---
title: "SEBI’s Strategic Framework: Ensuring Cybersecurity and Resilience and Business Continuity in India’s Financial Sector"
date: 2025-01-03
author: "Rahul Sundaram"
url: https://www.indialaw.in/blog/civil/sebi-cybersecurity-business-finance/
---

# SEBI’s Strategic Framework: Ensuring Cybersecurity and Resilience and Business Continuity in India’s Financial Sector

Posted On - 3 January, 2025

By - [Rahul Sundaram](https://www.indialaw.in/people/rahul-sundaram/ "Posts by Rahul Sundaram")


## Introduction: Pioneering Cybersecurity Resilience

The Securities and Exchange Board of India (SEBI) initially issued the **Cybersecurity and Cyber Resilience Framework (CSCRF)** for Regulated Entities (REs) on **August 20, 2024**, through circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113. This framework was designed to address the rapidly evolving cyber threat landscape and technological advancements. Its goal was to ensure that SEBI-regulated entities maintain robust cybersecurity postures, implement resilience measures, and effectively respond to and recover from cyber threats.

Recognizing the need for further clarity and adjustments, SEBI issued an additional circular on **December 31, 2024** (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184), to address queries and feedback from REs, providing key clarifications and adjustments to the framework.

## Background: Foundations of Cyber Resilience

The CSCRF was developed to strengthen the cybersecurity and resilience standards for regulated entities in the securities market. The framework builds upon foundational guidelines issued in 2015 for Market Infrastructure Institutions (MIIs) and subsequent extensions to other REs. Over the years, SEBI has issued several advisories to promote best practices in cybersecurity.

## Key Objectives of the CSCRF:

1. Strengthening measures to mitigate cyber risks and ensuring robust cyber resilience.
2. Aligning with global cybersecurity standards, such as ISO 27001, NIST, and BIS guidelines.
3. Establishing uniformity in cybersecurity compliance across REs.

The CSCRF supersedes earlier circulars and consolidates prior guidance into a unified approach.

## Objective: Strengthening Cybersecurity Frameworks

The primary goals of the CSCRF include:

1. Mitigating risks from evolving cyber threats.
2. Strengthening cybersecurity frameworks for operational resilience.
3. Enhancing reporting formats for consistent and structured compliance.

This ensures that all REs, regardless of size or scope, achieve adequate cybersecurity standards and are prepared for cyber incidents.

## Approach: A Two-Pronged Strategy

The CSCRF is structured around two core approaches:

1. **Cybersecurity:** Focuses on governance, operational controls, and incident response mechanisms.
2. **Cyber Resilience:** Built upon five key goals:
   - **Anticipate:** Proactively preparing for potential threats.
   - **Withstand:** Maintaining operational continuity during attacks.
   - **Contain:** Isolating and neutralizing threats effectively.
   - **Recover:** Restoring normalcy post-incident.
   - **Evolve:** Continuously improving and adapting to new threats.

## Implementation: A Roadmap for Compliance

The CSCRF outlines a phased and graded approach for REs based on their size and scope:

1. **Categorization of REs:** Divided into five categories (e.g., MIIs, Qualified REs, Mid-size REs).
2. **Compliance Reporting:** Standardized formats introduced for consistent compliance reporting.
3. **Guidance and Standards:** REs must adhere to specific cybersecurity functions:
   - **Governance:** Establishing risk management frameworks, roles, and oversight policies.
   - **Identify:** Classifying assets and analysing threats and vulnerabilities.
   - **Protect:** Implementing network segmentation, data encryption, and secure development practices.
   - **Detect:** Utilizing Security Operations Centers (SOCs) for monitoring.
   - **Respond and Recover:** Developing incident response plans and recovery protocols.
   - **Evolve:** Incorporating adaptive controls and strategies.

Additionally, MIIs and Qualified REs are required to conduct regular **Cyber Capability Index (CCI)** assessments.

## Key Standards and Guidelines: Best Practices in Cybersecurity

The CSCRF emphasizes:

- Implementation of internationally recognized standards, such as ISO 27001.
- Regular assessments, including Vulnerability Assessment and Penetration Testing (VAPT).
- Security-focused development practices, such as the Secure Software Development Lifecycle.

Compliance mechanisms include audits, SOC effectiveness evaluations, and structured incident reporting.

## Clarifications: Updates in the December 31, 2024 Circular

SEBI’s recent circular addresses key clarifications and adjustments:

1. **Regulatory Forbearance:**
   - Compliance with the CSCRF remains effective from **January 1, 2025**, but a grace period extends regulatory forbearance until **March 31, 2025**.
   - During this period, REs that demonstrate meaningful progress in implementing the framework will not face regulatory action. SEBI will evaluate their efforts before considering any penalties.
2. **Extension of Compliance Dates:**
   - **KYC Registration Agencies (KRAs):** Compliance deadline extended to **April 1, 2025**.
   - **Depository Participants (DPs):** Compliance deadline also extended to **April 1, 2025**.
3. **Data Localisation Guidelines:**
   - The implementation of Data Localisation standards (PR.DS.S2) has been deferred for further consultation. These provisions are on hold until SEBI provides additional guidance.

## Effective Date and Legal Basis: Ensuring Robust Governance

- The December 31, 2024, circular is effective immediately, providing clarity on compliance timelines and regulatory measures.
- Issued under **Section 11(1) of the SEBI Act, 1992**, the circular aims to protect investors, promote market development, and regulate the securities market.

## Conclusion: Paving the Way for Cybersecurity Excellence

SEBI’s Cybersecurity and Cyber Resilience Framework reflects its commitment to securing the securities market against evolving cyber threats. By emphasizing robust compliance mechanisms, adaptive strategies, and international standards, SEBI ensures that all regulated entities are well-prepared to navigate the complexities of today’s digital landscape. The clarifications and adjustments in the recent circular demonstrate SEBI’s responsiveness to industry feedback, fostering a collaborative and resilient approach to cybersecurity. Together, these measures set a solid foundation for safeguarding the integrity and stability of India’s financial markets.

For further details write to [contact@indialaw.in](mailto:contact@indialaw.in)
