SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) Announcement
Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) Summary:
The 206th Board meeting of SEBI held in Mumbai on June 27th approved the Cybersecurity and Cyber Resilience Framework (CSCRF), a standard-based approach designed to enhance cybersecurity and resilience among regulated entities (REs). The framework is based on five core goals: Anticipate, Withstand, Contain, Recover, and Evolve, derived from CERT-In’s Cyber Crisis Management Plan (CCMP).
Framework Highlights:
Classification of REs:
- Market Infrastructure Institutions (MIIs)
- Qualified REs
- Mid-size REs
- Small-size REs
- Self-certification REs
Structured Methodology:
Cyber Risk Governance and Management:
- Data Classification and Localization: Classifies data into ‘Regulatory Data’ (mandatory localization) and ‘IT and Cybersecurity Data’ (offshoring allowed with guardrails).
- Security Operations Centres (SOCs): Implementation and periodic efficacy measurement.
- API and Mobile Application Security: Guidelines provided.
- Cyber Capability Index (CCI): To assess cyber resilience.
- Software Bill of Materials (SBOM): To mitigate supply chain risks.
Compliance Timeline:
- Entities already covered by the existing cybersecurity and cyber resilience circular: by January 01, 2025.
- Entities newly covered under CSCRF: by April 01, 2025.
This framework aims to strengthen the security posture of REs, ensuring robust cybersecurity and resilience against cyber threats.
References
- SEBI Board Approval of CSCRF: https://www.sebi.gov.in/media-and-notifications/press-releases/jun-2024/sebi-board-meeting_84448.html
- SEBI Consultation Paper on Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities: https://www.sebi.gov.in/reports-and-statistics/reports/jul-2023/consultation-paper-on-consolidated-cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities_73442.html