On June 28, 2025, the Securities and Exchange Board of India (SEBI) announced a two-month extension for its Cybersecurity and Cyber Resilience Framework (CSCRF) compliance. The new deadline for most SEBI-regulated entities (REs) is now August 31, 2025, giving organizations more time to align with the framework’s robust cybersecurity mandates.
“Therefore, it has been decided to extend the compliance timelines by two months, i.e., till August 31, 2025, to all REs, except Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs),” SEBI noted in its official circular.
This marks the second extension granted by the regulator—underscoring SEBI’s recognition of the genuine operational challenges faced by mutual funds, brokers, portfolio managers, custodians, AIFs, and research analysts in achieving cybersecurity readiness.
Why Did SEBI Grant an Extension?
SEBI extended the deadline not to dilute the urgency of cybersecurity, but to ensure that companies implement strong, effective, and sustainable defenses, rather than rushing to meet a deadline.
The key challenges raised by REs include:
- Shortage of trained cybersecurity personnel
- Limited budgets and cybersecurity investments
- Legacy or outdated IT infrastructure
- Difficulty aligning with global standards (ISO 27001, NIST, etc.)
This extension provides companies with an opportunity to build cybersecurity from the ground up, rather than checking boxes superficially.
Important: The extended timeline does not apply to MIIs, KRAs, and QRTAs. These systemically important institutions must still comply by June 30, 2025.
What Does SEBI’s CSCRF Require?
SEBI’s Cybersecurity and Cyber Resilience Framework outlines a five-step approach:
- Anticipate: Ongoing risk identification, threat intelligence, and proactive defense
- Withstand: Implementation of strong preventive controls (MFA, firewalls, encryption)
- Contain: Mechanisms to isolate, detect, and stop ongoing attacks
- Recover: Clear backup and disaster recovery protocols
- Evolve: Continuous improvement through regular testing, updates, and employee training
This framework demands comprehensive documentation, incident response planning, technical controls, and cybersecurity awareness—not just tools, but a strategic, people-process-technology approach.
How Should Companies Use This Extra Time?
SEBI has given the industry an important chance, but time is limited. Here’s how your organization can take advantage of the extension:
- Conduct a Gap Assessment: Identify weaknesses in your current cybersecurity posture, from access controls to third-party risks.
- Strengthen Technical Defenses: Implement updated firewalls, endpoint security, anti-malware, MFA, and secure configurations.
- Train Employees: Equip staff to recognize social engineering attacks, phishing emails, and unsafe behavior.
- Build Incident Response Plans: Prepare a documented plan for how your team will respond to and recover from attacks.
- Align with Industry Standards: Use global standards such as ISO 27001, NIST Cybersecurity Framework, and SOC 2 for structured implementation.
What Threatsys Can Do for SEBI-Regulated Entities
At Threatsys, we specialize in helping financial institutions, intermediaries, and regulated entities meet SEBI’s CSCRF requirements—from the technical to the strategic.
We offer a complete compliance and protection package, including:
- Vulnerability Assessment & Penetration Testing (VAPT): We identify and exploit potential vulnerabilities across web applications, APIs, networks, and endpoints—simulating real-world attacks to uncover weak spots before attackers do. Our reports include clear remediation steps to help you fix the gaps quickly.
- Security Operations Center (SOC) as a Service: Our fully managed 24/7 SOC monitors your systems around the clock using advanced threat detection, log correlation, and SIEM tools. We deliver real-time alerts, incident analysis, and expert guidance to mitigate risks as they happen, minimizing downtime and damage.
- Red Team Assessments: We perform simulated, targeted cyberattacks on your infrastructure to assess the strength of your security posture. This includes testing your ability to detect, respond, and recover, going beyond compliance to measure true resilience.
- SEBI CSCRF Audits: We conduct end-to-end cybersecurity audits tailored for SEBI-regulated entities. From readiness assessment to final compliance reporting, we ensure your submission meets the expectations of stock exchanges like BSE, NSE, and MCX.
- Comprehensive Documentation Support: Our team develops all essential documentation needed for compliance and audits, including:
-
Cybersecurity policies and SOPs
-
Incident response and recovery plans
-
Network/system architecture diagrams
-
Risk assessments and audit-ready reports
-
All content is tailored to your organization and regulatory requirements.
ISO 27001 Implementation & Certification Support
We guide your organization through the full ISO 27001 journey—from initial gap analysis and control implementation to internal audits and certification prep. We align your processes with international standards to build long-term trust and resilience.
Not Yet Compliant? Don’t Wait.
If your organization has not yet started—or is behind on SEBI CSCRF compliance—Threatsys can help you fast-track your journey.
Our expert consultants will:
- Evaluate your current readiness
- Prioritize key actions
- Implement both technical and policy-based controls
- Ensure you’re audit-ready before August 31, 2025
Conclusion :
Cybersecurity is no longer optional—it’s a regulatory and reputational imperative.SEBI’s CSCRF is not about just meeting compliance—it’s about protecting India’s financial infrastructure from evolving cyber threats. The extension to August 31, 2025, is an opportunity, not a reason to delay.
At Threatsys, we don’t just help you check boxes. We help you build resilience.
“SEBI Cybersecurity Made Easy with Threatsys“
