Sebi issues clarification on cybersecurity norms for regulated entities

Sebi on Tuesday issued clarifications to its Cybersecurity and Cyber Resilience Framework for regulated entities, providing regulatory forbearance and extending compliance deadlines for select categories.

The clarification came after Sebi addressed queries from stakeholders regarding the framework introduced in August this year.

The framework is designed to ensure that Sebi-regulated entities (REs) maintain robust cybersecurity posture, remain equipped with adequate cyber resiliency measures and can withstand, respond to, and recover from cyber threats, effectively.

"With regard to the compliance requirements, which are effective from January 1, 2025, under the framework, regulatory forbearance is provided till March 31, 2025, Sebi said in a circular.

 

During this period, the entities will not face penalties for non-compliance, provided they demonstrate progress in implementing the framework, it added.

Further, the compliance deadline has been extended to April 1, 2025, for KYC registration agencies and depository participants, following feedback on the rationalisation of these categories, as per the circular.

In addition, guidelines related to data localisation under the framework have been put on hold for further consultations. The markets watchdog stated that these provisions, outlined as data security standard, would be notified later.

The CSCRF is a significant step in adapting towards evolving cyber risks and technological advancements.

The regulator emphasised that the framework aims to enhance the resilience of regulated entities, enabling them to withstand and recover from cyber incidents effectively.