Cybersecurity Framework (SEBI)
SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) 2023 mandates that Market Infrastructure Institutions and other regulated entities implement structured cybersecurity governance, risk management, technology controls and incident response capabilities proportional to their systemic importance.
SEBI's engagement with cybersecurity regulation has evolved through successive circulars since 2015, culminating in the comprehensive Cyber Security and Cyber Resilience Framework (CSCRF) issued in 2023. The CSCRF replaced earlier piecemeal guidance with a unified, risk-based framework aligned to the NIST Cybersecurity Framework's five functions: Identify, Protect, Detect, Respond and Recover.
Market Infrastructure Institutions (MIIs) — which include recognised stock exchanges, depositories and clearing corporations — bear the most stringent obligations under the CSCRF given their systemic criticality. They are classified in the highest maturity tier and must meet requirements including maintaining a dedicated Security Operations Centre (SOC), conducting annual penetration testing by CERT-In-empanelled auditors, implementing a comprehensive Vulnerability Management Programme, ensuring data localisation of all market data within India, and maintaining board-level Technology Risk Management committees.
Brokers, portfolio managers, investment advisers, mutual funds and other regulated intermediaries are categorised in lower tiers with requirements scaled to their size and risk profile. All regulated entities must have a designated Chief Information Security Officer (CISO), a board-approved cybersecurity policy, an incident response plan tested through tabletop exercises, and must report cybersecurity incidents to SEBI and CERT-In within prescribed timelines.
The CSCRF also addresses supply chain risk. Regulated entities must assess the cybersecurity posture of their technology vendors and cloud service providers and ensure contractual protections for data and system access. Third-party risk management has become a significant compliance burden, particularly for entities using cloud infrastructure or outsourced technology services.
For publicly listed financial sector entities, cybersecurity incidents that materially affect operations or result in data breaches may constitute price-sensitive information requiring disclosure under the SEBI LODR Regulations. The CSCRF's increasing rigour reflects SEBI's recognition that a cyberattack on an MII or large intermediary could cause systemic disruption to market operations and investor confidence.