SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) — a practitioner reference

ControlForge free guide · 2026-05-23 · Reflects SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 (20 Aug 2024) with amendments through August 2025 and the AI advisory of May 2026


Quick reference

  • Applies to: all entities regulated by the Securities and Exchange Board of India (SEBI) — Market Infrastructure Institutions, stock exchanges, depositories, clearing corporations, stock brokers and depository participants, mutual funds and AMCs, portfolio managers, merchant bankers, alternative investment funds, KYC Registration Agencies, QRTAs (Qualified Registrars to an Issue and Share Transfer Agents), investment advisers, research analysts.
  • Mandatory or voluntary: mandatory for SEBI-regulated entities (REs) under the categorisation thresholds. Non-compliance attracts SEBI enforcement under the SEBI Act, 1992 and SCRA, 1956.
  • Year published: master circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024, replacing the earlier Broad Guidelines on Cyber Security and Cyber Resilience (2015/2018). Amendments dated 30 April 2025 (clarifications) and 28 August 2025 (technical clarifications). AI advisory dated 5 May 2026.
  • Compliance deadlines: 1 January 2025 for entities previously covered under sectoral cyber guidelines; 1 April 2025 for entities to whom CSCRF applies for the first time; extended to 31 August 2025 for certain RE categories following industry representation.
  • Issuing body: Securities and Exchange Board of India (SEBI), reviewed by SEBI's High Powered Steering Committee on Cyber Security (HPSC-CS).
  • Penalties: SEBI's enforcement toolkit under Section 11B of the SEBI Act includes monetary penalties (up to ₹25 crore or three times the amount of unfair gain), suspension/cancellation of registration, prohibitions on accessing the securities market, and directions to take corrective action.
  • ControlForge density: 69 controls curated; 46 cross-framework clusters reference SEBI CSCRF — third-highest density in the KB and the highest among Indian frameworks.

What it is

SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) is the consolidated cybersecurity regulation for Indian capital markets. It replaces a patchwork of sectoral cyber circulars issued since 2015 with a structured, 205-page master document organised into four Parts: objectives and standards, mandatory guidelines, structured formats for compliance, and annexures.

CSCRF is built on a 5-tier architecture that classifies regulated entities by size, criticality, and complexity:

  • Market Infrastructure Institutions (MIIs) — stock exchanges (BSE, NSE), depositories (NSDL, CDSL), clearing corporations.
  • Qualified Regulated Entities (Qualified REs) — large stock brokers, large depository participants, mutual fund AMCs above defined thresholds, large portfolio managers, large QRTAs.
  • Mid-size REs — medium-tier entities by AUM, client base, or transaction volume.
  • Small REs — smaller entities below mid-size thresholds.
  • Self-Certification REs — the smallest entities with proportionate obligations.

The tier determines control-set depth, audit frequency, and reporting requirements. MIIs carry the heaviest obligations; Self-Certification REs operate under a proportionate-by-design regime focused on baseline hygiene and annual self-attestation.

CSCRF distinguishes cybersecurity (governance and operational controls) from cyber resilience (the ability to anticipate, withstand, contain, recover, and evolve from cyber incidents). The resilience objective shapes several distinctive requirements: regular cyber-rehearsal/tabletop exercises, recovery testing against destructive-attack scenarios, integration with the Market-SOC ecosystem operated by stock exchanges.

The framework introduces the Cyber Capability Index (CCI) — a benchmark used to assess and monitor cybersecurity maturity across MIIs and Qualified REs. The CCI methodology is detailed in Annexure 1 of the master circular.


Structure at a glance

The master circular is organised as:

  • Part I — Objectives and Standards. Framework objectives, cyber-resilience goals (anticipate / withstand / contain / recover / evolve), 23 cyber-resilience standards organised around the NIST CSF functions (Identify, Protect, Detect, Respond, Recover) with SEBI-specific governance overlays.
  • Part II — Guidelines. Detailed mandatory and recommended controls per tier. Covers identity and access, vulnerability management, network controls, application security, cryptography, BCM/DR, third-party risk, incident management, and customer-facing controls.
  • Part III — Structured Formats for Compliance. Mandatory reporting templates: cyber audit report format, VAPT report format, cyber incident reporting format, CCI scoring template, third-party risk assessment template.
  • Part IV — Annexures and References. CCI methodology, glossary, references to NIST/ISO standards, cross-mapping to earlier sectoral circulars.

Cyber-resilience standards (23 in total) are organised under the NIST CSF function structure — a deliberate choice signalling SEBI's intent to align Indian capital-markets cyber regulation with the global structural reference. Selected standards: cyber risk governance, asset management, supply-chain risk, identity governance, vulnerability management, monitoring, threat intelligence integration, incident response, cyber-rehearsal, recovery testing, cyber insurance considerations, board reporting.

The August 2025 technical clarifications added two important constructs:

  • Principle of Exclusivity and Equivalence — for entities regulated by multiple bodies (e.g. an NBFC-cum-stock-broker regulated by both RBI and SEBI), defined rules for which framework's controls apply where, and when one framework's compliance is recognised as equivalent for the other's purposes.
  • ISO 27001 equivalence — recognised for specific CSCRF control sets, reducing duplication for already-certified entities.

The May 2026 AI advisory added obligations for REs using AI in customer-facing decision-making, fraud detection, or trading: model governance documentation, bias and accuracy testing, human-oversight requirements, and incident reporting for AI-related cyber events.


Who must comply

CSCRF applies to all SEBI-regulated entities. Tier assignment determines obligation depth:

  • MIIs — full CSCRF compliance including CCI quarterly reporting, comprehensive cyber audit (Cat-1 CERT-In empanelled firm), 24×7 SOC, board-level Cyber Security Committee, dedicated CISO, cyber insurance, full BCM/DR testing.
  • Qualified REs — substantially full compliance with quarterly CCI reporting, semi-annual cyber audit, SOC (in-house or Market-SOC), board-reported cyber posture, cyber insurance where applicable.
  • Mid-size REs — proportionate compliance with annual cyber audit, defined SOC arrangement, regular VAPT, board IT committee oversight.
  • Small REs — baseline mandatory controls with simplified audit format and Market-SOC integration option.
  • Self-Certification REs — baseline hygiene controls with annual self-certification submitted to SEBI.

Tier thresholds for specific RE categories (Portfolio Managers, Merchant Bankers, AIFs) were revised by the August 2025 technical clarifications. Entity classification is the foundational compliance step — incorrect classification leads to either under-compliance (regulatory exposure) or over-compliance (cost without proportionate benefit).

The Principle of Exclusivity and Equivalence introduced in August 2025 governs how multi-regulator entities navigate the overlap. For an NBFC-cum-stock-broker, RBI's IT Governance Master Directions (April 2024) cover the NBFC activities; SEBI's CSCRF covers the broker activities; specific recognised equivalences reduce duplication where the controls are materially identical.


Core obligations / control families

The CSCRF control set is extensive. Major obligation areas:

Cyber security governance. Board-level Cyber Security Committee for MIIs and Qualified REs; CISO appointment with defined seniority and independence; Cyber Security Policy approved by board with annual review; CCMP (Cyber Crisis Management Plan) integrated with BCP; quarterly CCI reporting for MIIs and Qualified REs. Maps into ControlForge clusters cl-policy, cl-roles-responsibilities, cl-cyber-maturity-scoring, and cl-board-reporting.

Identity and access management. Centralised IAM; MFA mandatory for administrative access, remote access, and high-value customer transactions; PAM for privileged users with session recording; quarterly access reviews; risk-based authentication for customer-facing applications; segregation of duties enforced via IAM. Maps into cl-access-rights, cl-multi-factor-authentication, cl-authentication, and cl-pci-mfa-expansion.

Vulnerability management and VAPT. Annual VAPT by CERT-In empanelled firms for all internet-facing applications and critical internal systems; quarterly vulnerability scans; SLA-based remediation (typically 30 days critical, 90 days high, 180 days medium); re-test evidence required; manual penetration testing (not just automated scans). Maps into cl-vapt-cycle, cl-vuln-identification, and cl-devsecops-maturity.

Network controls. Network segmentation between corporate, trading, settlement, and customer-facing zones; perimeter and internal firewalls; IDS/IPS; DDoS protection for internet-facing applications; secure remote access with MFA; documented network architecture refreshed on material change. Maps into cl-network-protection and cl-zero-trust-architecture.

Application security. Secure SDLC with SAST/DAST integrated into CI/CD; threat modelling for customer-facing applications; pre-release security testing; API security (auth, authz, rate limiting, input validation); secure coding standards. Maps into cl-secure-development, cl-api-security-comprehensive, and cl-devsecops-maturity.

Cryptographic controls. Approved algorithms only; TLS 1.2 minimum (1.3 preferred); SSL versions disabled; encryption at rest for customer and critical data; HSM for high-value keys; key management procedures; application-layer encryption for sensitive fields. Maps into cl-cryptography and cl-quantum-safe-crypto.

SOC and monitoring. 24×7 SOC for MIIs; SOC arrangements (in-house, MSSP, or Market-SOC) for Qualified and Mid-size REs; SIEM coverage for trading, settlement, customer-facing, and critical infrastructure systems; log retention minimum 12 months active; SOC effectiveness metrics tracked and reviewed; integration with threat-intelligence feeds. Maps into cl-logging, cl-monitoring-activities, cl-soar-incident-automation, and cl-threat-intel-platform.

Incident response. Documented incident response procedure tested annually; CCMP integrated with BCP; coordination with SEBI, CERT-In (6-hour reporting), RBI (where applicable for multi-regulator entities); forensic capability in-house or via retainer; structured cyber incident reporting in the SEBI prescribed format. Maps into cl-incident-response-execution, cl-ir-plan-prep, cl-ir-reporting, cl-incident-reporting-external, and cl-crisis-comms.

BCM, DR, and cyber resilience. Annual DR testing for critical systems including full failover; cyber-specific recovery scenarios (ransomware, destructive attack, supply-chain compromise); 3-2-1 backup minimum with immutable/air-gapped backups; periodic backup restoration testing; cyber rehearsal exercises; defined RTO/RPO per critical system. Maps into cl-backup, cl-bcp-ict-readiness, cl-cyber-rehearsal, and cl-cyber-resilience-metrics.

Third-party / vendor risk management. Risk-based vendor classification (critical / non-critical); pre-engagement due diligence; contractual coverage including right to audit, breach notification flowback, exit assistance, sub-contractor approval; ongoing oversight including annual review of critical vendors; cloud assurance combining provider SOC 2 + RE-specific configuration review; vendor incident integration into RE's CCMP. Maps into cl-supplier-policy, cl-cloud-shared-responsibility, and cl-supply-chain-risk.

Customer-facing controls. Risk-based authentication for high-value transactions; device binding for mobile trading; transaction OTP; cooling-off periods for high-risk beneficiary changes; anomaly detection on customer transactions; customer awareness programmes covering phishing, OTP fraud, social engineering. Maps into cl-customer-security and cl-fraud-detection.

The customer-facing dimension is one of the differentiators of CSCRF compared to ISO 27001 or NIST CSF — both of which are control-set frameworks without explicit customer-protection obligations. SEBI's framing emphasises that capital-markets cybersecurity has a direct retail-investor protection angle: a compromised trading account is a direct customer harm. The customer-facing controls are tested against the RE's customer-facing channels (web, mobile, IVR, branch terminal) and against the operational evidence of anomaly detection effectiveness (true-positive rates on flagged transactions, false-positive impact on customer experience).

Cyber audit. Mandatory annual cyber audit for Qualified REs and MIIs (semi-annual or quarterly for some MIIs); audit conducted by CERT-In empanelled Cat-1 firm for MIIs and Qualified REs; structured audit report in the SEBI prescribed format; audit report submitted to SEBI within defined timelines; remediation tracking required. The August 2025 clarifications directed REs to follow CERT-In Cyber Security Audit Policy Guidelines. Maps into cl-mandatory-audit.

Cyber insurance. Mandated for MIIs and recommended for Qualified REs; coverage scope, sub-limits, and insurer selection criteria defined in Part II of the master circular.

AI advisory (May 2026). REs using AI in customer-facing decisions, trading, or fraud detection must document model governance, perform bias and accuracy testing, ensure human oversight, and report AI-related cyber incidents through the existing channels with AI-specific incident classification.


How auditors test it

CSCRF audits are performed by CERT-In empanelled firms — Cat-1 empanelled for MIIs and Qualified REs; broader empanelment categories acceptable for smaller tiers. The audit produces a report in the SEBI prescribed format submitted to SEBI within the timelines specified by the master circular.

Audit scope by tier:

  • MIIs: comprehensive audit covering all 23 cyber-resilience standards, control implementation, CCI scoring validation, BCM/DR testing evidence, third-party risk programme, customer-facing controls, audit logs and SOC coverage, application security including manual penetration testing, cryptographic controls.
  • Qualified REs: largely the same scope as MIIs with proportionate sampling depth; CCI reporting validation; semi-annual or annual frequency.
  • Mid-size REs: focused audit on mandatory control set with reduced sampling depth; annual frequency.
  • Small REs: simplified audit format aligned with proportionate control obligations.
  • Self-Certification REs: self-attestation submitted annually with declarations on the prescribed controls.

Evidence patterns during fieldwork:

  • Documentation review: Cyber Security Policy and version history; CCMP and last test report; BCP/DR plans and test reports; VAPT and pen-test reports with manual-testing evidence; CIMS/SEBI incident submission history; vendor risk register; cloud configuration review reports.
  • Control testing: IAM walkthroughs; PAM session recording samples; vulnerability remediation SLA evidence; change-management sampling; backup restoration test logs.
  • Inspector intensification themes (consistent across 2025–26 audits): cloud-provider self-attestation vs RE-specific cloud configuration review; manual VAPT depth vs scan-only output; CIMS/SEBI submission timeliness; vendor risk depth on critical suppliers (core trading platform, settlement systems, KYC, AML vendors).

The Cyber Capability Index (CCI) scoring methodology in Annexure 1 of the master circular guides MIIs and Qualified REs through quarterly self-scoring across multiple dimensions. CCI scores feed into SEBI's supervisory dashboard and inform inspection prioritisation.

Market-SOC integration. SEBI's framework anticipated that not every RE — particularly smaller stock brokers and depository participants — has the scale to operate a dedicated 24×7 SOC. Major stock exchanges (BSE and NSE) operate Market-SOCs that provide SOC services to smaller REs as an alternative to in-house or third-party MSSP arrangements. The August 2025 technical clarifications addressed Market-SOC onboarding logistics, integration standards, and the operational division between Market-SOC and the RE's internal incident response. For Small and Mid-size REs, Market-SOC integration is now a common path; the audit checks Market-SOC onboarding completeness and the RE-side runbook for receiving and actioning Market-SOC alerts.


How it relates to other frameworks

CSCRF deliberately uses NIST CSF as the structural reference and recognises ISO 27001 equivalences for specific control sets. Its cross-framework position:

  • NIST CSF 2.0 — structural reference. The 23 CSCRF cyber-resilience standards are organised under CSF's function structure. ControlForge bridges them through cl-policy, cl-asset-inventory, cl-risk-assessment, cl-monitoring-activities, and cl-incident-response-execution.
  • ISO/IEC 27001:2022 — recognised equivalences for specific CSCRF control sets per August 2025 technical clarifications. ISO 27001 certification reduces audit duplication for already-certified REs.
  • CERT-In Directions (Section 70B) — operationally parallel. The 6-hour CERT-In reporting requirement applies to SEBI REs in addition to CSCRF's SEBI-specific incident reporting; both must be filed for in-scope incidents.
  • RBI ITGRCA (April 2024) — for multi-regulator entities (NBFC-cum-stock-broker), the Principle of Exclusivity and Equivalence governs which framework's controls apply where.
  • DPDPA 2023 + Rules 2025 — privacy overlay from May 2027. SEBI REs processing customer personal data are Data Fiduciaries under DPDPA; the breach notification regimes (CERT-In 6h, SEBI's own, DPBI 72h detailed) all run in parallel for incidents involving personal data.
  • IRDAI Information and Cyber Security Guidelines 2026 — concept-equivalent for insurance sector; differs in scope and tier structure.
  • PCI DSS v4.0.1 — for SEBI REs handling payment card data (e.g. brokers offering card-funded trading accounts); layered on top of CSCRF.

Most cross-framework density in ControlForge sits in cl-policy, cl-vapt-cycle, cl-mandatory-audit, cl-bcp-ict-readiness, and cl-incident-reporting-external, where SEBI CSCRF, RBI ITGRCA, NIST CSF, and ISO 27001 substantially overlap. The 46 SEBI CSCRF clusters in ControlForge make it one of the most cross-walked frameworks for organisations operating across Indian financial-services regulators.


Common pitfalls

Five recurring failure patterns from 2025–26 cyber audit engagements:

  1. Tier misclassification. REs misjudge their tier — particularly mid-size REs that should be classified as Qualified following AUM/client-base growth, or Self-Certification REs that should have moved to Small. Misclassification leads to either under-compliance (regulatory exposure) or over-compliance (audit cost without commensurate benefit). The August 2025 clarifications revised thresholds for Portfolio Managers and Merchant Bankers, triggering many reclassifications. Fix: annual tier review tied to financial-year reporting; clear documentation of classification rationale.

  2. Cloud assurance gap. Cloud-provider SOC 2 Type 2 accepted in lieu of RE-specific cloud configuration review. Auditors specifically test whether the RE has reviewed its own cloud tenant configuration (IAM policies, network rules, encryption configuration, logging coverage) — not just relied on the provider's attestation. Fix: documented cloud configuration review by the RE's own security function, annually for production environments and after material change.

  3. VAPT depth. Findings show "VAPT performed" but evidence is automated scan output. SEBI auditors specifically ask for manual penetration testing evidence — business logic flaws, authentication/authorisation issues that automated scanners miss. The CERT-In Cyber Security Audit Policy Guidelines referenced in August 2025 raised the bar further. Fix: VAPT engagement scoped explicitly to include manual testing with structured methodology; re-test evidence for remediated findings.

  4. Incident reporting submission discipline. Late or missing submissions across the CIMS (CERT-In 6-hour), SEBI prescribed format, and (for multi-regulator entities) RBI CIMS. The 6-hour clock starts from internal awareness, not external disclosure. Fix: pre-staged incident classification and submission templates per regulator; tested escalation procedure in tabletop exercises.

  5. Cyber audit findings remediation drift. Findings from one cyber audit cycle recur in the next; SLA-based remediation timelines missed without root-cause analysis; same gap reopened year-over-year. SEBI's enforcement scrutiny increases with recurrence patterns. Fix: integrated findings register tied to internal audit, monthly CISO review of remediation SLA adherence, root-cause analysis on every overdue finding.
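As an added example (not from this guide, SEBI or ControlForge), a small Python findings register that applies the remediation SLAs quoted in the VAPT section above (30/90/180 days) and produces what pitfall 5's fix calls for from a monthly CISO review: overdue findings, overdue findings with no root-cause analysis recorded, and titles recurring across audit cycles. The sample findings, the cycle labels and the 365-day SLA for low severity are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation SLAs in days by severity, as the guide states them
# ("typically 30 days critical, 90 days high, 180 days medium").
# The 365-day value for "low" is an assumption, not from the circular.
SLA_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    severity: str
    audit_cycle: str              # constructed labels such as "FY2024-25"
    raised_on: date
    closed_on: Optional[date] = None   # None means still open
    rca_recorded: bool = False         # root-cause analysis documented?


def sla_deadline(f: Finding) -> date:
    """Date by which the finding must be closed under the SLA table."""
    return f.raised_on + timedelta(days=SLA_DAYS[f.severity.lower()])


def is_overdue(f: Finding, as_of: date) -> bool:
    """Overdue if closed after its deadline, or still open past it as of the review date."""
    end = f.closed_on if f.closed_on is not None else as_of
    return end > sla_deadline(f)


def recurring_titles(findings: List[Finding]) -> List[str]:
    """Titles that appear in more than one audit cycle (year-over-year recurrence)."""
    cycles: Dict[str, set] = {}
    for f in findings:
        cycles.setdefault(f.title.strip().lower(), set()).add(f.audit_cycle)
    return sorted(t for t, c in cycles.items() if len(c) > 1)


def review(findings: List[Finding], as_of: date) -> Dict[str, List[str]]:
    """Monthly review output: SLA adherence plus recurrence, keyed for a dashboard."""
    overdue = [f for f in findings if is_overdue(f, as_of)]
    return {
        "overdue": sorted(f.finding_id for f in overdue),
        "overdue_without_rca": sorted(f.finding_id for f in overdue if not f.rca_recorded),
        "recurring": recurring_titles(findings),
    }


# Constructed sample register: two audit cycles, one title that recurs.
SAMPLE_FINDINGS = [
    Finding("F-01", "Outdated TLS configuration on client portal", "critical",
            "FY2025-26", date(2025, 1, 10), closed_on=date(2025, 2, 5)),
    Finding("F-02", "Missing MFA on remote admin access", "high",
            "FY2025-26", date(2025, 1, 15), closed_on=date(2025, 5, 20), rca_recorded=True),
    Finding("F-03", "Backup restoration test not evidenced", "medium",
            "FY2025-26", date(2025, 3, 1)),
    Finding("F-04", "Default credentials on SOC dashboard", "critical",
            "FY2024-25", date(2024, 9, 1), closed_on=date(2024, 9, 20)),
    Finding("F-05", "Default credentials on SOC dashboard", "critical",
            "FY2025-26", date(2025, 9, 1)),
]


def sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed register as of 1 November 2025."""
    return review(SAMPLE_FINDINGS, date(2025, 11, 1))


if __name__ == "__main__":
    for key, ids in sample_review().items():
        print(f"{key}: {ids}")
```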

Two further patterns worth flagging:

  1. CCI scoring inflation. Quarterly CCI scores submitted at high levels without supporting evidence. SEBI's CCI validation during cyber audit reconciles claimed scores against operational evidence. Fix: CCI scoring tied to documented evidence per dimension; conservative scoring with clear justification.

  2. AI advisory not yet operationalised. The May 2026 AI advisory is recent and many REs have not yet integrated AI governance into their CSCRF programme. Where AI is used in customer-facing decisions, fraud detection, or trading, the advisory's documentation, testing, oversight, and incident-reporting requirements apply now. Fix: AI inventory across the RE; AI-specific governance overlay; integration of AI cyber incidents into the existing reporting flow.


When to use this framework

CSCRF is the right anchor when:

  • You are a SEBI-regulated entity — there is no optionality at the framework level. Tier classification is the only practical degree of freedom.
  • You operate across Indian financial-services regulators — CSCRF, RBI ITGRCA, and IRDAI 2026 cover overlapping ground; the Principle of Exclusivity and Equivalence (August 2025) is the navigational construct.
  • You are an ISO 27001 certified entity expanding into SEBI-regulated activities — the August 2025 equivalences reduce duplication.
  • You are evaluating CERT-In empanelled cyber audit firms — Cat-1 empanelment is the minimum for MIIs and Qualified REs.

CSCRF does not apply to non-SEBI-regulated entities. For such entities, the structurally similar frameworks are RBI ITGRCA (for banks/NBFCs) and IRDAI 2026 (for insurers).


Further reading

  • SEBI Master Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 (20 Aug 2024) — https://www.sebi.gov.in/
  • SEBI Technical Clarifications dated 28 August 2025 — SEBI website
  • SEBI AI Advisory dated 5 May 2026 — SEBI website
  • CERT-In Empanelment of Information Security Auditors — https://www.cert-in.org.in/
  • CERT-In Cyber Security Audit Policy Guidelines — https://www.cert-in.org.in/
  • NIST CSF 2.0 (referenced structurally) — https://www.nist.gov/cyberframework
  • RBI Master Directions on IT Governance (April 2024) — https://www.rbi.org.in/
  • ControlForge cl-policy, cl-mandatory-audit, cl-vapt-cycle, cl-bcp-ict-readiness, cl-cyber-maturity-scoring — cross-framework synthesis for SEBI CSCRF + RBI + NIST + ISO 27001 controls.

This guide is a practitioner reference, not legal advice. It reflects the SEBI Master Circular dated 20 August 2024, technical clarifications through 28 August 2025, the AI advisory of 5 May 2026, and publicly available SEBI guidance as of 23 May 2026. Compliance teams should validate against current SEBI circulars and counsel review.