SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF) consolidates SEBI’s cyber expectations for its regulated entities into a single, structured framework built around the standard cyber-resilience functions plus governance, with graded requirements by entity classification.
Who must comply
- Market Infrastructure Institutions — stock exchanges, depositories, clearing corporations.
- Stock brokers, depository participants, mutual funds/AMCs.
- KYC Registration Agencies (KRAs), registrars and transfer agents, and other intermediaries.
Cyber-resilience goals
| Goal | Focus |
|---|---|
| Anticipate / Govern | Governance, policy, roles and risk management |
| Identify | Assets, data and risk identification |
| Protect | Access control, data security, hardening |
| Detect | Monitoring, SOC and anomaly detection |
| Respond & Recover | Incident response, recovery and reporting |
Key requirements
- Cyber security governance and a board/GB-approved policy.
- Graded controls based on entity classification (e.g., Market Infrastructure Institutions vs smaller intermediaries).
- SOC / security monitoring (own, group or managed).
- VAPT and periodic cyber audit.
- Incident reporting to SEBI within stipulated timelines.
- Data classification, protection and (where applicable) data-localisation considerations.
Implementation roadmap
- Classify the entity and determine applicable CSCRF requirements.
- Perform a gap assessment against the framework.
- Implement/strengthen governance, controls and monitoring.
- Conduct VAPT and the periodic cyber audit.
- Report compliance to SEBI and remediate findings.
Evidence checklist
- Board/GB-approved cyber security policy and governance records.
- Entity classification and applicability mapping.
- SOC/monitoring evidence.
- VAPT and cyber-audit reports.
- Incident register and SEBI reporting records.
- Remediation tracker.
How CyberSigma helps
We map your CSCRF applicability, run the gap assessment, VAPT and periodic cyber audit, and support SEBI reporting — as a CERT-In empanelled auditor.
Frequently asked questions
Who must comply with SEBI CSCRF?
SEBI-regulated intermediaries and market infrastructure institutions, with requirements graded by the entity’s classification and criticality.
Need help with SEBI CSCRF?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about the framework to being compliant, through a scoped, guided programme.
