ARTICLE
30 June 2025

Catching The CSCRF Wave- A Compliance Imperative For Merchant Bankers

Agama Law Associates

Contributor

ALA is a boutique commercial law practice offering end-to-end corporate-commercial legal solutions to Indian and foreign businesses. We offer a wide range of services tailored across sectors for private clients, startups and mature businesses. We have a cost-effective technology based model supported by a large network of associates. Commercial transactions and advisory is our forte, which includes contract management and standardization. Our disputes profile is advising and strategizing from a pre-dispute stage, and managing and driving the litigation across all courts and tribunals including the High Court, the NCLT and SAT

Introduction

As key players in the Indian capital markets, Merchant Bankers perform essential functions like issue management, underwriting, portfolio management and loan syndication. Their work as intermediaries gives them privileged access to immensely valuable and sensitive information of varied entities, including personal and financial data, and with that access comes an immense responsibility to protect it. The financial services and capital markets sector faces an evolving and complex threat landscape. The volatile nature of cyber threats, coupled with ongoing digital transformation and the increasing integration of Artificial Intelligence (AI), highlights the critical need for advanced cybersecurity measures. Considering these developments, the BFSI sector recognized the imperative to implement sophisticated defence mechanisms to safeguard against persistent attempts by perpetrators to compromise systems, networks and sensitive information worldwide. Pursuant to this, measures were implemented by the various regulatory authorities acting as watchdogs for their respective sectors. The Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India (IRDAI) and the Pension Fund Regulatory and Development Authority of India (PFRDA) were among the first regulators to issue sector-specific cybersecurity regulations and guidelines.

The Securities and Exchange Board of India (SEBI) soon followed the other regulators and introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) ('SEBI CSCRF') for the entities regulated under its domain, with the intention of strengthening cybersecurity in the capital and securities market while ensuring adequate resilience against cyber attacks. With the onset of its implementation, Merchant Bankers face numerous obligations and responsibilities that lie outside their traditional market roles.

SEBI CSCRF Regulations

Through a circular dated August 20, 2024, SEBI introduced the CSCRF with the aim of enhancing both cybersecurity and cyber resilience across the securities market. The framework is built around five cyber resilience goals: (i) anticipate, (ii) withstand, (iii) contain, (iv) recover and (v) evolve. The cybersecurity approach under the framework spans governance and operational controls across the identify, protect, detect, respond and recover functions, each of which Regulated Entities (REs) implement through prescribed cybersecurity controls. The regulated entities governed by the framework include Alternative Investment Funds (AIFs), Bankers to an Issue (BTIs), Clearing Corporations, Collective Investment Schemes (CIS), Depositories, Debenture Trustees, etc., including Merchant Bankers.

Need of the CSCRF regulations

SEBI plays an integral role in ensuring investor protection, and the need for the CSCRF arose in furtherance of that objective. With rising dependence on digital systems, the need for data security and its effective management has grown. The CSCRF provides a standardized and comprehensive framework to enhance cyber resilience, protect sensitive investor data and maintain market integrity. By mandating robust security measures and clear incident response protocols, it aims to ensure that India's financial ecosystem can anticipate, withstand and recover from evolving cyberattacks, thereby safeguarding economic stability. By standardizing security measures and enforcing compliance across all REs, the framework ensures a unified approach to cyber protection, so that every investor's data is safeguarded with consistent, state-of-the-art technology that adapts to market changes and maintains investor confidence in a complex digital landscape. The CSCRF also provides for supply chain risk management, since an RE's third-party providers form part of its attack surface.

Merchant Bankers- Facilitators of Capital formation

Regulation 2(1)(cb) of the SEBI (Merchant Bankers) Regulations, 1992 defines a merchant banker as any person engaged in the business of issue management, either by making arrangements regarding the selling, buying or subscribing to securities or by acting as manager, consultant or adviser, or rendering corporate advisory services, in relation to such issue management. Merchant bankers primarily assist businesses in raising capital through means such as IPOs, FPOs and debt placements.

Given the massive volumes of sensitive personal and financial data that merchant bankers handle, compliance with the CSCRF becomes essential. Compliance protects such data and mitigates systemic risk by preventing cascading cyber incidents across the market, thereby bolstering overall market integrity and investor confidence. Which standards and guidelines of the CSCRF apply to an RE depends on the category into which it falls, determined by its span of operations and thresholds such as number of clients, trade volume and assets under management. Merchant Bankers are categorized under the framework as follows:

S.No.  Categorization of Merchant Bankers                                                    Category under CSCRF
1.     Merchant Bankers involved in issue management activities, including Public Issues   Mid-size REs
       (IPOs, FPOs, SME IPOs), Public Offers by REITs/InvITs, Buy-Backs, Delisting of
       Equity Shares, and Open Offers under SEBI (Substantial Acquisition of Shares and
       Takeovers) Regulations, 2011
2.     All other Merchant Bankers                                                          Small-size REs


Merchant Bankers are assigned to one of the above categories at the beginning of each financial year. The categorization relies on the previous financial year's data and, once determined, does not change during that financial year.

CSCRF's implication on Merchant Bankers

Under the CSCRF, the responsibilities of a merchant banker extend beyond the traditional roles it is accustomed to performing. Specifically, merchant bankers are now tasked with setting up appropriate systems and procedures, verifying compliance through cyber audits and subsequently submitting compliance reports within the timelines stipulated under the framework.

Establishment of a Security Operations Centre (SOC)

Merchant bankers have several options for establishing a SOC to safeguard their critical systems and sensitive data: a dedicated in-house SOC, a group SOC or a third-party SOC provider. Regardless of the model chosen, the primary function of the SOC is 24x7x365 proactive monitoring, prevention, detection and response to cyber threats. While mid-size merchant bankers may choose any of these models, small-size merchant bankers must onboard to the Market SOCs (M-SOCs) set up by BSE and NSE under the CSCRF. The functional efficacy of the SOC is to be measured and tested against the objectives and standards prescribed under guideline 4 of the CSCRF.

Formation of IT committee

Since IT and technology-related subject matter lies outside the standard roles and responsibilities of a Merchant Banker and other REs operating in the securities market, SEBI has, through the CSCRF, mandated the formation of an IT committee. Only merchant bankers falling under the mid-size category are required to constitute an IT committee under the framework.

  • Mid-size merchant bankers: The CSCRF states that the IT committee is to be formed on the same basis as for Market Infrastructure Institutions (MIIs), Mutual Funds (MFs) and Asset Management Companies (AMCs) under previously issued circulars, which provide for the composition of the Standing Committee on Technology (SCOT) and the Technology Committee.

In referring to the above circulars, it is pertinent to note that, as per the circular dated June 25, 2024, the SCOT may include the Managing Director (MD), Non-Independent Directors (NIDs) other than the Executive Director, and at least two Independent External Professionals (IEPs) proficient in technology, at least one of whom should be an expert and practitioner in cyber security. The Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) should be invitees to the committee's meetings, and the committee is to be chaired by a Public Interest Director (PID) with technology expertise. The Technology Committee for MFs and AMCs was addressed in the circular dated April 11, 2019; it comprises experts proficient in technology, including at least one independent external expert with adequate experience in technology in the MF industry or BFSI.

For compliance purposes the CSCRF treats these committees as the IT Committee, with the addition of one external independent expert on cybersecurity.

  • Small-size merchant bankers: Unlike mid-size merchant bankers and REs in the other CSCRF categories, small-size REs, including merchant bankers in this category, are not required to set up such a committee, although it is desirable that they include an IT expert in decision-making.

The IT Committee plays a crucial role in overseeing the CSCRF's implementation, reviewing cybersecurity incidents and their impact, and strategizing future resilience to prevent re-occurrences. For smaller REs, these responsibilities fall to the MD, CEO, Partners, or Board Members.

Cyber Audits

A cyber audit is conducted to verify compliance with the CSCRF and must cover 100% of critical systems and 25% of non-critical systems, the latter chosen on a sample basis. Only CERT-In empanelled IS auditing organizations are authorized to conduct these audits. Merchant bankers must ensure an audit is performed at least once a year, without skipping any cycle on account of a change in category, and submit the reports to SEBI.

The timelines for the audits are:

  1. Cyber audit report submission: the final cyber audit report shall be submitted, after approval by the RE's IT Committee, within one month of completion of the cyber audit.
  2. Closure of findings identified during the cyber audit: the closure of findings shall be filed within three months of submitting the audit report, following a graded approach based on the criticality of the observations.
  3. Follow-on audit: the follow-on audit shall be completed within five months of completion of the cyber audit.

The compliances under CSCRF

The CSCRF is structured in three parts: Part I outlines the objectives and standards for proactively enhancing the security of REs (including merchant bankers) against cyber incidents; Part II provides implementation guidelines for these mandatory standards; and Part III sets out the structured formats for compliance. The CSCRF lays down extensive, mandatory guidelines for mid-size and small-size merchant bankers, with monthly, half-yearly and annual compliance requirements. These guidelines require all merchant bankers to understand, manage and adhere to the applicable cybersecurity and data protection mandates, including government guidelines, policies, laws, circulars and regulations issued by SEBI and the Government of India, and specifically the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act) and any future relevant laws or rules.

Some of the compliance requirements and to-dos under the CSCRF are as follows:

  1. Merchant bankers must create, share and enforce an organizational cybersecurity policy, reviewed annually. The policy should align with the organization's context and cybersecurity strategy, and any deviation from the CSCRF must be explained within the policy itself.
  2. The RE shall appoint a Designated Officer who shall assess, identify and reduce cybersecurity risks, respond to incidents, establish apt standards and controls and direct the establishment and implementation of CSCRF. The
  3. An up-to-date Cyber Crisis Management Plan (CCMP) must be formulated which shall be in line with national CCMP of CERT-In.
  4. Vulnerability Assessment and Penetration Testing (VAPT) shall be done to detect vulnerabilities in the IT environment for all critical systems, infrastructure components and other IT systems.
  5. Merchant bankers shall report cybersecurity incidents in a timely manner through the SEBI incident reporting portal and shall also establish a comprehensive incident response management plan along with the corresponding SOPs.
  6. Merchant bankers utilizing third-party SOC facilities or the Market SOC shall obtain the SOC efficacy report from the respective SOC provider on an annual basis. REs utilizing third-party facilities remain solely accountable for all aspects, including the confidentiality, integrity, availability, non-repudiation and security of their data and logs, and for ensuring compliance with the framework.
  7. Cybersecurity audits and VAPT shall be conducted regularly to detect vulnerabilities in the IT environment, not as one-off exercises.
  8. The principles of Least Privilege and Segregation of Duties shall be followed for access to the RE's systems. Access shall be granted only for specific purposes and for a specific duration, using effective authentication mechanisms. A zero trust model is recommended for access to critical systems, where access is allowed only after authentication and authorization.
  9. Periodic reviews must be undertaken of user access rights to critical systems, including privileged access.
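As an added illustration of items 8 and 9 (example code written for this article, not SEBI text or any merchant banker's implementation), the following Python sketch shows what purpose-scoped, time-bound grants, a segregation-of-duties check, an authenticate-then-authorize decision and a periodic access review look like in code. The user names, the system name "issue-mgmt-db", the action names, the ticket references and the sample clock are all constructed assumptions.

```python
"""Added example for items 8 and 9 above (not SEBI text or any RE's code):
purpose-scoped, time-bound access grants, a segregation-of-duties (SoD) check,
an authenticate-then-authorize decision and a periodic access review. All
system names, actions, users and tickets are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical SoD rule: one identity must not both prepare and approve a document.
SOD_CONFLICTS = (frozenset({"prepare_offer_document", "approve_offer_document"}),)
SAMPLE_NOW = datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Grant:
    user: str
    action: str           # a specific purpose, never a blanket "admin" right
    system: str           # constructed name, e.g. "issue-mgmt-db"
    not_before: datetime
    not_after: datetime   # every grant expires: access is time-bound
    privileged: bool = False
    ticket: str = ""      # hypothetical approval/change reference


@dataclass
class AccessStore:
    grants: list = field(default_factory=list)

    def add(self, grant: Grant) -> None:
        """Reject grants that never expire or that complete a SoD pair for one user."""
        if grant.not_after <= grant.not_before:
            raise ValueError("grant must have a positive validity window")
        held = {g.action for g in self.grants
                if g.user == grant.user and g.system == grant.system}
        for pair in SOD_CONFLICTS:
            if grant.action in pair and (pair - {grant.action}) & held:
                raise ValueError(f"SoD conflict: {grant.user} would hold {sorted(pair)}")
        self.grants.append(grant)

    def authorize(self, user: str, action: str, system: str, now: datetime,
                  *, authenticated: bool, mfa: bool) -> bool:
        """Zero-trust style decision: strong authentication is re-checked on every
        request, which must then match an in-force grant for exactly this action
        on exactly this system (no wildcard or inherited rights)."""
        if not (authenticated and mfa):
            return False
        return any((g.user, g.action, g.system) == (user, action, system)
                   and g.not_before <= now < g.not_after for g in self.grants)

    def review(self, now: datetime, stale_after: timedelta = timedelta(days=90)):
        """Periodic review: expired grants to revoke, plus privileged grants in
        force for longer than `stale_after` that need fresh approval."""
        expired = [g for g in self.grants if g.not_after <= now]
        stale = [g for g in self.grants if g.privileged and g.not_after > now
                 and now - g.not_before > stale_after]
        return expired, stale


def build_sample_store(now: datetime = SAMPLE_NOW) -> AccessStore:
    """Constructed sample: an issue team, a long-lived DBA grant, an expired one."""
    store, day, db = AccessStore(), timedelta(days=1), "issue-mgmt-db"
    store.add(Grant("asha", "prepare_offer_document", db, now - day, now + 7 * day, ticket="CHG-0001"))
    store.add(Grant("ravi", "approve_offer_document", db, now - day, now + 7 * day, ticket="CHG-0002"))
    store.add(Grant("dba1", "run_migration", db, now - 120 * day, now + 245 * day,
                    privileged=True, ticket="CHG-0003"))
    store.add(Grant("tmp", "read_logs", db, now - 10 * day, now - day, ticket="CHG-0004"))
    return store


def demo(now: datetime = SAMPLE_NOW) -> dict:
    """Run the checks a reviewer would expect and return the outcomes."""
    store, db = build_sample_store(now), "issue-mgmt-db"
    try:  # asha already prepares documents, so she must not also approve them
        store.add(Grant("asha", "approve_offer_document", db, now, now + timedelta(days=1)))
        sod_rejected = False
    except ValueError:
        sod_rejected = True
    expired, stale = store.review(now)

    def auth(user, action, **kw):
        return store.authorize(user, action, db, now, **kw)

    return {
        "prepare_with_mfa": auth("asha", "prepare_offer_document", authenticated=True, mfa=True),
        "prepare_without_mfa": auth("asha", "prepare_offer_document", authenticated=True, mfa=False),
        "expired_grant_blocked": auth("tmp", "read_logs", authenticated=True, mfa=True),
        "sod_rejected": sod_rejected,
        "expired_users": [g.user for g in expired],
        "stale_privileged_users": [g.user for g in stale],
    }
```

Calling demo() returns the outcomes: a valid grant is honoured only with authentication and MFA, an expired grant is refused even though it is still on file, a grant that would let one user both prepare and approve an offer document is rejected at issuance, and the review lists the expired grant for revocation and the 120-day privileged DBA grant for re-approval. In a real RE the store would be the IAM or PAM system, and the review output would feed the periodic access review record the CSCRF asks for.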

The CSCRF provides an exhaustive list of guidelines with the sole objective of protecting and securing the data of participants in the Indian capital markets.

Reporting of Cybersecurity incident

It is mandatory for merchant bankers that any cyber-attack, cybersecurity incident and/or breach falling under the CERT-In cybersecurity directions be notified to SEBI and CERT-In within 6 hours of noticing or detecting the incident, or of being informed of it. The notification to SEBI is to be sent by e-mail to mkt_incidents@sebi.gov.in within those 6 hours, and the necessary details of the incident must then be reported on the SEBI Incident Reporting Portal within 24 hours. Merchant bankers shall also submit quarterly reports to SEBI detailing cyber-attacks, threats, incidents and breaches, along with mitigation measures and information on bugs/vulnerabilities useful to other REs and SEBI; these are due within 15 days of the end of the quarters ending June, September, December and March.

In Sum

With the CSCRF coming into force on 30 June 2025, merchant bankers are entering uncharted territory, facing both new compliance demands and significant legislative complexity. While the framework aims to strengthen cybersecurity and resilience across India's capital markets, gaps and ambiguities, especially around enforcement and technical complexity, persist. The most immediate and crucial step for the authorities is to spread awareness and provide clear guidance to all regulated entities on the CSCRF's requirements and their implementation. Without broad understanding and education, inconsistent compliance and operational challenges are very likely.

Looking ahead, as digital threats evolve, merchant bankers and other REs must adapt quickly, invest in robust security measures, and foster a culture of proactive compliance. The framework's success will depend on ongoing collaboration, regulatory support, and a shared commitment to building a secure, resilient financial ecosystem.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
