SEBI CSCRF Compliance for Stock Brokers, AMCs, Mutual Funds, and Market Infrastructure Institutions

SEBI CSCRF is the Cyber Security and Cyber Resilience Framework issued by SEBI that mandates cybersecurity controls for all SEBI regulated entities. It applies to stock brokers, depository participants, asset management companies, mutual funds, market infrastructure institutions including stock exchanges, depositories, and clearing corporations, as well as registrars, transfer agents, investment advisers, research analysts, portfolio managers, and other SEBI registered intermediaries. The specific obligations vary by entity tier and systemic importance.

Yes, SEBI requires that cyber audits for regulated entities be conducted by CERT-In empanelled auditors. Security Brigade has been CERT-In empanelled since 2008, making us one of the longest-standing empanelled auditors in India. This empanelment is a statutory requirement, and audit reports from non-empanelled firms are not accepted by SEBI for compliance submissions.

Stock brokers and depository participants are required to undergo annual SEBI CSCRF cyber audits. The annual audit cycle requires a comprehensive assessment of all applicable SEBI CSCRF controls including SOC/M-SOC readiness, vulnerability management, DC/DR drills, incident handling, and governance reporting. Additional audits may be triggered by significant system changes or cyber incidents.

Market Infrastructure Institutions face the highest-tier SEBI CSCRF obligations because they are systemically important to capital markets. MIIs must maintain dedicated 24x7 SOC operations, conduct red team assessments, implement breach attack simulation, and demonstrate advanced threat intelligence capabilities. Stock brokers and depository participants have full CSCRF applicability but at a proportionately lower tier. The core controls around vulnerability management, incident handling, and governance reporting apply to both categories.

Yes, AMCs and mutual funds operate under a separate SEBI CSCRF circular that accounts for the distinct technology and operational landscape of the mutual fund industry. AMCs and mutual funds must also comply with AMFI cybersecurity guidelines, which introduce additional expectations around investor data protection, fund transaction security, and distributor ecosystem controls. Security Brigade addresses both SEBI CSCRF and AMFI requirements in a single engagement.

Full SEBI CSCRF compliance typically requires VAPT, attack surface management, SOC or M-SOC assessment, breach attack simulation, DC/DR validation, incident handling readiness, dark web monitoring, governance reporting, and the formal compliance audit. Security Brigade is the only vendor that delivers almost all of these services in-house through a single bundled engagement. Competitors typically need three to four vendors to cover the same scope.

Non-compliance with SEBI CSCRF can result in SEBI enforcement actions including monetary penalties, directions, show-cause notices, restrictions on trading activities or new client onboarding, and in severe cases, suspension or cancellation of SEBI registration. The severity depends on the entity type, the nature of the non-compliance, and whether the entity has a history of cybersecurity violations. Beyond regulatory penalties, non-compliance increases the risk of a cyber incident that damages investor trust and market reputation.

A typical SEBI CSCRF compliance engagement takes six to eight weeks from scoping through final report delivery. This includes entity classification and scope mapping, gap assessment, technical security testing including VAPT and BAS, remediation support with verified closure, and regulator-ready compliance reporting. Timeline may vary based on entity complexity, number of systems in scope, and remediation speed.

Yes, SEBI CSCRF mandates that regulated entities maintain visibility over their internet-facing attack surface and implement continuous monitoring. Security Brigade addresses this through ShadowMap, our proprietary attack surface management platform that provides continuous discovery of exposed assets, leaked credentials, dark web exposure, shadow IT, and third-party risk. ShadowMap also delivers Continuous Automated Red Teaming capabilities required under higher CSCRF tiers.

Yes, Security Brigade delivers SEBI CSCRF compliance for all categories of SEBI regulated entities including investment advisers, research analysts, portfolio managers, registrars and transfer agents, credit rating agencies, and merchant bankers. For smaller entities with lighter-tier obligations, we provide a right-sized engagement covering gap assessment, policy development, VAPT, and audit reporting proportionate to the entity's SEBI CSCRF tier.