New Delhi: Market regulator Securities and Exchange Board of India has sought updates from banks on the implementation of the Cybersecurity and Cyber Resilience Framework (CSCRF).
Banks have been asked to share details on the number of CSCRF controls or standards they have adopted and to flag any ongoing challenges in ensuring full and timely implementation, said executives aware of the developments.
"We will be submitting the information by the end of this month. The regulator wants to ascertain the challenges and take appropriate action before full implementation becomes mandatory," said a bank executive, requesting anonymity.
As mandated by Sebi, the framework addresses evolving cyberthreats, requiring banks to submit audit reports. It also introduced a Cyber Capability Index (CCI) to rate and report cybersecurity readiness.
"Banker to an issue (BTI) and self-certified syndicate banks shall submit a certificate of compliance with CSCRF to Sebi on the cybersecurity guidelines issued by RBI (Reserve Bank of India). Wherever the bank is a listed entity, the above-mentioned certificate of compliance shall also be intimated to stock exchanges," Sebi stated in a circular in August 2024, when it announced the framework.
While it initially asked banks to comply by January 1, 2025, the deadline has since been extended twice, first to April 1, 2025 and then to June 30.
Self-certified syndicate banks are banks certified by Sebi to offer the Application Supported by Blocked Amount facility to their customers. Under this facility, when an investor applies for initial public offerings or other stock issues, the application money remains in the investor's bank account until finalisation of the share allotment. BTI refers to banks registered under Sebi regulations to manage issue-related tasks like accepting application and allotment money, processing refunds and handling dividend or interest payments.
"The regulator has made it clear that there will be no further extension and wants feedback from all stakeholders so that the implementation is not delayed any further," said another official, adding that Sebi has extended protection from any regulatory action provided the regulated entities are able to demonstrate meaningful steps taken or progress made in the implementation of CSCRF.
In its March 28 circular setting the new deadline of June 30, Sebi said it received multiple requests for extending the deadline to ensure ease of compliance for banks.
"Therefore, it has been decided to extend the compliance timelines by three months, till June 2025, to all REs, except market infrastructure institutions, KYC registration agencies, and qualified registrars to an issue and share transfer agents," it said in its circular.
Earlier banks through the Department of Financial Services in the finance ministry had made a representation to extend the implementation deadline till June, stating that there were some areas where a gap analysis study needed to be done to ascertain the measures that were required for the implementation.
CSCRF contains provisions with respect to various areas such as requirements of IT services, software-as-a-service (SaaS) solutions, hosted services, classification of data, audits for software solutions and applications and products used by regulated entities.
In a December 31, 2024 circular, Sebi stated that based on the feedback received on the provisions of data localisation, a need was felt for further consultations. "Accordingly, the guidelines and provisions with regard to data localisation have been kept in abeyance until further notification," it said.
Banks have been asked to share details on the number of CSCRF controls or standards they have adopted and to flag any ongoing challenges in ensuring full and timely implementation, said executives aware of the developments.
"We will be submitting the information by the end of this month. The regulator wants to ascertain the challenges and take appropriate action before full implementation becomes mandatory," said a bank executive, requesting anonymity.
As mandated by Sebi, the framework addresses evolving cyberthreats, requiring banks to submit audit reports. It also introduced a Cyber Capability Index (CCI) to rate and report cybersecurity readiness.
"Banker to an issue (BTI) and self-certified syndicate banks shall submit a certificate of compliance with CSCRF to Sebi on the cybersecurity guidelines issued by RBI (Reserve Bank of India). Wherever the bank is a listed entity, the above-mentioned certificate of compliance shall also be intimated to stock exchanges," Sebi stated in a circular in August 2024, when it announced the framework.
While it initially asked banks to comply by January 1, 2025, the deadline has since been extended twice, first to April 1, 2025 and then to June 30.
Self-certified syndicate banks are banks certified by Sebi to offer the Application Supported by Blocked Amount facility to their customers. Under this facility, when an investor applies for initial public offerings or other stock issues, the application money remains in the investor's bank account until finalisation of the share allotment. BTI refers to banks registered under Sebi regulations to manage issue-related tasks like accepting application and allotment money, processing refunds and handling dividend or interest payments.
"The regulator has made it clear that there will be no further extension and wants feedback from all stakeholders so that the implementation is not delayed any further," said another official, adding that Sebi has extended protection from any regulatory action provided the regulated entities are able to demonstrate meaningful steps taken or progress made in the implementation of CSCRF.
In its March 28 circular setting the new deadline of June 30, Sebi said it received multiple requests for extending the deadline to ensure ease of compliance for banks.
"Therefore, it has been decided to extend the compliance timelines by three months, till June 2025, to all REs, except market infrastructure institutions, KYC registration agencies, and qualified registrars to an issue and share transfer agents," it said in its circular.
Earlier banks through the Department of Financial Services in the finance ministry had made a representation to extend the implementation deadline till June, stating that there were some areas where a gap analysis study needed to be done to ascertain the measures that were required for the implementation.
CSCRF contains provisions with respect to various areas such as requirements of IT services, software-as-a-service (SaaS) solutions, hosted services, classification of data, audits for software solutions and applications and products used by regulated entities.
In a December 31, 2024 circular, Sebi stated that based on the feedback received on the provisions of data localisation, a need was felt for further consultations. "Accordingly, the guidelines and provisions with regard to data localisation have been kept in abeyance until further notification," it said.
You may also like
'Left no stone unturned in spreading rumours': Mallikarjun Kharge slams Centre over Waqf Act, National Herald case
Aaron Ramsey handed first management job as ex-Arsenal star bids to save club
Our Yorkshire Farm's Clive Owen addresses 'hard time' at Ravenseat as he looks to the future
Tiger panic in MP village ends with surprise return of missing man
'Relief camps turned into detention camps': Suvendu Adhikari accuses West Bengal Govt
