SEBI’s New Cybersecurity Mandate

Posted by: Sairaj Mahesh Nukala Date: 28 Mar 2025

INTRODUCTION: SEBI’S NEW CYBERSECURITY MANDATE

The Securities and Exchange Board of India (SEBI) has introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) to enhance cyber defences across the financial ecosystem. As cyber threats continue to evolve, this mandate ensures that SEBI-regulated entities implement stringent cybersecurity measures to protect sensitive financial data.

With compliance deadlines approaching in 2025, organisations must act swiftly to align their cybersecurity policies with CSCRF requirements. TÜV SÜD, a global leader in cybersecurity assessments and compliance, is here to help businesses navigate these regulations effectively.

WHO NEEDS TO COMPLY WITH SEBI’S CSCRF?

The CSCRF applies to a wide range of SEBI-regulated entities, including:

  • Stock exchanges
  • Clearing corporations
  • Depositories
  • Stockbrokers
  • Depository participants
  • Asset Management Companies (AMCs)
  • Mutual funds
  • KYC Registration Agencies (KRAs)
  • Portfolio managers
  • Alternative Investment Funds (AIFs)
  • Investment advisers
  • Credit rating agencies
  • Market intermediaries

If your organisation falls under any of these categories, compliance with CSCRF is mandatory; failing to comply exposes you to penalties and operational disruptions.

KEY COMPONENTS OF SEBI’S CYBERSECURITY AND CYBER RESILIENCE FRAMEWORK (CSCRF)

The CSCRF mandates a structured approach to cybersecurity, covering six key areas:

  1. Governance
    • Establish a Cybersecurity Governance Framework
    • Form a Cybersecurity Committee at the board level to oversee cyber risk management
    • Develop and implement cybersecurity policies approved by the board
  2. Identification
    • Maintain an inventory of critical assets and data
    • Conduct regular risk assessments to identify vulnerabilities
    • Classify data based on sensitivity and criticality
  3. Protection
    • Implement access controls and authentication mechanisms
    • Deploy encryption for sensitive data (at rest and in transit)
    • Ensure secure configuration of systems and applications
    • Provide cybersecurity training and awareness programs for employees
  4. Detection
    • Establish Security Operations Centers (SOCs) for continuous monitoring
    • Implement intrusion detection and prevention systems (IDPS)
    • Utilise Security Information and Event Management (SIEM) tools
  5. Response
    • Develop and maintain an incident response plan
    • Establish timely reporting procedures for cyber incidents to SEBI and other stakeholders
    • Conduct regular incident response drills and simulations
  6. Recovery
    • Implement business continuity and disaster recovery (BCDR) plans
    • Ensure regular backups of critical data and systems
    • Periodically test recovery procedures for effectiveness

CSCRF COMPLIANCE DEADLINES

SEBI has provided a phased implementation plan for different entities:

Phase   | Entities Covered                                                                                                                                                 | Compliance Deadline
Phase 1 | Stock Exchanges, Clearing Corporations, Depositories                                                                                                             | 1 January 2025
Phase 2 | Stock Brokers, Depository Participants, AMCs, Mutual Funds, KRAs, Portfolio Managers, AIFs, Investment Advisers, Credit Rating Agencies, Market Intermediaries | 1 April 2025

Organisations must act now to ensure compliance within the stipulated timeline.

HOW TÜV SÜD ENSURES COMPLIANCE WITH SEBI’S CSCRF

At TÜV SÜD, we provide expert cybersecurity audits and assessments to help organisations achieve full compliance with SEBI’s CSCRF. Our services are designed to address all CSCRF components, ensuring a secure and resilient IT infrastructure.

  1. Cybersecurity Regulatory Audits
    • In-depth assessments tailored to SEBI’s CSCRF compliance requirements
    • Review of existing cybersecurity policies, procedures, and governance structures
    • Gap analysis and customised compliance roadmap
  2. Data Protection and Digital Privacy (DPDP) Compliance
  3. Third-Party Vendor Risk Assessments
    • Evaluate third-party cybersecurity risks to prevent supply chain vulnerabilities
    • Implement vendor security standards and monitoring mechanisms
    • Conduct regular audits of third-party vendors handling critical data
  4. PCI DSS Compliance for Financial Institutions
    • Assist payment service providers in complying with PCI DSS standards
    • Ensure secure transaction processing to prevent fraud
    • Implement network security controls for payment systems
  5. Security Awareness and Training Programs
    • Conduct employee training sessions on cyber threats and incident response
    • Develop cyber hygiene best practices for secure data handling
    • Implement phishing simulation exercises to strengthen cybersecurity awareness

WHY CHOOSE TÜV SÜD FOR CSCRF COMPLIANCE?

TÜV SÜD has a proven track record in cybersecurity and regulatory compliance. Here’s why we are the best partner for your CSCRF compliance journey:

  • Global expertise – Decades of experience in cybersecurity and compliance audits
  • Tailored solutions – Customised assessments based on your organisation’s risk profile
  • SEBI compliance focus – Specialised services for CSCRF compliance
  • End-to-end support – From risk assessment to implementation and monitoring

By partnering with TÜV SÜD, you can ensure seamless compliance with SEBI’s CSCRF, safeguarding your organisation against cyber threats and regulatory penalties.

FREQUENTLY ASKED QUESTIONS (FAQs)

  1. What is SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF)?
    SEBI’s CSCRF is a mandatory cybersecurity framework designed to enhance the cyber resilience of financial entities under SEBI’s regulation. It sets out guidelines on governance, protection, detection, response and recovery against cyber threats.
  2. Which entities must comply with CSCRF?
    Stock exchanges, clearing corporations, depositories, brokers, asset management companies, mutual funds, portfolio managers, and other market intermediaries must comply with CSCRF by 1 January 2025 (Phase 1) or 1 April 2025 (Phase 2).
  3. How can TÜV SÜD help with CSCRF compliance?
    TÜV SÜD provides cybersecurity audits, compliance assessments, third-party risk evaluations, and security training programs to ensure full alignment with SEBI’s CSCRF.
  4. What are the penalties for non-compliance with CSCRF?
    Non-compliance may lead to regulatory penalties, reputational damage, operational disruptions, and financial losses due to cybersecurity incidents.
  5. How can my organisation start the CSCRF compliance process?
    You can start by conducting a cybersecurity gap assessment with TÜV SÜD to evaluate your current security posture and create a compliance roadmap.

FINAL THOUGHTS: ACT NOW FOR A SECURE FUTURE

With SEBI’s CSCRF compliance deadlines approaching, organisations must proactively implement cybersecurity measures. TÜV SÜD is here to help with expert cybersecurity assessments, compliance audits, and regulatory guidance to ensure your business remains secure, compliant, and resilient in the face of evolving cyber threats.

Contact us here today to begin your CSCRF compliance journey.