Master the SEBI CSCRF Checklist: Ultimate Guide for 2025

SEBI's New Cybersecurity Guidelines
SEBI CSCRF Cybersecurity Checklist: Your Guide to Comprehensive Security

The Securities and Exchange Board of India (SEBI) has introduced a comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) for its Regulated Entities (REs), effective August 20, 2024. This framework is designed to strengthen cybersecurity measures and ensure adequate cyber resilience within the Indian securities market.

What is the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)?

SEBI initially established a cybersecurity and cyber resilience framework for Market Infrastructure Institutions (MIIs) in 2015. Subsequently, SEBI issued similar frameworks for other REs, including Stock Brokers, Depository Participants, Mutual Funds/Asset Management Companies (AMCs), KYC Registration Agencies (KRAs), Qualified Registrars to an Issue and Share Transfer Agents (QRTAs), and Portfolio Managers. Additionally, SEBI has consistently provided advisories on cybersecurity best practices to REs. The new CSCRF consolidates and enhances these existing provisions, aiming for uniform cybersecurity guidelines across all REs and a more robust mechanism to manage cyber risks, threats, and incidents. The framework was developed through extensive consultations with stakeholders such as MIIs, REs, industry associations, government organizations (such as CERT-In), industry standard forums, and cybersecurity experts, and was reviewed by SEBI’s High Powered Steering Committee on Cybersecurity (HPSC-CS). The CSCRF supersedes all previous SEBI cybersecurity circulars, guidelines, advisories, and letters, a list of which is provided within the framework.

Objectives of SEBI’s CSCRF

The primary objectives of the CSCRF are:

  • To address evolving cyber threats.
  • To align with industry standards.
  • To encourage efficient audits.
  • To ensure compliance by SEBI REs.
  • To provide standards and guidelines for strengthening cyber resilience and maintaining robust cybersecurity of SEBI REs.
  • To ensure that even smaller REs are equipped with adequate cybersecurity measures and achieve resilience against incidents. The framework also standardizes formats for reporting by REs.

Approach and Cyber Resilience Goals

SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) takes a standards-based approach and broadly covers five cyber resiliency goals adopted from the Cyber Crisis Management Plan (CCMP) of the Indian Computer Emergency Response Team (CERT-In). These goals are crucial for countering cyber attacks and cyber terrorism. The five cyber resilience goals are:

  • Anticipate: Maintaining informed preparedness to prevent compromises of mission/business functions from adversary attacks. This goal is linked to the cybersecurity functions of Governance, Identify, and Protect.
  • Withstand: Continuing essential mission/business functions despite successful execution of an attack. This goal is linked to the cybersecurity function of Respond.
  • Contain: Localizing containment of crises and isolating trusted systems from untrusted systems to maintain essential business operations during cyber attacks. This goal is also linked to the cybersecurity function of Respond.
  • Recover: Restoring mission/business functions to the maximum extent possible after an attack. This goal is linked to the cybersecurity function of Recover.
  • Evolve: Changing mission/business functions and/or supporting cyber capabilities to minimize adverse impacts from actual or predicted adversary attacks. This goal stands on its own within the framework.

These cyber resiliency goals are integrated with key cybersecurity functions: Governance, Identify, Protect, Detect, Respond, and Recover. The framework outlines how these functions are to be implemented through various cybersecurity controls, categorized as objectives, standards, and guidelines.

Graded Approach and Categories of SEBI Regulated Entities

The CSCRF follows a graded approach, classifying REs into five categories based on their operational span and specific thresholds such as the number of clients, trade volume, and Assets Under Management (AUM). The category for qualified regulated entities is determined at the beginning of the financial year using data from the previous year and remains consistent throughout that year.

The five categories of REs are:

  1. Market Infrastructure Institutions (MIIs): This includes Stock Exchanges, Depositories, and Clearing Corporations. KRAs and QRTAs are also treated at par with MIIs for CSCRF applicability.
  2. Qualified REs.
  3. Mid-size REs.
  4. Small-size REs.
  5. Self-certification REs.

