also reinforces investor confidence by signalling that India’s securities markets are not only expanding but doing so on a foundation of robust digital governance.

From Compliance to Culture

The SEBI directive must be viewed as part of a larger shift from reactive compliance to proactive cyber culture. As financial markets digitize further, integrating AI-driven trading systems, cloud-native infrastructure, and interconnected supply chains, vulnerabilities will multiply. Regulators worldwide are converging on a central theme: resilience is no longer optional.

By tightening definitions, clarifying obligations, and embedding global standards, SEBI is preparing India’s capital markets to withstand cyber shocks without systemic disruption. The challenge now lies with market participants to not only meet the letter of the law but to internalize its spirit, making cybersecurity and operational resilience part of their strategic DNA.
