Sebi’s Tech Overhaul: A Move to Simplify Cybersecurity Norms for MIIs

The market regulator is looking to clear the clutter in its rulebook by merging fragmented IT and cybersecurity mandates for India’s critical financial infrastructure.

The regulatory landscape for India’s stock exchanges, clearing corporations, and depositories is set for a significant pruning. Sebi, the market regulator, has unveiled a proposal to consolidate its sprawling IT and cybersecurity norms for Market Infrastructure Institutions (MIIs). For years, compliance officers at these institutions have navigated a maze of overlapping master circulars; the new plan aims to replace this patchwork with a single, unified framework.

Cutting Through the Compliance Clutter

Currently, MIIs must balance disparate instructions across multiple master circulars covering everything from commodity derivatives to core technology standards. By merging these into one comprehensive document, the regulator intends to eliminate the redundancy that has long burdened the sector. The proposed consolidation focuses on critical pillars: cyber resilience, annual system audits, disaster recovery, and capacity planning.

A major goal of this exercise is to remove repeated, fragmented references to the Cyber Security and Cyber Resilience Framework (CSCRF). Because the CSCRF already applies directly to MIIs and intermediaries, Sebi argues that echoing these requirements across various circulars is unnecessary. This shift is not about weakening oversight, but rather sharpening it by removing the "noise" that often accompanies heavy-handed compliance.

Hardening the Infrastructure

The proposals also introduce a more rigid approach to capacity management. Under the new draft, if any IT component hits a 75% utilization threshold, the MII must trigger immediate corrective action. These instances will fall under the scanner of the Standing Committee on Technology (SCOT). Where an institution sees repeated breaches of this capacity ceiling, it will be mandated to initiate specific augmentation plans to ensure the markets don't buckle under high-frequency trading volumes.

Why it Matters

This move reflects a broader shift in how Sebi is managing the "ease of doing business" narrative in the financial markets. By harmonizing requirements across exchanges and depositories, the regulator is acknowledging that the current fragmented structure is not just inefficient—it can be a blind spot for oversight. Consolidating these rules allows for a more standardized audit trail and ensures that when a systemic tech failure occurs, there is no ambiguity about which standards were breached.

Ultimately, this is about modernizing the plumbing of the Indian stock market. As digital footprints grow, the regulator is betting that a streamlined, centralized rulebook will allow MIIs to focus less on administrative paperwork and more on the actual robustness of their systems. If implemented, this shift will provide much-needed clarity for institutional players who have long sought a single source of truth for their technology and security mandates.