SEBI, vide its circular dated August 29, 2025, has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), supplementing earlier circulars and FAQs issued between August 2024 and June 2025. The clarifications cover principles for REs regulated by multiple regulators (Principle of Exclusivity & Equivalence), technical requirements (VAPT, audits, Market-SOC onboarding, ISO 27001 certification, disaster recovery timelines, applicability of NCIIPC guidelines), and confidentiality safeguards for cyber audit reports. Further, SEBI has revised the categorization thresholds for Portfolio Managers and Merchant Bankers under CSCRF and directed REs to follow CERT-In Cyber Security Audit Policy Guidelines. Stock Exchanges, Depositories, and BSE have been instructed to amend their byelaws, notify members (including IAs and RAs), and implement the directions with immediate effect to strengthen cyber resilience in the securities market.
About the Author
