SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) Announcement

Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) Summary:

The 206th Board meeting of SEBI held in Mumbai on June 27th approved the Cybersecurity and Cyber Resilience Framework (CSCRF), a standard-based approach designed to enhance cybersecurity and resilience among regulated entities (REs). The framework is based on five core goals: Anticipate, Withstand, Contain, Recover, and Evolve, derived from CERT-In’s Cyber Crisis Management Plan (CCMP).

Framework Highlights:

Classification of REs:

• Market Infrastructure Institutions (MIIs)
• Qualified REs
• Mid-size REs
• Small-size REs
• Self-certification REs

Structured Methodology:

Cyber Risk Governance and Management:

• Data Classification and Localization: Classifies data into ‘Regulatory Data’ (mandatory localization) and ‘IT and Cybersecurity Data’ (offshoring allowed with guardrails).
• Security Operations Centres (SOCs): Implementation and periodic efficacy measurement.
• API and Mobile Application Security: Guidelines provided.
• Cyber Capability Index (CCI): To assess cyber resilience.
• Software Bill of Materials (SBOM): To mitigate supply chain risks.

Compliance Timeline:

• Existing cybersecurity and cyber resilience circular entities: by January 01, 2025.
• New entities under CSCRF: by April 01, 2025.

This framework aims to strengthen the security posture of REs, ensuring robust cybersecurity and resilience against cyber threats.

References 

• SEBI Board Approval of CSCRF – https://www.sebi.gov.in/media-and-notifications/press-releases/jun-2024/sebi-board-meeting_84448.html

• SEBI Consultation Paper on Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities https://www.sebi.gov.in/reports-and-statistics/reports/jul-2023/consultation-paper-on-consolidated-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities_73442.html