SEBI CSCRF: Cyber Security & Cyber Resilience Framework Guide for Market Intermediaries
The Securities and Exchange Board of India (SEBI) has moved its cybersecurity expectations from a patchwork of circulars to a single, consolidated rulebook: the Cyber Security and Cyber Resilience Framework (CSCRF). For SEBI Regulated Entities (REs) — from stock brokers and mutual funds to depositories and exchanges — CSCRF defines not just how to defend against cyber attacks, but how to keep critical market functions running through one.
This guide explains what CSCRF is, which entities it applies to, the graded approach that scales obligations to your size, the five cyber resilience goals, the key technical and audit requirements, and how to prepare for a clean compliance outcome. CyberSigma, a CERT-In empanelled cybersecurity firm, helps market intermediaries meet CSCRF end to end.
What Is SEBI CSCRF?
CSCRF is SEBI's unified Cyber Security and Cyber Resilience Framework. It consolidates and supersedes the earlier entity-specific cybersecurity circulars and introduces a structured model that is aligned with internationally recognised practices such as the NIST Cybersecurity Framework, while adding explicit cyber resilience expectations. The framework is mandatory for SEBI Regulated Entities, with obligations graded by the entity's category and scale.
Who Must Comply with CSCRF?
CSCRF applies across the SEBI-regulated ecosystem, with the depth of controls scaled to the entity:
- Market Infrastructure Institutions (MIIs) — stock exchanges, clearing corporations, and depositories
- Stock brokers and depository participants
- Asset Management Companies (AMCs) and Mutual Funds
- KYC Registration Agencies (KRAs), Registrars and Transfer Agents (RTAs)
- Investment advisers, research analysts, merchant bankers, and portfolio managers
- Alternative Investment Funds and other categories of SEBI Regulated Entities
The Graded Approach
Rather than applying one rigid standard to everyone, CSCRF uses a graded model so that obligations are proportionate to an entity's size, complexity, and systemic importance. REs are classified into categories — broadly Market Infrastructure Institutions, Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs — and the required controls, audit frequency, and reporting scale accordingly. Identifying your category correctly is the first step to a defensible compliance program.
The Five Cyber Resilience Goals
CSCRF frames its expectations around cyber resilience — the ability to keep operating through an attack — organised under goals that map to recognised security functions:
- Anticipate — govern and identify cyber risks before they materialise
- Withstand — protect critical systems and data with strong preventive controls
- Contain — detect incidents quickly and limit their spread
- Recover — restore critical operations within defined recovery objectives
- Evolve — learn from incidents and continuously improve the security posture
Key CSCRF Requirements
While specifics vary by category, CSCRF typically expects Regulated Entities to implement and evidence:
- A board-approved cyber security and cyber resilience policy with clear governance and a CISO function
- Security operations and monitoring — through a dedicated SOC, a managed SOC, or the Market SOC facility for smaller REs
- Regular Vulnerability Assessment and Penetration Testing (VAPT) by a CERT-In empanelled auditor
- A comprehensive cyber audit, with reports submitted to SEBI on the prescribed cadence
- Data classification, protection, and (for relevant categories) ISO 27001-aligned controls
- Incident detection, response, and reporting within SEBI and CERT-In timelines
- Software Bill of Materials (SBOM) and supply-chain controls for critical systems
The CSCRF Cyber Audit
A central obligation under CSCRF is independent assurance. Regulated Entities are required to undergo cyber audits and VAPT, and to submit the resulting reports to SEBI. The audit assesses whether the policy, technical controls, monitoring, and resilience capabilities are genuinely implemented and effective — not merely documented. Using a CERT-In empanelled auditor ensures the testing is recognised and the evidence stands up to supervisory review.
CSCRF Timelines
SEBI has rolled out CSCRF on a phased basis, with compliance dates differentiated by entity category and, in several cases, extended to give REs time to implement. Because timelines and category thresholds are periodically updated by SEBI, entities should confirm the current applicability dates for their category and begin readiness early rather than close to a deadline.
How to Prepare for CSCRF
- Confirm your RE category and the exact CSCRF obligations that apply to it
- Establish board-level governance, a cyber security policy, and an empowered CISO function
- Stand up monitoring — own SOC, managed SOC, or the Market SOC — with log retention and alerting
- Run VAPT and close findings with documented evidence and retests
- Operationalise incident response aligned to SEBI and CERT-In reporting timelines
- Engage a CERT-In empanelled auditor to run the gap assessment, testing, and audit
How CyberSigma Helps
CyberSigma helps SEBI Regulated Entities meet CSCRF from gap assessment through VAPT, cyber audit, and remediation. As a CERT-In empanelled firm staffed by senior auditors, we map your category's obligations to concrete controls, run the testing, and produce reports written for SEBI submission. Our reporting is structured so the same evidence supports ISO 27001, SOC 2, and customer assurance reviews — turning a regulatory requirement into reusable security maturity.
Conclusion
CSCRF raises the bar for cybersecurity and resilience across India's capital markets. Entities that treat it as a continuous program — governance, monitoring, testing, and resilience built into operations — pass audits smoothly and protect both investors and their own authorisation. If CSCRF compliance is on your roadmap, a structured readiness assessment with an empanelled partner is the fastest route to a clean outcome.