SEBI CSCRF Compliance Readiness Checklist
A comprehensive readiness checklist for Market Infrastructure Institutions, stock brokers, depositories, clearing corporations, AMCs, RTAs, KRAs, custodians, and other SEBI-regulated entities preparing for full compliance with the Cybersecurity and Cyber Resilience Framework (CSCRF).
Overview
What is SEBI CSCRF?
Framework Overview
The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) is a comprehensive regulatory framework issued by the Securities and Exchange Board of India (SEBI) to establish baseline cyber security and cyber resilience standards across all regulated entities in the Indian securities market. The framework consolidates and supersedes previous SEBI circulars on cyber security, providing a unified and enhanced set of requirements.
Regulatory Authority & Enforcement
SEBI has the authority to impose penalties, issue directions, and take enforcement action against non-compliant entities under the SEBI Act, 1992 and the Securities Contracts (Regulation) Act, 1956. Non-compliance can result in monetary penalties, suspension of registration, restriction of activities, and reputational damage. SEBI conducts regular inspections and can mandate immediate corrective actions.
Effective Date
The CSCRF framework has been implemented in a phased manner. MIIs and larger entities had earlier compliance deadlines. All regulated entities, including smaller stock brokers and mutual funds, must now be fully compliant.
Who It Applies To
MIIs (stock exchanges, depositories, clearing corporations), stock brokers, depository participants, AMCs, mutual fund distributors, RTAs, KRAs, custodians, credit rating agencies, and other SEBI-registered intermediaries.
Non-Compliance Risk
Monetary penalties that can reach INR 1 crore or more per violation, suspension or cancellation of registration, mandatory corrective actions with timelines, enhanced regulatory scrutiny, and significant reputational harm in the market.
Entity Classification
Requirements by entity category
SEBI CSCRF requirements vary based on entity type and size. Identify your category to understand the specific compliance obligations applicable to your organisation.
| Entity Category | Applicable Entities | VAPT Frequency | SOC Requirement | CISO | Incident Reporting |
|---|---|---|---|---|---|
| Market Infrastructure Institutions (MIIs) | Stock exchanges (BSE, NSE, MSEI), Depositories (CDSL, NSDL), Clearing Corporations (NSCCL, ICCL, MCXCCL) | Quarterly VAPT + Annual Red Team | Mandatory 24x7 SOC | Dedicated CISO (not shared) | Within 6 hours to SEBI + CERT-In |
| Qualified Stock Brokers (QSBs) | Stock brokers meeting QSB criteria as defined by SEBI | Half-yearly VAPT | Mandatory 24x7 SOC | Dedicated CISO | Within 6 hours to SEBI + CERT-In |
| Stock Brokers (AUM > 100 Cr) | Stock brokers and depository participants with AUM exceeding INR 100 crore | Annual VAPT | SOC recommended (in-house or managed) | CISO or equivalent role designated | Within 6 hours to SEBI + CERT-In |
| Other Stock Brokers / Small DPs | Stock brokers with AUM below INR 100 crore, small depository participants | Annual VAPT | Basic monitoring required | IT security officer designated | Within 6 hours to SEBI + CERT-In |
| Mutual Funds / AMCs / RTAs / KRAs / Custodians | Asset Management Companies, Registrar and Transfer Agents, KYC Registration Agencies, Custodians of Securities | Annual VAPT | SOC recommended for large AMCs | CISO or equivalent role designated | Within 6 hours to SEBI + CERT-In |
Governance & Policy
Governance checklist
Foundational governance requirements that form the basis of CSCRF compliance. These must be established before technical controls can be effective.
Designated CISO appointed with direct reporting line to MD/CEO and board-level visibility
Cyber Security Committee constituted at board level with defined terms of reference
Comprehensive Cyber Security and Cyber Resilience Policy approved by the board of directors
Incident Response Plan (IRP) documented, approved, and tested at least annually
Cyber Crisis Management Plan (CCMP) aligned with SEBI and CERT-In guidelines
Dedicated annual cyber security budget allocation approved by the board
Cyber security awareness training program for all employees (mandatory quarterly)
Third-party/vendor cyber risk assessment policy and procedures in place
Cyber insurance coverage evaluated and procured as appropriate
Roles and responsibilities for cyber security clearly defined across the organisation
Technical Controls
Technical controls checklist
Detailed technical security controls required under SEBI CSCRF, organized by domain. Requirements vary by entity category — refer to the entity classification table above.
