SEBI CSCRF: Complete Compliance Guide for Regulated Entities (2025)
SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) is now mandatory for all market infrastructure institutions and regulated entities. Here is everything you need to know to achieve compliance in 2025.
What Is SEBI CSCRF?
The Securities and Exchange Board of India (SEBI) introduced the Cyber Security and Cyber Resilience Framework (CSCRF) to establish a baseline for cybersecurity governance across the Indian capital markets ecosystem. Originally issued as a circular, it has evolved significantly over the years — and the 2024–2025 revision represents the most comprehensive and prescriptive version to date.
CSCRF is not optional. All entities regulated by SEBI — from stock exchanges to brokers, depositories, mutual funds, portfolio managers, and investment advisers — must comply with its requirements. Non-compliance can attract regulatory action, penalties, or operational restrictions.
Who Does SEBI CSCRF Apply To?
SEBI has segmented regulated entities (REs) into three tiers based on their systemic importance and operational scale:
Market Infrastructure Institutions (MIIs)
This tier includes stock exchanges (NSE, BSE), depositories (NSDL, CDSL), and clearing corporations (NSCCL, ICCL). MIIs face the most stringent requirements because disruption to their systems would have an outsized impact on the entire market ecosystem. They are required to maintain the highest levels of cyber resilience, including fully staffed Security Operations Centres (SOCs), comprehensive Business Continuity Plans (BCPs), and real-time threat intelligence sharing.
Qualified Regulated Entities (Qualified REs)
These are larger entities such as stock brokers with significant client bases (typically above a defined threshold of active clients), custodians, asset management companies, and other entities that handle substantial volumes of sensitive financial and personal data. Qualified REs are required to implement most of CSCRF's technical controls, though with some concessions on timing and self-certification pathways.
Mid and Small Regulated Entities
Smaller brokers, investment advisers, research analysts, and similar entities fall into this category. SEBI has provided a more proportionate approach for these entities — they are still required to comply, but the framework offers simplified checklists and extended timelines. The intent is to ensure cybersecurity is embedded across the industry without creating an undue burden on smaller participants.
Key Requirements Under SEBI CSCRF
CSCRF is structured around five domains, broadly aligned with the NIST Cybersecurity Framework. Each domain contains specific controls and sub-controls that entities must implement and evidence.
1. Governance
Every regulated entity must designate a Chief Information Security Officer (CISO) who reports to the Board or a senior committee. The CISO is responsible for the organisation's cybersecurity posture and must present periodic reports to the Board. Entities are also required to maintain a formal cybersecurity policy, reviewed and approved at the Board level at least annually. Smaller entities that cannot appoint a full-time CISO may be permitted to designate a responsible officer, but the accountability must rest at the senior management level.
2. Identify
Entities must maintain a comprehensive asset inventory — covering hardware, software, network devices, data stores, and cloud services. Risk assessments must be conducted periodically to identify threats, vulnerabilities, and the potential business impact of cyber incidents. For MIIs and Qualified REs, the risk assessment cycle is typically annual, with event-driven assessments triggered by significant infrastructure changes or incidents.
3. Protect
The Protect domain covers the majority of technical security controls. Key requirements include:
- Network segmentation and perimeter controls (firewalls, IDS/IPS)
- Endpoint protection across all devices accessing market-related systems
- Multi-factor authentication (MFA) for privileged access and remote access
- Encryption of data in transit and at rest for sensitive financial and client data
- Patch management and vulnerability management programmes with defined SLAs
- Secure software development lifecycle (SSDLC) practices for internally developed applications
- Third-party and vendor risk management — entities must assess and monitor the cybersecurity posture of critical technology vendors
4. Detect
SEBI CSCRF requires entities to have real-time or near-real-time detection capabilities. This typically means deploying a Security Information and Event Management (SIEM) system, or subscribing to a managed SOC service. All critical logs — including authentication events, administrative actions, and network flows — must be collected, retained for a minimum defined period (usually two years for MIIs and Qualified REs), and monitored for anomalous activity. Entities are also expected to participate in threat intelligence sharing through SEBI-designated platforms.
5. Respond and Recover
An Incident Response Plan (IRP) is mandatory. The IRP must define roles and responsibilities, escalation paths, communication protocols (including regulatory notification timelines), and recovery procedures. SEBI requires that cyber incidents above a certain severity threshold be reported to SEBI and to CERT-In within prescribed timelines — typically within six hours of detection for critical incidents. Post-incident reviews must be documented and remediation actions tracked.
