SEBI CSCRF: Cyber Security & Cyber Resilience Framework Guide for Market Intermediaries

The Securities and Exchange Board of India (SEBI) has moved its cybersecurity expectations from a patchwork of circulars to a single, consolidated rulebook: the Cyber Security and Cyber Resilience Framework (CSCRF). For SEBI Regulated Entities (REs) — from stock brokers and mutual funds to depositories and exchanges — CSCRF defines not just how to defend against cyber attacks, but how to keep critical market functions running through one.

This guide explains what CSCRF is, which entities it applies to, the graded approach that scales obligations to your size, the five cyber resilience goals, the key technical and audit requirements, and how to prepare for a clean compliance outcome. CyberSigma, a CERT-In empanelled cybersecurity firm, helps market intermediaries meet CSCRF end to end.

What Is SEBI CSCRF?

CSCRF is SEBI's unified Cyber Security and Cyber Resilience Framework. It consolidates and supersedes the earlier entity-specific cybersecurity circulars and introduces a structured model that is aligned with internationally recognised practices such as the NIST Cybersecurity Framework, while adding explicit cyber resilience expectations. The framework is mandatory for SEBI Regulated Entities, with obligations graded by the entity's category and scale.

Who Must Comply with CSCRF?

CSCRF applies across the SEBI-regulated ecosystem, with the depth of controls scaled to the entity:

  • Market Infrastructure Institutions (MIIs) — stock exchanges, clearing corporations, and depositories
  • Stock brokers and depository participants
  • Asset Management Companies (AMCs) and Mutual Funds
  • KYC Registration Agencies (KRAs), Registrars and Transfer Agents (RTAs)
  • Investment advisers, research analysts, merchant bankers, and portfolio managers
  • Alternative Investment Funds and other categories of SEBI Regulated Entities

The Graded Approach

Rather than applying one rigid standard to everyone, CSCRF uses a graded model so that obligations are proportionate to an entity's size, complexity, and systemic importance. REs are classified into categories — broadly Market Infrastructure Institutions, Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs — and the required controls, audit frequency, and reporting scale accordingly. Identifying your category correctly is the first step to a defensible compliance program.

The Five Cyber Resilience Goals

CSCRF frames its expectations around cyber resilience — the ability to keep operating through an attack — organised under goals that map to recognised security functions:

  • Anticipate — govern and identify cyber risks before they materialise
  • Withstand — protect critical systems and data with strong preventive controls
  • Contain — detect incidents quickly and limit their spread
  • Recover — restore critical operations within defined recovery objectives
  • Evolve — learn from incidents and continuously improve the security posture

Key CSCRF Requirements

While specifics vary by category, CSCRF typically expects Regulated Entities to implement and evidence:

  • A board-approved cyber security and cyber resilience policy with clear governance and a CISO function
  • Security operations and monitoring — through a dedicated SOC, a managed SOC, or the Market SOC facility for smaller REs
  • Regular Vulnerability Assessment and Penetration Testing (VAPT) by a CERT-In empanelled auditor
  • A comprehensive cyber audit, with reports submitted to SEBI on the prescribed cadence
  • Data classification, protection, and (for relevant categories) ISO 27001-aligned controls
  • Incident detection, response, and reporting within SEBI and CERT-In timelines
  • Software Bill of Materials (SBOM) and supply-chain controls for critical systems

The CSCRF Cyber Audit

A central obligation under CSCRF is independent assurance. Regulated Entities are required to undergo cyber audits and VAPT, and to submit the resulting reports to SEBI. The audit assesses whether the policy, technical controls, monitoring, and resilience capabilities are genuinely implemented and effective — not merely documented. Using a CERT-In empanelled auditor ensures the testing is recognised and the evidence stands up to supervisory review.

CSCRF Timelines

SEBI has rolled out CSCRF on a phased basis, with compliance dates differentiated by entity category and, in several cases, extended to give REs time to implement. Because timelines and category thresholds are periodically updated by SEBI, entities should confirm the current applicability dates for their category and begin readiness early rather than close to a deadline.

How to Prepare for CSCRF

  • Confirm your RE category and the exact CSCRF obligations that apply to it
  • Establish board-level governance, a cyber security policy, and an empowered CISO function
  • Stand up monitoring — own SOC, managed SOC, or the Market SOC — with log retention and alerting
  • Run VAPT and close findings with documented evidence and retests
  • Operationalise incident response aligned to SEBI and CERT-In reporting timelines
  • Engage a CERT-In empanelled auditor to run the gap assessment, testing, and audit

How CyberSigma Helps

CyberSigma helps SEBI Regulated Entities meet CSCRF from gap assessment through VAPT, cyber audit, and remediation. As a CERT-In empanelled firm staffed by senior auditors, we map your category's obligations to concrete controls, run the testing, and produce reports written for SEBI submission. Our reporting is structured so the same evidence supports ISO 27001, SOC 2, and customer assurance reviews — turning a regulatory requirement into reusable security maturity.

Conclusion

CSCRF raises the bar for cybersecurity and resilience across India's capital markets. Entities that treat it as a continuous program — governance, monitoring, testing, and resilience built into operations — pass audits smoothly and protect both investors and their own authorisation. If CSCRF compliance is on your roadmap, a structured readiness assessment with an empanelled partner is the fastest route to a clean outcome.

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with RBI/SEBI cyber audits, VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.