Network Security
Next-generation firewall deployed at all network perimeters with rule review every quarter
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) deployed and monitored
Network segmentation implemented — critical systems isolated from general corporate network
DMZ architecture for all internet-facing applications and services
Network Access Control (NAC) implemented for all endpoint connections
Secure DNS configuration with DNS filtering and monitoring
VPN with strong encryption for all remote access — no split tunneling
Regular network architecture review and penetration testing of network controls
Access Control
Multi-Factor Authentication (MFA) enforced for all privileged and remote access
Privileged Access Management (PAM) solution deployed for all administrative accounts
Quarterly access reviews conducted for all critical systems and applications
Role-Based Access Control (RBAC) implemented with principle of least privilege
Password policy enforced — minimum 12 characters, complexity, 90-day rotation for privileged accounts
Automated deprovisioning process for separated employees (within 24 hours)
Service account inventory maintained with regular credential rotation
Session timeout and concurrent session controls implemented
Data Security
Encryption at rest (AES-256) for all sensitive and critical data stores
Encryption in transit (TLS 1.2+) for all internal and external communications
Data Loss Prevention (DLP) solution deployed for email, web, and endpoints
Data classification policy implemented — Public, Internal, Confidential, Restricted
Database Activity Monitoring (DAM) for all databases containing sensitive data
Secure data backup with encryption — offsite/air-gapped copies tested quarterly
Data retention and secure disposal policy aligned with SEBI record-keeping requirements
PII and sensitive data discovery and inventory completed across all systems
Application Security
VAPT conducted as per SEBI-mandated frequency (see VAPT Requirements section)
Secure Software Development Life Cycle (SSDLC) adopted for all in-house applications
Web Application Firewall (WAF) deployed for all internet-facing web applications
Static Application Security Testing (SAST) integrated into CI/CD pipeline
Dynamic Application Security Testing (DAST) performed before every major release
Open-source and third-party component vulnerability scanning (SCA) in place
API security testing and rate limiting implemented for all exposed APIs
Code review process with security-focused review for all production deployments
Endpoint Security
Endpoint Detection and Response (EDR) deployed on all endpoints including servers
Automated patch management — critical patches applied within 72 hours of release
System hardening baselines (CIS benchmarks) applied to all servers and workstations
Removable media controls — USB and external device usage restricted and monitored
Mobile Device Management (MDM) for all corporate and BYOD devices accessing systems
Application whitelisting on critical servers and trading systems
SOC & Monitoring
24x7 Security Operations Center (SOC) operational (mandatory for MIIs and QSBs)
SIEM solution deployed with correlation rules for SEBI-relevant threat scenarios
Log retention policy — minimum 5 years for all security-relevant logs as per SEBI mandate
Centralized log collection from all critical infrastructure, applications, and security devices
Threat intelligence feeds integrated and operationalized in SOC workflows
Security incident ticketing and tracking system with SLA-based escalation
Regular SOC maturity assessment and capability uplift program
Automated alerting for anomalous activities — brute force, lateral movement, data exfiltration
VAPT Requirements
SEBI-mandated VAPT requirements
Vulnerability Assessment and Penetration Testing is a core requirement under SEBI CSCRF. All VAPT must be conducted by a CERT-In empanelled auditor. Security Brigade has been continuously empanelled by CERT-In since 2008.
| Entity Type | VAPT Frequency | Red Team Exercise | Auditor Requirement | Scope |
|---|---|---|---|---|
| MIIs (Stock Exchanges, Depositories, Clearing Corps) | Quarterly VAPT | Annual Red Team Exercise | CERT-In empanelled auditor mandatory | All internet-facing + critical internal systems + trading infrastructure |
| Qualified Stock Brokers (QSBs) | Half-yearly VAPT | Recommended annually | CERT-In empanelled auditor mandatory | All internet-facing + trading platforms + client-facing applications |
| Stock Brokers (AUM > 100 Cr) | Annual VAPT | Recommended | CERT-In empanelled auditor mandatory | Internet-facing systems + trading systems + client portals |
| Other Stock Brokers / Small DPs | Annual VAPT | Optional | CERT-In empanelled auditor mandatory | Internet-facing systems + critical applications |
| Mutual Funds / AMCs / Others | Annual VAPT | Recommended for large AMCs | CERT-In empanelled auditor mandatory | Internet-facing + NAV computation + investor portals |
CERT-In Empanelled Auditor Mandatory
As per SEBI CSCRF, all VAPT engagements must be conducted by a CERT-In empanelled information security auditing organisation. The auditor must hold a valid empanelment certificate at the time of the assessment. Entities should verify the auditor's empanelment status on the CERT-In website before engagement.