Penetration Testing and Vulnerability Assessment Requirements
CSCRF mandates periodic vulnerability assessments and penetration testing (VAPT) for all regulated entities. For MIIs and Qualified REs, application-level penetration testing and infrastructure VAPT must be conducted at least annually by a CERT-In empanelled information security auditor. For mid and small REs, SEBI has provided more flexible pathways, though testing is still required. The scope of VAPT must cover all internet-facing systems and critical internal systems, and the findings must be tracked through to closure with documented remediation plans.
SOC Requirements
Market Infrastructure Institutions are required to operate a dedicated Security Operations Centre — either in-house or through a managed service provider (MSSP). Qualified REs may use a shared or managed SOC. The SOC must monitor critical systems 24x7, maintain playbooks for common attack scenarios, and have defined escalation procedures. SOC analysts must be certified in relevant disciplines (e.g., CEH, CISSP, or equivalent). For smaller entities, subscription to a managed SOC service from a reputable MSSP is an acceptable alternative to building an in-house function.
CSCRF Compliance Timelines (2025)
SEBI has issued revised timelines for compliance with the updated CSCRF requirements. While specific deadlines are communicated through SEBI circulars (and entities should always check the latest circulars directly), the general trajectory as of early 2025 is:
- MIIs: Required to be fully compliant with all controls, including advanced SOC capabilities, threat intelligence integration, and Board-level reporting mechanisms.
- Qualified REs: Required to submit self-certification of compliance for core controls and to engage CERT-In empanelled auditors for VAPT and gap assessments.
- Mid and Small REs: A phased approach is available. Priority controls — governance, asset inventory, incident response, and basic access controls — must be implemented first, with more advanced technical controls to follow within defined windows.
How to Achieve SEBI CSCRF Compliance: A Practical Roadmap
Achieving CSCRF compliance is a structured process. Here is a practical roadmap for regulated entities approaching compliance for the first time or preparing for a SEBI audit:
Step 1: Conduct a Gap Assessment
Begin with an honest assessment of your current state against each CSCRF control. Engage a qualified cybersecurity firm or CERT-In empanelled auditor to conduct a structured gap analysis. The output should be a prioritised list of gaps with a risk-based remediation plan.
Step 2: Appoint a CISO and Establish Governance
If you do not already have a designated CISO or equivalent responsible officer, appoint one. Ensure that a cybersecurity policy is in place and has been approved by the Board. Document the governance structure clearly.
Step 3: Build or Subscribe to Detection Capabilities
For most mid-sized regulated entities, building a full in-house SOC is not practical. Engaging a managed SOC provider or a managed SIEM service is the pragmatic route. Ensure that your provider can meet CSCRF's logging and monitoring requirements and can provide the evidence needed for regulatory reporting.
Step 4: Conduct VAPT and Close Findings
Commission a VAPT through a CERT-In empanelled auditor. Use the findings to drive remediation. Track all findings in a risk register and close them within the defined SLAs. Retain the VAPT reports as evidence of compliance.
Step 5: Implement and Test the Incident Response Plan
Document your IRP, ensure it covers SEBI's notification requirements, and conduct tabletop exercises to validate it. Update the plan after each exercise or incident.
Step 6: Submit Self-Certification and Audit Reports
SEBI requires regulated entities to submit periodic compliance reports. Ensure that your self-certification is accurate and supported by evidence. For Qualified REs, the external audit report from a CERT-In empanelled auditor must accompany the submission.
Consequences of Non-Compliance
SEBI takes cybersecurity compliance seriously. Entities that fail to comply with CSCRF requirements risk regulatory censure, financial penalties, and — in severe cases — operational restrictions. More practically, inadequate cybersecurity controls increase the likelihood of a breach, which can result in significant financial losses, reputational damage, and civil liability to affected clients.
How InfraDefend Can Help
InfraDefend specialises in helping SEBI-regulated entities navigate CSCRF compliance. Our services include gap assessments, managed SOC, VAPT (conducted by CERT-In empanelled professionals), incident response planning, and ongoing compliance monitoring. We understand the specific requirements of the capital markets ecosystem and can tailor our services to your entity's tier and risk profile. Contact us to discuss your CSCRF compliance roadmap.