In an important development for financial market participants, the Securities and Exchange Board of India (SEBI) has announced a three-month extension for compliance with its Cybersecurity and Cyber Resilience Framework (CSCRF). The updated deadline for implementation is now June 30, 2025.
Background: What is the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)?
On August 20, 2024, SEBI introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) through circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113. This framework is a significant step aimed at fortifying the cybersecurity posture of SEBI-regulated entities (REs), given the growing threats to IT infrastructure and sensitive data in the financial sector.
The Cybersecurity and Cyber Resilience Framework (CSCRF) mandates comprehensive security measures, including risk assessments, monitoring, incident response, recovery mechanisms, and governance structures. It aims to ensure that entities not only defend against cyber threats but also have the resilience to recover quickly in the event of a breach.
SEBI followed this with a clarification circular on December 31, 2024 (Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184) to address implementation queries from stakeholders.
Whom is the Cybersecurity and Cyber Resilience Framework (CSCRF) Applicable To?
The original Cybersecurity and Cyber Resilience Framework (CSCRF) framework is applicable to a wide range of SEBI-regulated entities, including:
- Alternative Investment Funds (AIFs)
- Mutual Funds / AMCs
- Credit Rating Agencies (CRAs)
- Venture Capital Funds (VCFs)
- Stock Brokers
- Portfolio Managers
- Investment Advisors / Research Analysts
- Depositories and Depository Participants
- Merchant Bankers, Custodians, and more
This wide net ensures a consistent and robust cybersecurity approach across India’s capital markets ecosystem.
What’s New in the March 2025 Circular?
The latest circular, issued on March 28, 2025 | Circular No.: SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2025/45 responds to several requests from entities seeking more time to comply with the framework.
Acknowledging the need for smooth implementation, SEBI has extended the compliance deadline by three months, up to June 30, 2025.
However, this extension does not apply to:
- Market Infrastructure Institutions (MIIs) such as stock exchanges and clearing corporations
- KYC Registration Agencies (KRAs)
- Qualified Registrars to an Issue and Share Transfer Agents (QRTAs)
These entities are expected to adhere to the original deadlines, likely due to their critical roles in market operations and data integrity.
What Should Regulated Entities Do Now?
Entities benefiting from the extension must use this additional time wisely. They should:
- Complete risk assessments and gap analyses
- Finalize and operationalize their cybersecurity frameworks
- Ensure training, awareness, and internal controls are in place
- Prepare to submit compliance status to SEBI and relevant exchanges or depositories
Final Thoughts
SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) initiative is a timely and essential move to protect the integrity of India’s financial markets from increasing cyber threats. The recent extension is a recognition of practical challenges but should not be mistaken for leniency. The June 30, 2025 deadline gives entities a final window to align with best-in-class cybersecurity practices.
Recent Comments