In the rapidly evolving digital financial landscape, timely and regular reporting is crucial for maintaining robust cybersecurity practices. The Securities and Exchange Board of India (SEBI) has established specific timelines for various cybersecurity assessments and reports under its Cyber Security and Cyber Resilience Framework (CSCRF). This guide breaks down the reporting periodicities for different categories of regulated entities.
SEBI has categorized regulated entities into five distinct tiers: Market Infrastructure Institutions (MIIs), Qualified Regulated Entities, Mid-size Regulated Entities, Small-size Regulated Entities, and Self-certification Regulated Entities. Each category has specific reporting requirements appropriate to its size and risk profile.
The categorization is typically based on factors such as assets under management, client base, or transaction volume. A Regulated Entity should review the specific thresholds outlined in the CSCRF circular to determine its classification. The category is decided at the beginning of the financial year based on data from the previous financial year and remains unchanged throughout the year regardless of parameter changes.
No. Once the category of a Regulated Entity is decided at the beginning of the financial year based on the previous year's data, it remains in the same category throughout the financial year, regardless of any changes in parameters during the year. The category is validated by the respective reporting authority at the time of compliance submission.
If Regulated Entity is classified as an MII or Qualified RE, quarterly requirements include IT Committee Meetings, Privileged Users' Activities Review, and Threat Hunting Exercises. For all other categories, IT Committee Meetings are required quarterly (except for Small-size and Self-certification REs, which are exempt from forming an IT Committee).
Half-yearly requirements vary by category. For MIIs, these include Cyber Resilience Third-party Assessment (CCI), Risk Assessment, Third-party Systems Review, SOC Efficacy Review, Red Teaming, Cybersecurity Drills, and contingency plan reviews. For other categories, requirements may include User Access Rights Review and Privileged Users' Activities Review, depending on Regulated Entity's classification.
All categories, including Regulated Entity, must conduct annual Cybersecurity and Cyber Resilience Policy Reviews, Cybersecurity Risk Management Policy Reviews, and Cybersecurity Training Programs. Additional requirements based on category may include Cyber Resilience Self-assessment (for Qualified REs) and Evaluation of Cyber Resilience Posture (for Mid-size and Small-size REs).
The VAPT frequency depends on Regulated Entity's classification. If identified as a Protected System by NCIIPC, VAPT must be conducted at least twice per year (once in each half of the financial year). For other categories, VAPT must be conducted at least once per year, commencing in the first quarter of the financial year.
Regulated Entity must submit the VAPT report within one month of completion after approval from the IT Committee. Findings must be closed within three months of report submission, with revalidation completed within five months of VAPT completion. A graded approach based on vulnerability criticality should be followed for closure.
Regulated Entity must engage only CERT-In empanelled IS auditing organizations for conducting VAPT. For Regulated Entity's VAPT reporting, the CERT-In empanelled auditor should submit findings to the appropriate authority (SEBI, Stock Exchanges, or Depositories) depending on Regulated Entity's regulatory category.
While VAPT focuses specifically on identifying vulnerabilities and testing penetration capabilities, Cyber Audit is broader and verifies Regulated Entity's compliance with the entire CSCRF framework. Cyber audit covers 100% of critical systems and 25% of non-critical systems chosen on a sample basis.
Regulated Entity can engage a CERT-In empanelled IS auditing organization for a maximum period of three consecutive years. Subsequently, that organization will only be eligible to audit Regulated Entity again after a cooling-off period of two years.
Regulated Entity must submit a declaration from the Managing Director/CEO along with the cyber audit report. For MIIs and Qualified REs, evidence of ISO 27001 certification must also be submitted with the cyber audit report.
It depends on Regulated Entity's classification. If Regulated Entity is categorized as an MII or Qualified RE, ISO 27001 certification is mandatory. For other categories (Mid-size, Small-size, and Self-certification REs), ISO certification is optional but recommended.
If required, Regulated Entity must obtain ISO 27001 certification within one year of CSCRF issuance. The evidence of certification must be submitted along with the cyber audit report to the appropriate regulatory authority.
The scope for ISO 27001 certification must include, but is not limited to, the Primary Data Center (PDC) site, Disaster Recovery (DR) site, Near Disaster Recovery (NDR) site, Security Operations Center (SOC), and Colocation facility if applicable to Regulated Entity.
The Market SOC implementation deadline is January 1, 2025. Regulated Entity should prepare for integration with this timeline in mind.
If Regulated Entity is an MII or Qualified RE, SOC efficacy must be reviewed and reported half-yearly. For other REs utilizing third-party managed SOC or Market SOC services, annual reporting is required.
Yes, Regulated Entity can utilize third-party managed SOC or Market SOC services. If doing so, Regulated Entity must still report on the functional efficacy of the SOC annually to demonstrate proper security monitoring.
If Regulated Entity falls into the MII, Qualified RE, or Mid-size RE categories, it must constitute an IT Committee. For Small-size REs and Self-certification REs, forming an IT Committee is not mandatory but is considered desirable.
Regulated Entity's IT Committee must include at least one external independent expert on cybersecurity matters. This requirement applies to all categories that must form an IT Committee (MIIs, Qualified REs, and Mid-size REs).
If Regulated Entity is a Small-size RE or Self-certification RE and does not have an IT Committee, compliance with CSCRF shall instead be reviewed and approved by the MD/CEO/Board member/Partners/Proprietor.
Non-compliance with CSCRF requirements may result in regulatory actions, potential suspension of services, operational risks, and reputational damage to Regulated Entity. SEBI has the authority to take appropriate enforcement actions for non-compliance.
Regulated Entity should create a comprehensive reporting calendar, set internal deadlines earlier than regulatory deadlines, implement automated reminders, maintain readily available documentation, and conduct regular status checks on report preparation and submission.
Yes, SEBI has extended the compliance timeline for all REs (except MIIs, KRAs, and QRTAs) until June 30, 2025. This gives Regulated Entity additional time to implement the necessary controls if it falls into an eligible category.
Acronis End Point Protection can help Regulated Entity meet several CSCRF requirements related to endpoint security, data protection, anti-malware capabilities, and security training. This comprehensive security solution addresses many of the mandatory controls required under the Protection (PR) domain of the framework.
Cloudflare Access ZTNA helps Regulated Entity implement Zero Trust Network Access, which aligns with CSCRF requirements for user access controls, secure remote access, and network security. This solution can help satisfy several mandatory controls under the Access Authorization (PR.AA) standards of the framework.
Ofofo.ai, as an agentic AI company specializing in CSCRF compliance, can help Regulated Entity streamline compliance through automated assessment tools, compliance tracking dashboards, and integration with security tools like Acronis and Cloudflare. Ofofo.ai's platform can help Regulated Entity manage the complex periodicities and reporting requirements more efficiently.
Meeting SEBI's reporting periodicities is crucial for maintaining compliance and demonstrating commitment to cybersecurity. By understanding and planning for these reporting requirements, regulated entities can ensure timely submission of all required reports and assessments.
Remember that these reporting requirements are not static and may be updated by SEBI from time to time. It's essential to stay informed about any changes to the reporting periodicities.