Market Regulator SEBI's Cybersecurity Framework

The Securities and Exchange Board of India (SEBI) has requested updates from banks on the implementation of the Cybersecurity and Cyber Resilience Framework (CSCRF).

Key Requirements and Implementation Deadlines

• Banks are required to report the number of CSCRF controls adopted and highlight ongoing challenges.
• The deadline for full implementation has been extended twice, now set for June 30, 2025.

Framework Objectives and Requirements

• The framework aims to address evolving cyber threats and requires audit reports submission.
• Introduction of a Cyber Capability Index (CCI) to assess cybersecurity readiness.
• Compliance certificates with CSCRF must be submitted to SEBI and, if listed, to stock exchanges.

Specific Banking Roles and Responsibilities

• Self-certified syndicate banks offer the Application Supported by Blocked Amount facility.
• Banker to an issue (BTI) manages tasks such as application processing and handling financial transactions related to stock issues.

Implementation Challenges and Extensions

• SEBI has granted protection from regulatory action if meaningful progress is demonstrated.
• Banks cited the need for a gap analysis study for effective implementation.
• The previous deadline was extended based on multiple requests for compliance ease.

Provisions and Future Considerations

• The framework includes IT service requirements, SaaS solutions, data classification, and software audits.
• Data localization guidelines have been temporarily suspended pending further consultation.