Sebi has extended the deadline for regulated entities to adopt a cybersecurity framework to June 2025, citing requests for more time. The framework aims to enhance cyber resilience.
The decision follows feedback from stakeholders requesting more time to adapt to the Industry Standards, which outline the minimum information required for review by audit committees and shareholders approving related party transactions.
The framework is designed to ensure that Sebi-regulated entities (REs) maintain a robust cybersecurity posture, remain equipped with adequate cyber resiliency measures and can withstand, respond to, and recover from cyber threats, effectively.
The move came after Sebi received multiple requests for extension of timelines to ensure ease of compliance for them.
“Therefore, it has been decided to extend the compliance timelines by three (3) months, i.e., till June 30, 2025, to all REs, except Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs),” Sebi said in a circular.
Recognising the need for robust cybersecurity measures and protection of data and IT infrastructure, the Securities and Exchange Board of India (Sebi) issued the Cybersecurity and Cyber Resilience Framework (CSCRF) for its regulated entities in August 2024.
After receiving various queries from REs seeking clarification on the framework, Sebi issued a clarification in December.
The CSCRF is a significant step in adapting towards evolving cyber risks and technological advancements.
The regulator emphasised that the framework aims to enhance the resilience of regulated entities, enabling them to withstand and recover from cyber incidents effectively.
The cybersecurity framework outlines strict guidelines for data protection, incident response, and IT infrastructure security. It requires market participants to implement robust cybersecurity governance structures, conduct regular audits, and maintain strong defense mechanisms against cyber threats.
