SEBI’s Cybersecurity clarifications: A step towards a smoother transition
Introduction
On 20 August 2024, the Securities and Exchange Board of India (SEBI) issued the Cybersecurity and Cyber Resilience Framework (Cybersecurity Framework) to provide standards and guidelines for strengthening cyber resilience and maintaining robust cyber security of SEBI regulated entities (REs). Please refer to our detailed analysis of the Cybersecurity Framework here.
Having received various queries from REs, SEBI issued a clarification on 31 December 2024 on the following points:
- Regulatory forbearance
SEBI had initially prescribed that the following REs will be required to comply with the Cybersecurity Framework from 1 January 2025: (a) Market Infrastructure Institutions, (b) Stock-brokers and depository participants, (c) mutual funds / asset management companies, (d) KYC registration agencies, (e) qualified registrar to an issue and share transfer agents, and (f) portfolio managers (collectively, Previously Regulated REs). For all other REs, the effective date was 1 April 2025.
SEBI has now clarified that it will exercise regulatory forbearance during the period from 1 January 2025 to 31 March 2025. Any non-compliance with the requirements under the Cybersecurity Framework which were intended to come into effect on 1 January 2025 will not lead to any action from SEBI, if the relevant REs can: (i) demonstrate meaningful steps taken towards adoption of the Cybersecurity Framework, and (ii) show evidence of progress in adoption of the Cybersecurity Framework.
This gives Previously Regulated REs more time to align their practices with the Cybersecurity Framework, without the threat of immediate regulatory action.
- Extension of compliance dates
The compliance date for KYC registration agents and depository participants has been extended from 1 January 2025 to 1 April 2025.
The extension of the implementation date indicates that KYC registration agents and depository participants are not required to show steps toward adopting the Cybersecurity Framework for SEBI to grant regulatory forbearance. The Cybersecurity Framework will apply to them starting 1 April 2025.
SEBI appears to have taken into account the feedback received on the rationalisation of categorisation of certain REs, and has given these entities more time to meaningfully implement the Cybersecurity Framework.
- Data localization
Based on stakeholder feedback, SEBI has decided to keep the requirements in relation to data localization in abeyance, until further discussions with stakeholders. Data localization requires all data generated by REs to be kept within the boundaries of India. Given that several REs are reliant on third party service providers that may store data outside India, data localization was introduced to retain sovereign control over data, and to ensure SEBI has control over the data. SEBI’s move suggests an intent to consult stakeholders further to balance operational flexibility with data security.
Comment
The extension provided by SEBI serves as a clear indication of the regulator’s commitment to a flexible, collaborative, and consultative approach in addressing critical aspects of cyber and data security. By offering this additional time, SEBI appears to acknowledge the complexities involved in developing and implementing robust security measures, and provides the REs with the necessary opportunity to establish well-structured and comprehensive processes. This will also ensure a more seamless and efficient transition toward stronger cyber security practices.
- Tanu Banerjee (Partner); Ishan Johri (Principal Associate) & Akriti Sirsalewala (Associate)
For any queries please contact: editors@khaitanco.com
© 2024 Khaitan & Co. All rights reserved.