Specific categorization criteria and thresholds are defined for various entities, including Alternative Investment Funds (AIFs), Bankers to an Issue (BTIs) and Self-Certified Syndicate Banks (SCSBs), Client-based and Proprietary Stock Brokers, Collective Investment Schemes (CIS), Credit Rating Agencies (CRAs), Custodians, Debenture Trustees (DTs), Depository Participants (DPs), Designated Depository Participants (DDPs), Investment Advisors (IAs)/Research Analysts (RAs), Merchant Bankers (MBs), Mutual Funds (MFs)/AMCs, Portfolio Managers, and Venture Capital Funds (VCFs). If an RE is registered under multiple categories, the provisions of the highest applicable category will apply.

Key Provisions and Highlights of Cybersecurity Framework

Governance and Risk Management

The framework emphasizes the importance of governance and supply chain risk management. It requires REs to establish clear cybersecurity risk management roles, responsibilities, and authorities, fostering accountability and continuous improvement. A comprehensive cybersecurity and cyber resilience policy must be documented and implemented with Board approval. MIIs, Qualified REs, and Mid-size REs are mandated to prepare a cyber risk management framework for continuous identification, analysis, evaluation, prioritization, response, and monitoring of cyber risks.

Cyber Capability Index (CCI)

Applicable to MIIs and Qualified REs, the CCI is an index designed to help these REs monitor and assess their progress and cyber resilience periodically. MIIs must conduct third-party assessments of their cyber resilience using the CCI on a half-yearly basis, while Qualified REs perform self-assessments annually. The CCI calculates a cybersecurity maturity level based on 23 weighted parameters, with ratings ranging from “Exceptional Cybersecurity Maturity” to “Fail”.

Security Operations Centre (SOC)

The CSCRF mandates that all REs establish appropriate security monitoring mechanisms through a Security Operations Centre (SOC). REs have the flexibility to onboard their own/group SOC, utilize a Market SOC, or engage a third-party managed SOC. Significantly, NSE and BSE are mandated to set up a Market SOC (M-SOC) to provide cybersecurity solutions, especially to smaller REs who may lack the knowledge, expertise, or resources to set up their own SOC. Small-size and Self-certification REs are specifically mandated to be onboarded onto the Market SOC. MIIs and Qualified REs must measure the functional efficacy of their SOC on a half-yearly basis, while other REs using third-party or Market SOC services must obtain an efficacy report annually. The M-SOC must be operational by January 01, 2025.

Data Security and Localization

The framework includes provisions for IT services, Software as a Service (SaaS) solutions, and hosted services. A key focus is on data classification and localization. REs are required to classify data into “Regulatory Data” and “IT and Cybersecurity Data”. Regulatory Data must be stored within the legal boundaries of India in an easily accessible, legible, and usable form. An exception is made for IT and Cybersecurity Data sent to global/international SOCs or SaaS-based cybersecurity solutions, which are exempted from being maintained within India’s legal boundaries, provided they are classified, assessed, and periodically reviewed by the RE’s IT Committee. REs must also conduct audits for software solutions/applications/products they use.

Application Programming Interface (API) Security

The CSCRF mandates the implementation of API security with rate limiting, throttling, and proper authentication and authorization mechanisms.

Vulnerability Assessment and Penetration Testing (VAPT)

Periodic VAPT is mandatory for REs to detect vulnerabilities in their IT environment, covering all critical systems, infrastructure components, and other IT systems as defined in the framework. The VAPT scope is comprehensive, including infrastructure, applications, Wi-Fi, APIs, mobile applications, OS, DB, cloud implementations, and configuration audits. REs identified as ‘Protected systems’ and/or CII by NCIIPC must conduct VAPT at least twice a year, while others must do so at least once a year. VAPT reports, along with an MD/CEO declaration, must be submitted to the respective reporting authority within one month of completion, and findings must be closed within three months. Red Teaming under CSCRF is not mandatory.

Incident Management and Response

All cybersecurity incidents must be reported in a timely manner via the SEBI incident reporting portal. Critical incidents must be reported to SEBI and CERT-In within 6 hours of detection. REs are required to establish a comprehensive Incident Response Management plan and an up-to-date Cyber Crisis Management Plan (CCMP) with scenario-based SOPs. In the event of an incident, Root Cause Analysis (RCA) is mandatory, and if inconclusive, a forensic analysis must be undertaken. Post-incident activities, including lessons learned, are to be incorporated into plans for continuous improvement.

ISO 27001 Certification

MIIs and Qualified REs are mandated to obtain ISO 27001 (latest version) certification within one year of the CSCRF’s issuance, as it provides essential security standards for Information Security Management Systems (ISMS).

