Q&A Format for SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)

Introduction

Q1: Why has SEBI introduced the Cybersecurity and Cyber Resilience Framework (CSCRF)?

SEBI introduced CSCRF to enhance cybersecurity and cyber resilience in the securities market, ensuring a uniform cybersecurity standard across all regulated entities (REs) and strengthening their ability to deal with cyber threats and incidents.

Q2: What are the key objectives of CSCRF?

The key objectives are:

  • Address evolving cyber threats.
  • Align with global cybersecurity standards.
  • Encourage efficient audits.
  • Ensure compliance among SEBI-regulated entities.
  • Establish standardized formats for cybersecurity reporting.

Q3: What cybersecurity frameworks and standards influenced CSCRF?

CSCRF is influenced by industry standards such as ISO 27000 series, CIS v8, NIST 800-53, BIS Financial Stability Institute, and CPMI-IOSCO guidelines.

Q4: What are the main components of CSCRF?

CSCRF is divided into four main parts:

  1. Objectives and Standards – Defines the goals and compliance measures.
  2. Guidelines – Provides recommendations and mandatory requirements.
  3. Structured Formats for Compliance – Standardized reporting templates.
  4. Annexures and References – Additional guidance and reference materials.

2. Thresholds for REs’ Categorization

Q5: How are SEBI-regulated entities classified under CSCRF?

CSCRF classifies regulated entities into five categories based on operational scope, number of clients, trade volume, and assets under management (AUM):

  1. Market Infrastructure Institutions (MIIs)
  2. Qualified REs
  3. Mid-size REs
  4. Small-size REs
  5. Self-certification REs

Q6: Why is categorization important?
 
Categorization ensures that cybersecurity requirements are proportionate to the entity’s size, complexity, and cyber risk exposure.

Q7: What factors determine an entity’s category?
 
Key factors include:

  • Number of clients served
  • Trading volume and frequency
  • Assets under management (AUM)
  • Level of systemic importance in the securities market

3. IT Committee for REs

Q8: What is the role of the IT Committee under CSCRF?
 
The IT Committee is responsible for:

  • Overseeing cybersecurity risk management.
  • Ensuring compliance with CSCRF standards.
  • Approving cybersecurity policies and incident response plans.
  • Conducting periodic risk assessments and audits.
  • Monitoring third-party IT service providers.

Q9: Which REs are required to establish an IT Committee?
 
Market Infrastructure Institutions (MIIs), Qualified REs, and Mid-size REs must establish an IT Committee, while smaller entities must ensure IT security oversight through alternative governance mechanisms.

Q10: How often should the IT Committee review cybersecurity policies?
 
The IT Committee should conduct reviews at least annually and after significant cybersecurity incidents or regulatory changes.


4. CSCRF Compliance, Audit Report Submission, and Timelines

Q11: What are the key compliance requirements for CSCRF?
 
Key compliance requirements include:

  • Implementing cybersecurity controls and risk management measures.
  • Conducting regular cybersecurity audits.
  • Submitting cybersecurity reports in standard formats.
  • Establishing a Security Operations Center (SOC) for continuous monitoring.

Q12: What are the deadlines for implementing CSCRF?

  • January 1, 2025: For six categories of REs already covered under previous SEBI cybersecurity guidelines.
  • April 1, 2025: For all other REs newly covered under CSCRF.

Q13: What is the role of Market SOC (M-SOC)?
 
Market SOC, set up by NSE and BSE, provides centralized cybersecurity monitoring and response for smaller REs that may not have the resources to establish their own SOC.

Q14: How should REs report cybersecurity incidents?
 
REs must report incidents through SEBI’s incident reporting portal within the specified timelines.


5. Compliance with the Standards/Guidelines

Q15: What are the core cybersecurity principles in CSCRF?
 
CSCRF is based on five cyber resilience goals:

  1. Anticipate – Identify and prepare for cyber threats.
  2. Withstand – Maintain operations despite attacks.
  3. Contain – Limit the spread of cyber incidents.
  4. Recover – Restore systems and operations.
  5. Evolve – Continuously improve security posture.

Q16: How does CSCRF ensure cybersecurity compliance?
 
Compliance is ensured through:

  • Mandatory security controls (e.g., access controls, encryption, monitoring).
  • Periodic cybersecurity audits.
  • Continuous monitoring through SOCs.
  • Structured reporting to SEBI.

6. Structured Formats for CSCRF Compliance

Q17: What structured formats are included in CSCRF for compliance reporting?
 
CSCRF includes standardized compliance report formats, covering:

  • Audit reports
  • Incident reporting templates
  • Cybersecurity risk assessment reports
  • VAPT reports
  • Recovery plan templates

Q18: Why are structured formats necessary?
 
They simplify reporting, ensure consistency, and improve regulatory oversight of cybersecurity measures.

Q19: How often must REs submit compliance reports?
 
Reporting frequency depends on the entity category, but typically includes quarterly and annual submissions.

Q20: What happens if an RE fails to comply with CSCRF?
 
Non-compliance may result in regulatory actions, including penalties and increased scrutiny from SEBI.


Conclusion

The CSCRF is a comprehensive cybersecurity framework designed to enhance cyber resilience in SEBI-regulated entities. By classifying REs, implementing rigorous security controls, and enforcing structured compliance, SEBI aims to strengthen the Indian securities market’s defense against cyber threats.