SEBI · India

SEBI CSCRF

SEBI’s Cyber Security and Cyber Resilience Framework for regulated entities.

SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF) consolidates SEBI’s cyber expectations for its regulated entities into a single, structured framework built around the standard cyber-resilience functions plus governance, with graded requirements by entity classification.

Who must comply

  • Market Infrastructure Institutions — stock exchanges, depositories, clearing corporations.
  • Stock brokers, depository participants, mutual funds/AMCs.
  • KYC Registration Agencies (KRAs), registrars and transfer agents, and other intermediaries.

Cyber-resilience goals

Goal                  Focus
Anticipate / Govern   Governance, policy, roles and risk management
Identify              Assets, data and risk identification
Protect               Access control, data security, hardening
Detect                Monitoring, SOC and anomaly detection
Respond & Recover     Incident response, recovery and reporting

Key requirements

  • Cyber security governance and a board/GB-approved policy.
  • Graded controls based on entity classification (e.g., Market Infrastructure Institutions vs smaller intermediaries).
  • SOC / security monitoring (own, group or managed).
  • VAPT and periodic cyber audit.
  • Incident reporting to SEBI within stipulated timelines.
  • Data classification, protection and (where applicable) data-localisation considerations.

Implementation roadmap

  1. Classify the entity and determine applicable CSCRF requirements.
  2. Perform a gap assessment against the framework.
  3. Implement/strengthen governance, controls and monitoring.
  4. Conduct VAPT and the periodic cyber audit.
  5. Report compliance to SEBI and remediate findings.

Evidence checklist

  • Board/GB-approved cyber security policy and governance records.
  • Entity classification and applicability mapping.
  • SOC/monitoring evidence.
  • VAPT and cyber-audit reports.
  • Incident register and SEBI reporting records.
  • Remediation tracker.

How CyberSigma helps

We map your CSCRF applicability, run the gap assessment, VAPT and periodic cyber audit, and support SEBI reporting — as a CERT-In empanelled auditor.

Frequently asked questions

Who must comply with SEBI CSCRF?
SEBI-regulated intermediaries and market infrastructure institutions, with requirements graded by the entity’s classification and criticality.