IT Committee for REs

MIIs, Qualified REs, and Mid-size REs are required to constitute an ‘IT Committee’ that must include at least one external independent expert on cybersecurity. This committee undertakes periodic reviews of cybersecurity policies, incidents, and compliance with CSCRF, making recommendations to the Board. While not mandatory for Small-size and Self-certification REs, it is desirable to include an IT expert, and compliance for these categories must be reviewed and approved by the MD/CEO/Board member/Partners/Proprietor.

Red Teaming and Threat Hunting

MIIs and Qualified REs must conduct goal-based adversarial simulation red teaming exercises periodically to identify weaknesses in cyber defenses. They also need to perform threat hunting and compromise assessment regularly.

SEBI CSCRF Checklist

The SEBI CSCRF (Cybersecurity and Cyber Resilience Framework) checklist is a comprehensive tool designed to ensure that regulated entities adhere to the regulatory framework set by the Securities and Exchange Board of India (SEBI). The checklist helps organizations maintain transparency and accountability in their operations.

Key Components of the SEBI CSCRF Checklist

  • Corporate Governance Principles
  • Disclosure Requirements
  • Compliance with Regulations
  • Internal Control Mechanisms
  • Risk Management Framework

Importance of the SEBI CSCRF Checklist

Using the SEBI CSCRF checklist is crucial for companies to ensure compliance with regulatory standards. It helps in identifying potential areas of risk and ensuring that adequate measures are in place to mitigate them.

You can download the SEBI CSCRF compliance requirements using the “SEBI CSCRF Checklist Excel”.

Applicability and Implementation Timelines

The framework applies to a wide range of REs, including Alternative Investment Funds (AIFs), Bankers to an Issue (BTI), Self-Certified Syndicate Banks (SCSBs), Clearing Corporations, Collective Investment Schemes (CIS), Credit Rating Agencies (CRAs), Custodians, Debenture Trustees (DTs), Depositories, Designated Depository Participants (DDPs), Depository Participants, Investment Advisors (IAs), Research Analysts (RAs), Merchant Bankers (MBs), Mutual Funds (MFs)/Asset Management Companies (AMCs), Portfolio Managers, Registrar to an Issue and Share Transfer Agents (RTAs), Stock Brokers, Stock Exchanges, and Venture Capital Funds (VCFs).

The implementation of CSCRF provisions will follow a phased approach:

  • By January 01, 2025: For the six categories of REs where cybersecurity and cyber resilience circulars already exist.
  • By April 01, 2025: For other REs where CSCRF is being issued for the first time.

REs are required to establish appropriate systems and procedures to ensure compliance with CSCRF provisions and conduct cyber audits according to the framework after these timelines.

SEBI CSCRF Circular Extension

  • SEBI has provided extensions for the implementation of the Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities (REs).
  • These extensions are granted to account for the complexities of system upgrades, technical adjustments, and the time required for effective implementation.
  • A notable extension moved the compliance deadline for a broad segment of REs to August 31, 2025.
  • It’s important to note that these extensions typically do not apply to critical market participants like Market Infrastructure Institutions (MIIs), KYC Registration Agencies (KRAs), and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs).

Compliance and Audit

Compliance reporting for CSCRF will be done by REs to their respective authorities (e.g., MIIs to SEBI, stock brokers to stock exchanges) in standardized formats. Cyber audits are mandated to verify compliance with CSCRF, covering 100% of critical systems and 25% of non-critical systems selected on a sample basis. MIIs and Qualified REs, along with Mid-size and Small-size REs providing IBT or Algo trading facilities, must undergo cyber audits at least twice a year. The rest of the REs need to conduct it at least once a year. Cyber audit reports, along with an MD/CEO declaration, are to be submitted within one month of completion, with findings closed within three months. Self-certification REs are only required to conduct VAPT audits through CERT-In empanelled IS auditing organizations and submit a self-certification for compliance with applicable CSCRF provisions.

Future-proofing of SEBI CSCRF

The framework recognizes that technologies like quantum computing may pose significant cybersecurity threats in the future by potentially breaking current encryption schemes. To address “harvest now – decrypt later” attacks, CSCRF includes provisions for continuous risk assessment and robust data protection measures. The framework is designed to be continuously updated based on technological maturity and RE adoption to meet future cybersecurity needs of the securities market.

