Part 4 of 6

SEBI Cyber Security Circular

Master SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) for market infrastructure institutions, stockbrokers, depositories, and other regulated entities in the capital markets.

Duration: ~80 minutes Sections: 4 Quiz: 10 Questions

4.1 Covered Entities

SEBI's cyber security framework applies to all market infrastructure institutions and intermediaries. The requirements vary based on the category and systemic importance of the entity.

Market Infrastructure Institutions (MIIs)

  • Stock Exchanges: NSE, BSE, MSEI, commodity exchanges
  • Clearing Corporations: NSCCL, ICCL, MCX-CCL
  • Depositories: NSDL, CDSL

Critical Infrastructure

MIIs are designated as Critical Information Infrastructure under Section 70 of the IT Act. This imposes additional obligations, including NCIIPC compliance and enhanced security requirements.

SEBI Registered Intermediaries

| Category | Examples | CSCRF Applicability |
|---|---|---|
| Stockbrokers | Full service, discount brokers | Full CSCRF |
| Depository Participants | DP services providers | Full CSCRF |
| Mutual Funds/AMCs | Asset management companies | Full CSCRF |
| Portfolio Managers | PMS providers | Proportionate |
| Investment Advisers | Registered RIAs | Proportionate |
| Credit Rating Agencies | CRISIL, ICRA, CARE | Full CSCRF |
| Merchant Bankers | Category I, II, III | Proportionate |
| KRAs | KYC Registration Agencies | Full CSCRF |

Qualified Registered Market Intermediaries (QRMIs)

SEBI has introduced a tiered approach: RMIs that cross certain thresholds are classified as Qualified RMIs and face enhanced requirements. The thresholds depend on the entity type:

  • Stockbrokers: Based on trading volume, client base, assets handled
  • DPs: Based on number of demat accounts, assets under custody
  • AMCs: Based on AUM thresholds

4.2 CSCRF Framework

The Cyber Security and Cyber Resilience Framework (CSCRF) provides a comprehensive structure for managing cyber risks in capital market entities. It emphasizes both prevention and recovery capabilities.

Key Framework Components

  1. Governance: Board oversight, cyber security policy, risk management committee
  2. Identify: Asset management, risk assessment, threat intelligence
  3. Protect: Access control, data security, security awareness training
  4. Detect: Continuous monitoring, anomaly detection, security event management
  5. Respond: Incident response, communications, mitigation
  6. Recover: Recovery planning, improvements, communications

Governance Requirements

Board Responsibility

The Board of Directors is responsible for approving the cyber security policy, allocating adequate resources, and reviewing the overall cyber security posture at least annually. For MIIs, a dedicated Technology Committee of the Board is mandatory.

Chief Information Security Officer (CISO)

  • Mandatory appointment for MIIs and Qualified RMIs
  • Full-time dedicated role (not combined with other IT functions)
  • Reports to MD/CEO with dotted line to Board/Audit Committee
  • Responsible for policy implementation, incident management, compliance

Technical Controls

| Control Area | Requirements |
|---|---|
| Network Security | Firewalls, IDS/IPS, network segmentation, DMZ architecture |
| Endpoint Security | Anti-malware, host-based IPS, application whitelisting |
| Access Control | MFA for critical systems, privileged access management, periodic access reviews |
| Data Protection | Encryption at rest and in transit, DLP, secure key management |
| Application Security | Secure SDLC, code reviews, VAPT before production deployment |
| Security Monitoring | SIEM, 24x7 SOC (for MIIs), log management, threat intelligence |

Cyber Resilience Requirements

Recovery Objectives

MIIs must maintain a near-zero Recovery Time Objective (RTO) for critical systems. The Business Continuity Plan must be tested at least annually with full DR drills, and the secondary site must be able to handle the full production load.

  • BCP/DR: Documented plans, regular testing, secondary data centers
  • Data Backup: Regular backups, offsite storage, encryption of backup media
  • Incident Recovery: Playbooks for various scenarios, golden images for quick rebuild
  • Communication: Crisis communication plans for stakeholders, regulators, public

4.3 Audit Requirements

SEBI mandates regular audits of cyber security controls. Different categories of entities have varying audit frequencies and scope requirements.

System Audit

Annual System Audit

All regulated entities must conduct an annual System Audit by a CERT-In empaneled auditor. The audit scope covers IT governance, security controls, application controls, and compliance with SEBI circulars.

VAPT Requirements

| Entity Type | Frequency | Scope |
|---|---|---|
| MIIs | Quarterly | All internet-facing and critical internal systems |
| Qualified RMIs | Half-yearly | All internet-facing and trading systems |
| Other Intermediaries | Annually | Internet-facing systems |

Audit Firm Requirements

  • CERT-In Empanelment: System auditors must be on the CERT-In empaneled list
  • Independence: The auditor must not have provided implementation services to the entity it audits
  • Rotation: MIIs must rotate auditors periodically
  • Qualifications: The lead auditor must hold relevant certifications (CISA, CISSP, etc.)

Audit Report Submission

Submission Timeline

System Audit reports must be submitted to SEBI within 3 months of the end of the audit period. MIIs must also submit quarterly compliance reports and notify SEBI immediately of critical findings.

4.4 Reporting Obligations

SEBI has established specific reporting requirements for cyber incidents, system downtime, and periodic compliance. Timely reporting is critical to avoid regulatory action.

Incident Reporting

| Incident Type | Report To | Timeline |
|---|---|---|
| Critical cyber attack (data breach, system compromise) | SEBI, CERT-In, NCIIPC (for MIIs) | Within 6 hours |
| Trading system outage > 30 minutes | SEBI, Stock Exchange | Immediate, with a detailed report within 24 hours |
| Attempted attack (blocked) | Internal CISO; included in periodic report | Monthly summary |
| Vulnerability discovered | CISO; action plan within defined timeline | As per severity |

Periodic Reporting

  • Quarterly Reports: Cyber security status, incidents summary, audit findings status
  • Half-Yearly Reports: VAPT summary, access review reports, training completion
  • Annual Reports: System Audit report, BCP/DR drill results, policy review completion

NCIIPC Reporting (For MIIs)

NCIIPC Compliance

Market Infrastructure Institutions designated as Critical Information Infrastructure must additionally report to NCIIPC (National Critical Information Infrastructure Protection Centre). This includes threat intelligence sharing, vulnerability disclosure, and incident coordination.

Non-Compliance Consequences

  • Warning Letters: For minor or first-time violations
  • Monetary Penalties: For repeated or significant non-compliance
  • Business Restrictions: Suspension of specific activities
  • Registration Action: Cancellation in severe cases
  • Personal Liability: Action against Key Management Personnel

Key Takeaways

  • SEBI CSCRF applies to all MIIs and registered intermediaries with tiered requirements
  • MIIs (exchanges, clearing corps, depositories) are designated Critical Information Infrastructure
  • CISO appointment is mandatory for MIIs and Qualified RMIs
  • Annual System Audit by CERT-In empaneled auditor is mandatory
  • VAPT frequency varies: quarterly for MIIs, half-yearly for QRMIs, annually for others
  • Critical incidents must be reported within 6 hours to SEBI and CERT-In
  • MIIs must also comply with NCIIPC reporting requirements

Part 4 Assessment Quiz

Test Your Knowledge

10 questions on SEBI Cyber Security requirements
