SEBI's CSCRF (August 2024) sets unified cybersecurity obligations across every market intermediary, from MIIs to Self-Certification REs. The January 2025 deadline has passed. Get tier-matched remediation in place now.
SEBI's CSCRF (August 20, 2024) supersedes all prior SEBI cybersecurity circulars and applies to every regulated entity, from exchanges and depositories to stock brokers, AMCs, and KRAs. The framework is built on five resiliency goals, and its requirements are tiered by entity size. All entities need a board-approved IS Policy, annual VAPT by CERT-In empanelled auditors, India data localization compliance, and 2-hour incident reporting.
Tier-specific gap assessment against CSCRF controls per Circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2024/85, producing a prioritised remediation roadmap.
Board-approved IS Policy, IRP, BCP, and Cyber Crisis Management Plan per CSCRF Paragraphs 8-11 for your entity tier.
Determine CSCRF entity tier (MII, QRE, Mid-size RE, Self-Cert RE) per Paragraph 4 and identify applicable requirements.
Evaluate data residency and cross-border flows against CSCRF Paragraph 24, identifying non-compliant storage and processing.
Design annual VAPT per CSCRF Paragraph 20, scoped to cover trading systems, client portals, APIs, and internal networks.
Assess IT vendors against CSCRF Paragraphs 25-27 third-party risk requirements for market intermediaries.
Design or source 24x7 SOC for MIIs/QREs per CSCRF Paragraph 16. Mid-size and smaller REs may use M-SOC from NSE/BSE.
Annual VAPT per CSCRF Paragraph 20 by CERT-In empanelled firms, covering trading systems, portals, and APIs.
Prepare evidence for mandatory annual cyber audit per CSCRF Paragraph 21, including control rationale and auditor liaison.
Implement 2-hour SEBI and CERT-In notification per CSCRF Paragraph 22 with classification criteria and escalation runbooks.
Implement India data localization per CSCRF Paragraph 24 for all market data, client data, and transaction records.
Deploy access management, encryption, network security, and vulnerability controls aligned to your CSCRF entity tier requirements.
Prepare and submit annual cyber audit per CSCRF Paragraph 21 with evidence packages and empanelled auditor coordination.
Quarterly review of CSCRF controls and regulatory developments to maintain continuous compliance per entity tier.
Ongoing threat intelligence covering capital market APT campaigns and emerging cyber risk to trading platforms.
Periodic tabletop exercises testing 2-hour SEBI/CERT-In notification per CSCRF Paragraph 22 and escalation workflows.
Track SEBI circulars, CSCRF amendments, and CERT-In directions, implementing changes within regulatory timelines.
Periodic review of M-SOC integration, alert coverage, and incident escalation effectiveness for entities using exchange-provided SOC.
All SEBI-registered stock brokers and trading members must comply with CSCRF. Large brokers qualify as Qualified REs (requiring 24x7 SOC), while smaller regional brokers may fall under Mid-size or Self-Certification RE tiers with proportionate requirements.
Stock exchanges (NSE/BSE), depositories (NSDL/CDSL), and clearing corporations face the highest-tier CSCRF obligations, including 24x7 SOC, advanced persistent threat (APT) monitoring, red teaming, and the most stringent data localization requirements.
Asset Management Companies, mutual fund houses, and KYC Registration Agencies (KRAs) are covered by SEBI CSCRF with annual audit obligations, IS Policy requirements, VAPT by CERT-In empanelled firms, and 2-hour incident reporting mandates.
A structured six-phase process from entity tier classification through to ongoing annual audit submission and incident reporting readiness.
Determine your CSCRF entity tier and gap-assess current controls against the applicable requirement set, producing a prioritised remediation roadmap ahead of your audit deadline.
Develop board-approved IS Policy, Incident Response Plan, Business Continuity Plan, and Cyber Crisis Management Plan per CSCRF tier-specific requirements.
Deploy or source 24x7 SOC capability (own SOC or M-SOC), implement security controls, access management, encryption, and network security aligned to your entity tier.
Execute annual VAPT by CERT-In empanelled auditors and prepare evidence packages for the annual cyber audit by an empanelled auditor and its submission to SEBI.
Implement 2-hour SEBI incident notification procedures, CERT-In reporting workflows, and India data localization controls for all market and client data.
Quarterly compliance reviews, annual audit submissions, regulatory update tracking, incident response drills, and continuous monitoring to sustain CSCRF compliance year-round.