Structure of the CSCRF Document

For ease of understanding and compliance, the CSCRF document is divided into four main parts:

  • Part I: Objectives and Standards – Contains definitions, compliance matrix, audit report timelines, and the core objectives and standards.
  • Part II: Guidelines – Provides recommendations and mandatory measures on how to achieve specific outcomes and implement standards.
  • Part III: Structured Formats for Compliance – Includes standard formats for VAPT and cyber audit compliance reports.
  • Part IV: Annexures and References – Contains additional guidelines for auditors, scenario-based cyber resilience testing, the Cyber Capability Index (CCI), functional efficacy of SOC, and

Cyber Security tools recommended by SEBI CSCRF Framework

The following table outlines key cybersecurity tools and compliance mechanisms recommended or mandated by the SEBI CSCRF framework, along with their applicability across the different categories of REs:

Cybersecurity Tools for SEBI CSCRF Compliance

This table provides a concise overview of the varying cybersecurity tool and compliance requirements as stipulated by the SEBI CSCRF framework, emphasizing the graded approach based on the RE’s category.

SEBI CSCRF Framework Consulting

Given the technical complexity and broad scope of the CSCRF, many REs, particularly those with limited in-house cybersecurity expertise or resources, turn to specialized consulting firms. These firms offer a range of services to help REs achieve and maintain compliance, reduce cyber risks, and build true cyber resilience. Their services typically include gap assessments, policy and framework development, implementation support for security controls, vulnerability assessment and penetration testing (VAPT), incident response planning, and ongoing compliance monitoring. They often bring deep regulatory knowledge, technical expertise, and an understanding of the unique challenges faced by financial institutions.

List of Consulting Firms

While the choice of a consulting firm depends on specific organizational needs, budget, and the scale of operations, several reputable firms in India offer services related to SEBI CSCRF compliance. This list is illustrative and not exhaustive, nor does it constitute an endorsement:

Big Four Consulting Firms:

  • EY (Ernst & Young): Known for comprehensive cybersecurity advisory services, including regulatory compliance, risk management, and security transformation.
  • KPMG: Offers SEBI CSCRF-specific consulting, including cyber maturity assessments, governance, and implementation support, leveraging their global network and expertise.
  • PricewaterhouseCoopers (PwC): Provides integrated cybersecurity solutions covering strategy, technology, and management consulting, aiding in regulatory adherence.
  • Deloitte: Offers a broad spectrum of cyber risk services, including regulatory compliance and cybersecurity program development.

Specialized Cybersecurity & Advisory Firms:

  • InCorp Advisory: Offers expert-led SEBI CSCRF compliance consulting services, including gap assessments, policy development, implementation support, and training.
  • Triflo: Specializes in IT Regulatory Compliance for SEBI, RBI, and IRDAI, providing end-to-end services for SEBI CSCRF consultation and implementation.
  • Cybercommand: A Managed Security Services Provider (MSSP) offering end-to-end SEBI CSCRF compliance, security management, and certification audit support.
  • Whitehats Technologies: Provides end-to-end solutions for seamless adherence to CSCRF, focusing on enhancing cybersecurity posture and promoting cyber resilience.
  • INFOCUS IT: Offers specialized SEBI CSCRF consulting services to help financial institutions implement the framework and build robust cyber defenses.
  • RNR Consulting: A CERT-In empaneled security auditor licensed to assist with understanding, managing, and complying with SEBI’s cybersecurity guidelines.

When selecting a consulting partner, REs should consider factors such as the firm’s experience with SEBI regulations, industry-specific knowledge, track record, certifications (e.g., CERT-In empanelment), and the scope of services offered to ensure alignment with their specific needs and objectives.

Conclusion

The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) represents a significant step toward strengthening the digital trust and operational integrity of India’s financial ecosystem. For regulated entities, compliance is no longer just a technical obligation—it is a strategic imperative.

By embedding the CSCRF’s principles into core governance, IT operations, and risk management practices, organizations can not only meet regulatory requirements but also enhance their resilience against evolving cyber threats. From board-level oversight and ISO-aligned policies to real-time threat detection and third-party risk monitoring, each component of the framework is designed to ensure preparedness, accountability, and sustainability.

As cyber risks continue to grow in complexity, proactive implementation of CSCRF is key—not only to avoid penalties, but to build a culture of security that supports business continuity, investor confidence, and long-term growth.

Now is the time to assess, adapt, and align—because resilience is not optional. It’s foundational.

You can read the detailed SEBI CSCRF guidelines.
