Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) - SEBI - SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2024/184

CIRCULAR SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2024/184 December 31, 2024 To, All Alternative Investment Funds (AIFs) All Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs) All Clearing Corporations All Collective Investment Schemes (CIS) All Credit Rating Agencies (CRAs) All Custodians All Debenture Trustees (DTs) All Depositories All Designated Depository Participants (DDPs) All Depository Participants through Depositories All Investment Advisors (IAs) / Research Analysts (RAs) All KYC Registration Agencies (KRAs) All Merchant Bankers (MBs) All Mutual Funds (MFs)/ Asset Management Companies (AMCs) All Portfolio Managers All Registrar to an Issue and Share Transfer Agents (RTAs) All Stock Brokers through Exchanges All Stock Exchanges All Venture Capital Funds (VCFs) Dear Sir / Madam, Subject: Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) 1. Recognising the need for robust cybersecurity measures and protection of data and IT infrastructure, Securities and Exchange Board of India (SEBI) has issued Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) vide circular SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 . This framework is a necessary evolution to the changing threat landscape and rapid technological advancements and designed to ensure that SEBI REs maintain robust cybersecurity posture, remain equipped with adequate cyber resiliency measures and can withstand, respond to, and recover from cyber threats effectively. 2. Upon receipt of various queries from REs seeking clarifications on the aforementioned circular, it has been decided to clarify as under: 2.1. Regulatory forbearance: With regard to the compliance requirements, which are effective from January 01, 2025 under the CSCRF, regulatory forbearance is provided till March 31, 2025. For any non-compliance during this period that comes to the notice of the regulator, no regulatory action shall be taken provided the REs are able to demonstrate meaningful steps taken / progress made in implementation of CSCRF. An opportunity shall be given to the REs to demonstrate the same before any regulatory action is considered by SEBI. 2.2. Extension of compliance dates for Regulated Entities (REs) : While the circular is effective from January 01, 2025, the date of compliance of CSCRF for following REs has been extended based on the feedback received on the rationalisation of categorisation of certain REs: a. KYC Registration Agencies (KRAs) : Compliance timeline is extended from January 01, 2025 to April 01, 2025. b. Depository Participants (DPs) : Compliance timeline is extended from January 01, 2025 to April 01, 2025. 2.3. Data Security Standard with regard to Data Localisation: Based on the feedback received on the provisions of Data Localisation, a need is felt for further consultations. Accordingly, the guidelines and provisions with regard to Data Localisation [Data Security standard (PR.DS.S2)] has been kept in abeyance until further notification. 3. The provisions of this Circular shall come into force with immediate effect. 4. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange of India Act, 1992 , to protect the interests of investors in securities and to promote the development of, and to regulate the securities market. 5. This circular is issued with the approval of Competent Authority. 6. This circular is available on SEBI website at www.sebi.gov.in under the category Legal and drop Circulars . Yours faithfully, Shweta Banerjee General Manager Phone: 022-26449509 Email: [email protected]