The Securities and Exchange Board of India (SEBI) has recently provided crucial clarifications regarding the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs). This update aims to ensure compliance with evolving cybersecurity requirements and addresses the queries raised by stakeholders. Below, we break down these updates for a clear understanding of their implications.
Regulatory Forbearance Period
SEBI has introduced a regulatory forbearance period from January 1, 2025, to March 31, 2025. During this period, any non-compliance brought to SEBI’s attention will not lead to regulatory action, provided that the REs can demonstrate:
Meaningful steps towards implementation of CSCRF requirements.
Progress made in achieving compliance.
This forbearance allows REs to refine their cybersecurity measures without immediate punitive consequences, offering them the opportunity to present evidence of their efforts before any action is considered.
Extended Compliance Deadlines
For certain entities, SEBI has extended the compliance deadline based on stakeholder feedback:
KYC Registration Agencies (KRAs): New deadline – April 1, 2025.
Depository Participants (DPs): New deadline – April 1, 2025.
This extension acknowledges the challenges faced by these entities in aligning with the framework and provides additional time to meet the prescribed standards.
Data Localisation Standards on Hold
SEBI has deferred the implementation of Data Localisation standards (PR.DS.S2) due to the need for further consultations. This pause reflects SEBI’s commitment to ensuring that these guidelines are practical and effective before they are enforced.
Key Takeaways for Regulated Entities
Immediate Action Required: Although the forbearance period provides some leeway, entities should proactively initiate and demonstrate progress in CSCRF implementation.
Stay Updated on Data Localisation: Entities should monitor updates from SEBI regarding the pending Data Localisation standards to prepare for eventual compliance.
Utilize the Extended Deadlines Wisely: KRAs and DPs should use the additional time to address compliance gaps and enhance their cybersecurity frameworks.
Why This Matters
The CSCRF framework is a critical step in fortifying the cybersecurity posture of entities operating in India’s financial markets. It ensures resilience against the dynamic threat landscape, bolstering investor confidence and safeguarding the integrity of IT infrastructure.
Next Steps
Regulated Entities should:
Conduct a thorough assessment of their current cybersecurity measures.
Develop a clear roadmap to achieve compliance within the specified timelines.
Leverage this regulatory forbearance to align their systems and processes with SEBI’s expectations.
Stay Ahead with Expert Guidance
Navigating these requirements can be complex. For comprehensive support and actionable insights, connect with Zeron’s experts to ensure your cybersecurity framework meets regulatory standards while optimizing for operational resilience.
