SEBI Cybersecurity and Cyber Resilience Framework: A Compliance Guide

Understanding SEBI’s Cybersecurity Framework: What Compliance Leaders Need to Know

The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF), introduced in August 2024, represents one of the most comprehensive regulatory mandates for India’s capital markets ecosystem. For compliance officers at brokerages, asset management companies, depositories, and clearing corporations, SEBI cybersecurity framework compliance is no longer a future consideration. It is an immediate operational requirement with hard deadlines and specific evidence expectations.

This guide breaks down what the framework actually requires, who falls under its scope, the timelines you need to track, and how to build a compliance program that satisfies both the letter and spirit of the regulation.

What the SEBI CSCRF Actually Covers

The CSCRF is not simply another cybersecurity guideline. It establishes a mandatory baseline for cyber governance, risk management, security operations, and incident response across all SEBI-regulated entities. The framework draws from global standards like ISO 27001, NIST, and COBIT while incorporating India-specific requirements around data localization, CERT-In reporting, and board-level accountability.

At its core, the framework operates on five pillars: Governance, Identify, Protect, Detect, and Respond and Recover. Each pillar contains specific controls, documentation requirements, and audit evidence expectations. Unlike previous SEBI circulars that offered broad guidance, the CSCRF specifies exact timelines, reporting formats, and compliance thresholds.

The Governance Structure Requirement

SEBI mandates a formal cyber governance structure with clearly defined roles. This includes a designated Chief Information Security Officer (CISO) or equivalent, a Cyber Security Committee at the board level, and documented escalation procedures. For smaller entities, the framework allows some flexibility in how these roles are structured, but the accountability requirements remain non-negotiable.

The framework also requires entities to maintain a comprehensive cybersecurity policy that addresses asset classification, access controls, vendor risk, incident response, and business continuity. This policy must be reviewed annually at minimum and updated whenever material changes occur in the threat landscape or business operations.

Who Falls Under the CSCRF’s Scope

The CSCRF applies to all SEBI-regulated entities, but it introduces a tiered classification system that determines the depth and rigor of compliance requirements. Understanding which category your organization falls into is essential for resource planning and timeline management.

Entity Classification Under CSCRF

Category | Entity Types | Compliance Threshold
Market Infrastructure Institutions (MIIs) | Stock exchanges, depositories, clearing corporations | Highest: full control implementation, 24×7 SOC, annual VAPT
Qualified Regulated Entities | Large brokers, AMCs with significant AUM, KRAs, RTAs | High: comprehensive controls, dedicated security team, quarterly reviews
Mid-size Regulated Entities | Medium brokers, merchant bankers, portfolio managers | Moderate: core controls, periodic assessments, annual audits
Small Regulated Entities | Small brokers, investment advisors, research analysts | Baseline: essential controls, basic documentation, compliance declaration

The classification criteria include factors like trading volume, client base size, assets under management, and systemic importance. Entities should self-assess their classification and seek clarification from SEBI if there is ambiguity. Getting the classification wrong can result in either over-investment in controls or, more problematically, under-compliance that triggers regulatory action.

Core Requirements: Breaking Down the Five Pillars

Governance Requirements

The governance pillar establishes accountability structures that extend from the board level to operational teams. SEBI expects documented evidence of board oversight, including meeting minutes that demonstrate cybersecurity discussions, risk appetite statements approved at the highest level, and clear lines of responsibility for cyber incidents.

Consider a mid-sized brokerage with operations across 15 branches and 200 employees. Under the CSCRF, this entity needs to demonstrate that its board receives quarterly cybersecurity updates, that there is a named individual responsible for cyber risk (even if not a full-time CISO), and that policies exist for all major security domains. The documentation burden alone requires a structured approach to policy management and evidence collection.

Identify: Asset and Risk Management

The Identify pillar requires entities to maintain comprehensive inventories of hardware, software, data assets, and third-party connections. Beyond simple asset lists, SEBI expects risk assessments that map threats to specific assets and quantify potential impacts. This risk assessment must feed into treatment plans with documented remediation timelines.

For regulated entities managing multiple trading platforms, client databases, and vendor integrations, maintaining accurate asset inventories is operationally challenging. The CSCRF requires these inventories to be updated within 24 hours of any material change, which necessitates either significant manual effort or automated asset discovery mechanisms.

Protect: Security Controls Implementation

The Protect pillar covers the technical and administrative controls that prevent cyber incidents. This includes access management (principle of least privilege, multi-factor authentication for privileged access), network security (segmentation, firewalls, intrusion prevention), data protection (encryption at rest and in transit), and endpoint security.

SEBI has specified minimum standards for several control areas. For instance, MIIs must implement network segmentation that isolates critical trading systems from corporate networks. All entities must enforce password policies that meet complexity requirements and mandate regular rotation. Data classification schemes must distinguish between public, internal, confidential, and restricted data, with corresponding protection measures for each level.

Detect: Security Operations and Monitoring

Detection requirements scale with entity classification. MIIs must operate or contract with a 24×7 Security Operations Center (SOC) capable of real-time monitoring and threat detection. Qualified Regulated Entities need SOC capabilities that may be partially outsourced but must maintain in-house expertise for incident triage. Smaller entities can rely on managed security services but must still demonstrate active monitoring.

The framework mandates specific log retention periods (minimum 2 years for critical systems), correlation capabilities that can identify attack patterns across multiple data sources, and regular reviews of detection rule effectiveness. Auditors will look for evidence that detection capabilities are not merely deployed but actively maintained and tested.
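To make the cross-source correlation requirement concrete, here is an added example (my own illustration, not code from the CSCRF, from SEBI, or from this guide's author). It merges constructed VPN-gateway and trading-web authentication log lines into one time-ordered stream and fires only when the failures for a (user, source IP) pair, counted across both sources, cross a threshold before a successful login. The log formats, the field names, the 10-minute window and the threshold of four failures are all assumptions.

```python
"""Cross-source correlation: failed logins for one (user, source IP) pair
accumulated across VPN and web-application logs, followed by a success.
Added example for this guide; the log formats, field names, window and
threshold are assumptions, not text from the SEBI CSCRF."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed formats, not from a real gateway or app).
VPN_LOG = """\
2025-03-03T09:00:01Z vpn-gw1 auth user=rkapoor src=203.0.113.7 result=FAIL
2025-03-03T09:00:04Z vpn-gw1 auth user=rkapoor src=203.0.113.7 result=FAIL
2025-03-03T09:00:08Z vpn-gw1 auth user=rkapoor src=203.0.113.7 result=FAIL
2025-03-03T09:30:00Z vpn-gw1 auth user=asharma src=198.51.100.22 result=OK
"""
WEB_LOG = """\
2025-03-03T09:00:12Z trading-web login user=rkapoor src=203.0.113.7 status=401
2025-03-03T09:00:15Z trading-web login user=rkapoor src=203.0.113.7 status=401
2025-03-03T09:00:40Z trading-web login user=rkapoor src=203.0.113.7 status=200
2025-03-03T09:31:00Z trading-web login user=asharma src=198.51.100.22 status=200
"""

VPN_RE = re.compile(r"^(\S+) \S+ auth user=(\S+) src=(\S+) result=(\S+)$")
WEB_RE = re.compile(r"^(\S+) \S+ login user=(\S+) src=(\S+) status=(\d+)$")


def _ts(raw: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def parse_events(vpn_text: str, web_text: str) -> list[tuple]:
    """Normalise both sources into (time, user, src_ip, success, source) tuples
    and sort by time so the correlator sees a single merged stream."""
    events = []
    for line in vpn_text.splitlines():
        if m := VPN_RE.match(line):
            ts, user, src, result = m.groups()
            events.append((_ts(ts), user, src, result == "OK", "vpn"))
    for line in web_text.splitlines():
        if m := WEB_RE.match(line):
            ts, user, src, status = m.groups()
            events.append((_ts(ts), user, src, status == "200", "web"))
    events.sort(key=lambda e: e[0])
    return events


def correlate(events, window=timedelta(minutes=10), min_failures=4) -> list[dict]:
    """Alert when a (user, src) pair has at least min_failures failed attempts
    from any source inside `window` and the next attempt succeeds."""
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    alerts = []
    for ts, user, src, ok, source in events:
        key = (user, src)
        # Keep only the failures that are still inside the sliding window.
        recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
        if not ok:
            recent_failures[key].append(ts)
            continue
        if len(recent_failures[key]) >= min_failures:
            alerts.append({
                "user": user,
                "src": src,
                "failures": len(recent_failures[key]),
                "success_at": ts.isoformat(),
                "success_source": source,
            })
        recent_failures[key] = []  # a success resets the count for that pair
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(VPN_LOG, WEB_LOG)):
        print(alert)
```

Run against the VPN log alone, the rule stays silent (three failures, no success); run against the web log alone it also stays silent (two failures). Only the merged stream crosses the threshold, which is exactly the property an auditor reviewing detection coverage will ask you to demonstrate, alongside evidence that the window and threshold were tuned and re-tested rather than left at defaults.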

Respond and Recover: Incident Management

SEBI’s incident response requirements integrate with CERT-In’s mandatory reporting timelines while adding sector-specific obligations. Cyber incidents affecting trading systems, client data, or market integrity must be reported to SEBI within 6 hours of detection, with detailed root cause analysis following within specified windows.

The framework requires documented incident response plans that have been tested through tabletop exercises or simulations at least annually. Recovery capabilities must demonstrate the ability to restore critical systems within defined Recovery Time Objectives (RTOs), typically 4 hours for trading systems at MIIs and 24 hours for less critical functions at smaller entities.

Compliance Timelines: What’s Due When

The CSCRF introduced a phased implementation schedule that varies by entity classification. Understanding these timelines is critical for resource allocation and audit preparation.

Requirement | MIIs | Qualified REs | Mid-size REs | Small REs
Governance Structure | January 2025 | April 2025 | April 2025 | June 2025
Core Technical Controls | January 2025 | April 2025 | June 2025 | June 2025
SOC Implementation | January 2025 | April 2025 | N/A (monitoring required) | N/A (monitoring required)
First VAPT Completion | January 2025 | April 2025 | June 2025 | Annual declaration
Annual Audit Submission | March 2025 | June 2025 | September 2025 | September 2025

Note that these timelines represent the first compliance cycle. Ongoing requirements include quarterly reviews for higher-tier entities, annual policy reviews for all entities, and continuous monitoring of control effectiveness. Missing initial deadlines triggers SEBI’s enforcement process, which can include warnings, penalties, and in severe cases, restrictions on business activities.

Evidence and Audit Expectations

SEBI-empaneled auditors conducting CSCRF assessments expect more than policy documents. They look for evidence that controls are implemented, operating effectively, and producing measurable outcomes. Understanding what constitutes acceptable evidence can mean the difference between a clean audit and extended remediation cycles.

Documentation That Auditors Expect

Policy documents must be version-controlled with clear approval trails. Auditors will verify that policies have been formally approved by appropriate authorities (board for overarching policies, CISO for operational procedures), that review dates are current, and that employees have attested to reading and understanding relevant policies.

For technical controls, auditors expect configuration evidence, not just statements that controls exist. This includes firewall rule exports, access control lists from critical systems, encryption configuration screenshots, and vulnerability scan reports. The evidence must be dated and attributable, showing when controls were implemented and who verified them.

Incident response evidence includes logs from past incidents (even minor ones), post-incident review documentation, and records of tabletop exercises. Auditors assess whether the organization learns from incidents and whether improvements are tracked to completion.

Common Audit Findings to Avoid

Several findings recur across CSCRF audits. Incomplete asset inventories rank high, particularly for cloud assets and third-party integrations that fall outside traditional IT management. Stale access rights, where former employees or role changes haven’t been reflected in system access, appear frequently. Lack of evidence for periodic reviews, even when reviews occur informally, creates compliance gaps that are easily avoided with proper documentation practices.

The gap between having controls and proving controls often catches organizations off guard. A brokerage might have robust network segmentation, but without documented network diagrams, firewall rule reviews, and penetration test results validating the segmentation, auditors cannot credit the control as compliant.

Operationalizing SEBI Cybersecurity Framework Compliance

Moving from understanding requirements to implementing a sustainable compliance program requires systematic approaches to policy management, evidence collection, and ongoing monitoring.

Building the Policy Foundation

Start by mapping existing policies against CSCRF requirements. Many organizations have cybersecurity policies developed for other purposes (ISO certification, internal governance, client requirements) that partially address CSCRF mandates. A gap analysis identifies what exists, what needs updating, and what requires new policy development.

Policies should be structured for both compliance and operational utility. Overarching policies approved at the board level establish principles and accountability. Underlying standards specify technical requirements (encryption algorithms, password complexity, access review frequency). Procedures document operational steps that implement the standards. This hierarchy allows updates at appropriate levels without requiring board approval for every technical change.

Establishing Evidence Collection Workflows

Manual evidence collection at audit time creates stress, gaps, and quality issues. Organizations that maintain compliance year-round rather than scrambling before audits achieve better outcomes with lower effort. This requires establishing regular evidence collection as part of operational workflows.

Consider a depository participant subject to quarterly CSCRF reviews. Rather than gathering access review evidence every quarter, the organization can implement monthly access certification cycles that automatically generate compliant evidence. When quarterly reviews arrive, evidence already exists in standardized format. This approach distributes effort, improves quality, and reduces audit preparation burden.
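The stale-access finding described under "Common Audit Findings to Avoid" and the monthly access certification cycle above come together in the following added example. It is my own illustration, not code from eQomply, SEBI or this guide's author: it reconciles a constructed HR roster against a constructed account export, flags leavers, orphaned accounts, excess entitlements and dormant accounts, and wraps the result in a dated, attributable evidence record whose inputs and output are hashed so an auditor can verify that what was reviewed is what was exported. The CSV layouts, the role-to-entitlement mapping, the 90-day dormancy threshold and the reviewer identity are assumptions.

```python
"""Periodic access certification: reconcile an HR roster against a system's
account export, flag stale or excessive access, and emit a dated, attributable
evidence record. Added example; the CSV layouts, entitlement map, dormancy
threshold and reviewer are assumptions, not CSCRF text."""
from __future__ import annotations

import csv
import hashlib
import io
import json
from datetime import date, timedelta

# Constructed sample inputs (fictional people and accounts).
HR_ROSTER = """\
emp_id,name,status,role,left_on
E100,Asha Sharma,active,trader,
E101,Ravi Kapoor,left,trader,2025-01-15
E102,Meena Iyer,active,ops,
E103,Dev Nair,active,admin,
"""
ACCESS_EXPORT = """\
account,emp_id,entitlement,last_login
asharma,E100,trade_execute,2025-02-20
rkapoor,E101,trade_execute,2025-02-18
miyer,E102,trade_execute,2025-02-19
dnair,E103,sys_admin,2024-10-01
svc_batch,,sys_admin,2025-02-21
"""

# Entitlements each HR role may hold (assumed mapping for the example).
ALLOWED = {"trader": {"trade_execute"}, "ops": {"trade_view"}, "admin": {"sys_admin"}}
DORMANT_DAYS = 90
AS_OF = date(2025, 3, 1)  # review date used by the example run


def review_access(roster_csv: str, access_csv: str, as_of: date) -> list[tuple]:
    """Return (finding_type, account, detail) for every account that should not
    keep its current access without an explicit, recorded justification."""
    roster = {r["emp_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(access_csv)):
        emp = roster.get(acct["emp_id"])
        if emp is None:
            # Service or unmapped accounts need a named owner; flag for the reviewer.
            findings.append(("ORPHAN", acct["account"], "no matching HR record"))
            continue
        if emp["status"] != "active":
            findings.append(("LEAVER", acct["account"], f"employee left on {emp['left_on']}"))
            continue
        if acct["entitlement"] not in ALLOWED.get(emp["role"], set()):
            findings.append(("EXCESS", acct["account"],
                             f"{acct['entitlement']} not allowed for role {emp['role']}"))
        last = date.fromisoformat(acct["last_login"])
        if as_of - last > timedelta(days=DORMANT_DAYS):
            findings.append(("DORMANT", acct["account"], f"no login since {last.isoformat()}"))
    return findings


def evidence_record(roster_csv: str, access_csv: str, as_of: date, reviewer: str) -> dict:
    """Build the evidence artefact: who reviewed what, when, against which exact
    inputs (by hash), with the findings, and a hash over the record itself."""
    findings = review_access(roster_csv, access_csv, as_of)
    record = {
        "control": "periodic access review",
        "as_of": as_of.isoformat(),
        "reviewer": reviewer,
        "inputs": {
            "roster_sha256": hashlib.sha256(roster_csv.encode()).hexdigest(),
            "access_sha256": hashlib.sha256(access_csv.encode()).hexdigest(),
        },
        "findings": [{"type": t, "account": a, "detail": d} for t, a, d in findings],
    }
    # Canonical JSON (sorted keys) so the same inputs always give the same digest.
    record["record_sha256"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


if __name__ == "__main__":
    print(json.dumps(evidence_record(HR_ROSTER, ACCESS_EXPORT, AS_OF, "ciso@example.invalid"), indent=2))
```

The point of hashing the raw exports is that the record can be tied back to the exact files the reviewer saw; if an export is regenerated later with the leaver removed, the input digest changes and the evidence no longer claims to describe that export. In production the record would be signed and stored in a write-once evidence repository, and each finding would carry its remediation ticket and closure date so the auditor can trace improvements to completion.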

Platforms like eQomply are designed precisely for this operational model, enabling regulated entities to capture compliance evidence continuously, map it to specific CSCRF requirements, and generate audit-ready reports without last-minute scrambles. The ability to maintain a single source of truth for policies, risk assessments, and compliance evidence becomes particularly valuable for organizations managing multiple regulatory frameworks simultaneously.

Integrating with Existing Risk Management

SEBI cybersecurity framework compliance should not exist as an isolated program. Organizations that integrate CSCRF requirements with enterprise risk management, operational risk frameworks, and existing compliance programs achieve efficiency gains while providing better visibility to leadership.

Cyber risks identified through CSCRF assessments should flow into unified risk registers that also capture operational, financial, and strategic risks. This integration allows board risk committees to see cybersecurity in context, understand interdependencies, and make informed resource allocation decisions. It also avoids the common problem of compliance teams and risk teams maintaining separate, sometimes contradictory, views of organizational risk.

Preparing for Continuous Compliance

The CSCRF is not a one-time certification exercise. SEBI has established ongoing reporting requirements, periodic assessments, and expectations for continuous improvement. Organizations should build compliance programs that accommodate evolving requirements without major restructuring.

This means investing in scalable processes rather than point-in-time fixes: policy management systems that track versions, approvals, and attestations; risk assessment methodologies that can incorporate new threat categories as they emerge; evidence repositories that maintain audit trails and support rapid retrieval; and reporting capabilities that can generate board presentations, regulatory submissions, and audit documentation from the same underlying data.

Moving Forward with CSCRF Compliance

SEBI’s Cybersecurity and Cyber Resilience Framework establishes clear expectations for India’s capital markets participants. The requirements are substantial, the timelines are compressed, and the evidence standards are rigorous. Organizations that approach compliance systematically, with proper tooling and integrated processes, will navigate these requirements more effectively than those relying on manual approaches and audit-time mobilization.

The framework ultimately aims to strengthen the resilience of India’s financial markets against cyber threats. Compliance programs that embrace this goal, rather than treating it as a box-checking exercise, will achieve both regulatory satisfaction and genuine security improvement.

For compliance leaders evaluating how to build or strengthen their CSCRF compliance programs, scheduling a demo with eQomply provides an opportunity to see how purpose-built GRC infrastructure can reduce compliance burden while improving audit readiness. The platform’s pre-mapped SEBI CSCRF controls, automated evidence collection, and integrated policy management address the specific operational challenges this regulation creates for market intermediaries.

Pritesh Baviskar

Founder at eQomply. Writes about compliance, regulatory shifts, and what it takes to build GRC functions that actually work.