Sebi Clarifies Cybersecurity Framework

New Delhi, Aug 28 (PTI) Markets regulator Sebi on Thursday clarified that the cybersecurity and cyber resilience framework (CSCRF) applies only to systems used exclusively for its regulated activities.

Shared infrastructure will also be audited if not already covered by the RBI or another regulator.

Further, if regulated entities (REs) comply with RBI (or other regulator) cybersecurity rules that are equivalent to Sebi's, such compliance will be accepted by the markets watchdog.

In its circular, Sebi also elaborated on the definition of critical systems, stating that it includes all systems that affect core operations, store or transmit regulatory data, client-facing applications, internet-facing systems, and other systems on the same network.

REs have been asked to adopt zero-trust principles such as network segmentation, high availability, and avoiding single points of failure with approval from their IT Committees.

The regulator said that guidelines relating to mobile applications are recommendatory, not mandatory, while for cyber crisis response, entities must act as per their Cyber Crisis Management Plan instead of issuing press releases.

The regulator further clarified that deploying tools like threat simulations, vulnerability management, and decoy systems is encouraged but not compulsory.

Entities are also required to assess third-party/vendor risks in consultation with their IT Committees.

On audit-related matters, Sebi said, "While receiving and handling cyber audit reports submitted by their members, stock exchanges and depositories shall ensure that adequate safeguards are in place to maintain the confidentiality and integrity of such reports".

In terms of disaster recovery, REs must be capable of resuming critical operations within two hours (RTO), maintain a 15-minute Recovery Point Objective (RPO), and plan for scenarios where timelines are not met, Sebi said.

The regulator has also revised the thresholds and categorisation of regulated entities under the CSCRF. For Portfolio Managers, those with Assets Under Management (AUM) of Rs 10,000 crore and above will be categorised as Qualified REs, while those managing between Rs 3,000 crore and Rs 10,000 crore will fall under the Mid-size RE category.

Portfolio managers with AUM of Rs 3,000 crore or below will be treated as Small-size REs, and those below the minimum threshold may be classified as Self-certification REs with simplified compliance requirements.

For Merchant Bankers (MBs), all active MB-- those undertaking merchant banking activities during the relevant period--will be classified as Small-size REs for compliance purposes, while inactive MBs will be exempt from CSCRF provisions.