SEBI issues detailed FAQs on Cybersecurity & Cloud Adoption Framework clarifying governance, audits, data sovereignty and scope applicability for regulated entities

SEBI issues detailed FAQs on Cybersecurity & Cloud Adoption Framework clarifying governance, audits, data sovereignty and scope applicability for regulated entities

by | Jul 1, 2025 | Central, CORP | 0 comments

SEBI issues detailed FAQs on Cybersecurity & Cloud Adoption Framework clarifying governance, audits, data sovereignty and scope applicability for regulated entities

The Securities and Exchange Board of India (“SEBI”) has released an extensive set of Frequently Asked Questions (“FAQs”) to clarify various aspects of the Cybersecurity and Cyber Resilience Framework and the Framework for Adoption of Cloud Services by SEBI Regulated Entities (“REs”). These FAQs provide authoritative guidance on practical implementation issues raised by stakeholders across the industry.

Key clarifications:

1. Scope of Applicability & Classification of REs:

  • Categorization of REs shall be based on previous financial year data and remain unchanged throughout the year.
  • For REs with multiple registrations (e.g. bank, broker, mutual fund), the highest compliance category will apply.
  • Banks with SEBI registration need to comply only for the infrastructure relevant to RE-related activities.

2. Cybersecurity Governance and Role of CISO:

  • Group-level CISOs may be appointed across multiple small or mid-sized REs.
  • Remote CISOs can be appointed, but cannot serve multiple REs simultaneously.
  • Reporting to MD/CEO or equivalent (e.g. ED in banks) deemed compliant.

3. Audit and VAPT Requirements:

  • Half-yearly VAPT and cyber audit for Qualified Stock Brokers (QSBs) mandated.
  • Timelines for patch deployment (within 1 week for high severity) and vulnerability closure (within 3 months) clarified.
  • Common audit reports may be used for shared services across affiliate entities if certain conditions are met.

4. Cloud Services & Data Sovereignty:

  • Data encryption keys must remain within Indian jurisdiction. Routing through foreign servers may breach data localization requirements.
  • REs are accountable for ensuring subcontractors of Cloud Service Providers (CSPs) also comply with STQC/MeitY norms.
  • Cloud workloads permitted, but REs must document risk analysis and ensure contractual safeguards for audit access, forensic evidence, and data control.

5. Cyber Capability Index (CCI) & Security Operations Centre (SOC):

  • Mandatory automated dashboards and tools for MIIs and Qualified REs to support compliance submissions.
  • REs may leverage group/global SOCs if efficacy is proven, subject to periodic reporting requirements.
  • Small-size REs may opt to onboard with Market-SOC set up by NSE/BSE.

6. Software Bill of Materials (SBOM):

  • SBOMs are required for all critical applications (in-house and third-party).
  • Where SBOMs can’t be obtained for legacy software, Board-approved mitigation measures are necessary.

7. Cybersecurity Incident Handling:

  • For high/critical incidents, forensic audits are mandatory; for low/medium, only when RCA is inconclusive or directed by SEBI.
  • Use of in-house forensic teams is not permitted unless they are third-party or empanelled.

The FAQ is linked below, for your ease of reference.

Source: Securities and Exchange Board of India

Share this:

Related Posts:

Submit a Comment

Your email address will not be published. Required fields are marked *

Sign up for our

Newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

Lexplosion will use the information you provide on this form to be in touch with you and to provide updates and marketing.