Incident Reporting
Incident reporting obligations
SEBI CSCRF mandates strict timelines for reporting cyber security incidents. Failure to report within the stipulated timelines is itself a compliance violation.
| Recipient | Timeline | Required Details | Follow-up |
|---|---|---|---|
| SEBI | Within 6 hours of detection | Nature of incident, systems affected, impact assessment, immediate actions taken | Detailed incident report within 14 days; quarterly summary report |
| CERT-In | Within 6 hours (as per CERT-In Directions, April 2022) | Type of incident, affected systems/IPs, estimated impact, remediation steps | Root cause analysis and lessons learned within 30 days |
| Relevant stock exchange / depository | Immediately upon detection | Applicable if the incident impacts market operations, trading, or settlement systems | Continuous updates until resolution |
Key Incident Reporting Checklist
Incident response team activated and incident commander designated
Incident classified by severity — Critical / High / Medium / Low
Initial notification sent to SEBI within 6 hours of detection
CERT-In notified within 6 hours as per CERT-In Directions (April 2022)
Relevant stock exchange / depository notified if market operations impacted
Incident details documented — nature, timeline, affected systems, impact scope
Containment measures implemented and documented
Evidence preserved for forensic analysis — logs, memory dumps, disk images
Detailed incident report submitted to SEBI within 14 days
Root cause analysis completed and shared with CERT-In within 30 days
Remediation actions implemented and verified
Quarterly incident summary report prepared for SEBI submission
Compliance Calendar
Annual audit & compliance calendar
A structured quarterly plan to ensure continuous CSCRF compliance throughout the financial year. Adjust timelines based on your entity category and specific SEBI requirements.
Q1 (April - June)
Annual VAPT cycle initiation for all entity categories
Cyber security policy annual review and board approval
Annual cyber security budget review and allocation
Cyber security awareness training — Q1 session
SEBI annual compliance report submission (for previous financial year)
Third-party vendor risk reassessment initiation
Q2 (July - September)
Half-yearly VAPT for Qualified Stock Brokers
SOC effectiveness audit and maturity review
Business Continuity Plan (BCP) review and update
Cyber security awareness training — Q2 session
Access review — half-yearly comprehensive review
Incident response plan tabletop exercise
Q3 (October - December)
Quarterly VAPT for MIIs (second cycle)
Disaster Recovery (DR) drill and documentation
Cyber crisis simulation exercise
Cyber security awareness training — Q3 session
Network architecture and firewall rule review
Threat landscape assessment and control update
Q4 (January - March)
Annual comprehensive compliance assessment
Board-level cyber security review presentation
Next financial year cyber security roadmap and budget proposal
Cyber security awareness training — Q4 session
Annual red team exercise (MIIs)
Compliance gap remediation verification and closure
VAPT remediation status review — all open findings
Gap Assessment
Gap assessment template
Use this template to assess your current compliance posture against SEBI CSCRF requirements. Identify gaps, assign remediation ownership, and track progress to full compliance.
| CSCRF Requirement | Current Status | Gap Description | Remediation Action | Owner | Deadline |
|---|---|---|---|---|---|
| CISO Appointment & Reporting Structure | Compliant / Partial / Non-Compliant | | | | |
| Board-Level Cyber Security Committee | Compliant / Partial / Non-Compliant | | | | |
| Cyber Security Policy (Board Approved) | Compliant / Partial / Non-Compliant | | | | |
| Incident Response Plan | Compliant / Partial / Non-Compliant | | | | |
| Network Security Controls (FW, IDS/IPS, Segmentation) | Compliant / Partial / Non-Compliant | | | | |
| Multi-Factor Authentication | Compliant / Partial / Non-Compliant | | | | |
| Data Encryption (At Rest & In Transit) | Compliant / Partial / Non-Compliant | | | | |
| VAPT by CERT-In Empanelled Auditor | Compliant / Partial / Non-Compliant | | | | |
| SOC / 24x7 Monitoring | Compliant / Partial / Non-Compliant | | | | |
| Log Retention (5 Years) | Compliant / Partial / Non-Compliant | | | | |
| Incident Reporting Process (6-Hour SLA) | Compliant / Partial / Non-Compliant | | | | |
| DR/BCP Testing | Compliant / Partial / Non-Compliant | | | | |
| Cyber Security Awareness Training | Compliant / Partial / Non-Compliant | | | | |
| Third-Party Risk Management | Compliant / Partial / Non-Compliant | | | | |
| Annual Compliance Reporting to SEBI | Compliant / Partial / Non-Compliant | | | | |
This template covers key CSCRF requirements. Extend with additional rows specific to your entity category and business context. Print this page (Ctrl+P / Cmd+P) to use as a working document.
Need help with SEBI CSCRF compliance?
Security Brigade has been CERT-In empanelled since 2008 and has conducted 6,700+ security assessments for 700+ clients including major BFSI institutions.
We provide end-to-end CSCRF compliance support — gap assessment, VAPT, policy development, SOC setup advisory, and ongoing compliance management.