SEBI Compliance

SEBI Cyber Audit Requirements Explained

June 29, 2026, by Pritesh Baviskar

The annual cyber audit is one of the most scrutinized compliance obligations for market intermediaries in India. SEBI cyber audit requirements have evolved significantly since the first cybersecurity circular in 2015, and entities that treat this as a checkbox exercise consistently find themselves facing observations, remediation deadlines, and in some cases, regulatory action. Understanding what SEBI expects, how auditors evaluate your controls, and what constitutes adequate evidence is essential for any compliance or risk function operating in the capital markets ecosystem.

This post breaks down the structural requirements of SEBI’s cyber audit framework, the scope auditors typically cover, the findings that recur across regulated entities, and the operational discipline needed to pass these audits without last-minute scrambles.

SEBI’s Cyber Audit Expectations: The Regulatory Foundation

SEBI’s cybersecurity and cyber resilience framework, first issued for stock exchanges, clearing corporations and depositories in the circular dated July 6, 2015, and since extended through further circulars to stock brokers, depository participants, mutual funds, portfolio managers and other registered intermediaries (and consolidated in 2024 into the Cybersecurity and Cyber Resilience Framework, CSCRF), requires each regulated entity to conduct a comprehensive cyber audit at least once a year.

The audit must be performed by a CERT-In empanelled auditor. This is non-negotiable. Internal IT teams cannot self-certify, and auditors without CERT-In empanelment are not recognized for this purpose. The empanelled auditor is expected to independently assess the entity’s cybersecurity posture against SEBI’s prescribed framework, which draws on standards such as ISO/IEC 27001, the NIST Cybersecurity Framework and COBIT but adds India-specific regulatory overlays.

Frequency and Reporting Timelines

For most intermediaries, the audit is annual. However, MIIs and large brokerages handling significant transaction volumes may face half-yearly assessments based on SEBI’s risk categorization. The audit report, along with the entity’s response to findings and a remediation plan, must be submitted to SEBI within a specified window after the audit is completed. Late submissions attract regulatory attention, and entities that miss deadlines repeatedly draw closer regulatory scrutiny.

Brokerages managing multi-segment registrations face additional complexity here. Each registration may carry distinct compliance obligations, and the cyber audit must cover systems and processes across all registered activities. For a deeper look at how this intersects with operational compliance, see our analysis on SEBI multi-registration compliance.

Scope of the SEBI Cyber Audit: What Auditors Actually Evaluate

The scope of SEBI’s cyber audit goes well beyond technical vulnerability assessments. Auditors evaluate three broad domains: governance and policy, technical controls and infrastructure, and incident response preparedness. Each domain carries specific expectations that regulated entities must address with documented evidence.

Governance and Policy Framework

Auditors begin with the governance layer. They examine whether the entity has a board-approved cybersecurity policy, whether it has been reviewed and updated within the last year, and whether the board or a designated committee receives periodic reports on cybersecurity posture. The policy must explicitly address data classification, access control principles, acceptable use, and incident escalation paths.

The governance assessment also covers role definitions. Auditors look for a designated CISO or equivalent role, clear separation of duties between IT operations and security oversight, and documented accountability for compliance with SEBI’s cybersecurity framework. Entities where the CTO or CIO also serves as the de facto security head without formal designation often receive observations.

Technical Controls and Infrastructure Security

This is the most granular portion of the audit. Auditors assess network architecture, firewall configurations, intrusion detection and prevention systems, endpoint protection, encryption standards for data at rest and in transit, patch management cadence, and vulnerability assessment results from the preceding period.

Consider a mid-size stock broking firm operating trading terminals across 50 branch locations with a centralized back-office system. The auditor will evaluate whether network segmentation exists between the trading network and the corporate LAN, whether remote access for branch locations uses encrypted tunnels with multi-factor authentication, and whether the firm conducts periodic penetration testing beyond automated vulnerability scans. Each of these must be evidenced through logs, configuration exports, and documented test results.

| Technical Domain | What Auditors Verify | Evidence Expected |
|---|---|---|
| Network Security | Firewall rules, segmentation, IDS/IPS deployment | Configuration exports, network diagrams, alert logs |
| Access Control | Privilege management, MFA, periodic access reviews | Access review records, MFA enrollment reports, role matrices |
| Patch Management | Patching cadence, critical patch timelines | Patch deployment records, exception approvals for delays |
| Encryption | Data-at-rest and data-in-transit encryption standards | Certificate inventories, encryption configuration evidence |
| Vulnerability Management | VAPT frequency, findings closure | VAPT reports, remediation tracker with closure dates |
| Endpoint Protection | Antivirus/EDR deployment, update cadence | Deployment coverage reports, signature update logs |
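The segmentation question in the branch-network scenario above (is the corporate LAN actually fenced off from the trading network, and is there a default deny?) is the kind of claim an auditor will test against the configuration export rather than the network diagram. The script below is an added example, not code from the post or from any firewall vendor: it reads a constructed, simplified rule export (one rule per line, first match wins), evaluates sample flows the way a first-match firewall would, and lists the permit rules that open a path from the assumed corporate range 10.20.0.0/16 into the assumed trading range 10.10.0.0/16. A real export needs a vendor-specific parser; the review logic stays the same.

```python
import ipaddress

# Constructed sample export (not a real vendor format): "action protocol src dst port",
# first match wins, text after '#' is a comment.
RULE_EXPORT = """
permit tcp 10.20.5.0/24 10.10.1.10/32 443   # branch portal to OMS web tier, approved exception
permit tcp 10.20.0.0/16 10.10.0.0/16 any    # 'temporary' rule that was never removed
deny   ip  10.20.0.0/16 10.10.0.0/16 any
permit ip  any any any                      # catch-all permit: no default deny
"""

# Assumed address plan for the example entity.
CORPORATE_LAN = ipaddress.ip_network("10.20.0.0/16")
TRADING_NET = ipaddress.ip_network("10.10.0.0/16")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_rules(text):
    """Turn the constructed export into rule dicts with ip_network objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        rules.append({
            "action": action,
            "proto": proto,
            "src": ANY_NET if src == "any" else ipaddress.ip_network(src),
            "dst": ANY_NET if dst == "any" else ipaddress.ip_network(dst),
            "port": None if port == "any" else int(port),
            "text": line,
        })
    return rules


def evaluate(rules, src_ip, dst_ip, dst_port, proto="tcp"):
    """First-match evaluation of one flow; implicit deny if no rule matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if src in r["src"] and dst in r["dst"] and r["port"] in (None, dst_port):
            return r["action"]
    return "deny"


def segmentation_findings(rules, corp=CORPORATE_LAN, trading=TRADING_NET):
    """Static review of corporate->trading paths, honouring rule order.

    Walks the ruleset top-down. Every permit that overlaps corp->trading is
    reported (broad if it covers the whole trading range or any port, scoped
    otherwise) until a deny that fully covers corp->trading shadows the rest.
    Finally checks that the ruleset ends in an explicit deny-all.
    """
    findings = []
    for r in rules:
        covers = (r["proto"] == "ip" and r["port"] is None
                  and corp.subnet_of(r["src"]) and trading.subnet_of(r["dst"]))
        if r["action"] == "deny" and covers:
            break  # everything below is shadowed for corporate->trading traffic
        if r["action"] == "permit" and r["src"].overlaps(corp) and r["dst"].overlaps(trading):
            broad = trading.subnet_of(r["dst"]) or r["port"] is None
            findings.append(("broad_permit" if broad else "scoped_permit", r["text"]))
    last = rules[-1] if rules else None
    if last is None or last["action"] != "deny" or last["src"] != ANY_NET or last["dst"] != ANY_NET:
        findings.append(("no_default_deny", last["text"] if last else "<empty ruleset>"))
    return findings


if __name__ == "__main__":
    rules = parse_rules(RULE_EXPORT)
    # An arbitrary corporate workstation reaching SSH on a trading host should be denied.
    print("corp workstation -> trading ssh:", evaluate(rules, "10.20.7.15", "10.10.2.20", 22))
    for kind, text in segmentation_findings(rules):
        print(f"{kind:16} {text}")
```

Run as-is it reports the scoped exception, the broad "temporary" permit and the missing default deny; the scoped permit is what the approved exception record in the change log should account for, the other two are the observations.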

Incident Response and Business Continuity

SEBI expects documented incident response plans that are not merely theoretical. Auditors assess whether the entity has conducted tabletop exercises or simulated incident drills within the audit period, whether the incident response plan accommodates the CERT-In directions of April 2022, which require specified incidents to be reported to CERT-In within six hours of being noticed, and whether previous incidents (if any) were handled per the documented protocol.

The disaster recovery and business continuity components are also within scope. Auditors verify DR site configurations, RTO/RPO definitions, failover testing records, and backup integrity checks. For brokerages that handle real-time trading data, the absence of documented BCP testing is a material finding.

Common Audit Findings: What Keeps Recurring Across Entities

Audit after audit, certain findings recur with predictable regularity across SEBI-regulated entities. Understanding these patterns allows compliance teams to proactively address gaps before the auditor arrives.

Incomplete or Outdated Policy Documentation

The most frequent finding is policies that have not been reviewed within the prescribed period. SEBI expects annual review and board approval. Entities often have comprehensive policies drafted at the time of initial compliance, which then remain static for two or three years. The auditor flags not just the staleness of the document, but the absence of review records, approval timestamps, and version control trails.

Gaps in Access Management

Privileged access reviews that are not conducted quarterly, dormant accounts of departed employees remaining active, shared credentials for system administration, and MFA not enforced across all critical systems are consistently flagged. For entities operating across multiple SEBI registrations, the access management challenge multiplies because different systems serve different business functions and user bases must be segregated accordingly.

Inadequate Evidence of Control Effectiveness

This is perhaps the most operationally frustrating finding. The control exists, it may even be functioning correctly, but there is no documented evidence of its continuous operation. Auditors cannot accept verbal assurances. They need logs, screenshots with timestamps, automated reports, or signed attestation records. Entities that rely on manual processes for evidence collection frequently discover that they cannot reconstruct evidence for controls that operated six months ago.

Delayed VAPT Remediation

Vulnerability assessment and penetration testing reports often contain critical or high-severity findings that remain open beyond acceptable timelines. Auditors track not just whether VAPT was conducted, but whether identified vulnerabilities were remediated within defined SLAs. Entities that conduct VAPT but lack a structured remediation tracking mechanism receive observations for open vulnerabilities, even if the testing itself was thorough.

Preparing Evidence and Documentation for the Cyber Audit

Evidence preparation is where compliance teams either demonstrate operational maturity or expose structural weaknesses. The key principle is continuous evidence collection rather than retrospective compilation. Entities that attempt to gather audit evidence in the weeks before the auditor arrives invariably find gaps, missing records, and inconsistencies that cannot be resolved under time pressure.

Establishing an Evidence Repository

Every control mapped to SEBI’s cybersecurity framework should have a corresponding evidence artifact. These artifacts must be collected at the frequency the control operates, whether daily, weekly, monthly, or quarterly. An evidence repository that links each SEBI requirement to the responsible owner, the control activity, the evidence type, and the collection frequency forms the backbone of audit preparedness.

Consider a depository participant that must demonstrate quarterly access reviews across 12 critical systems. Without automated evidence capture, the compliance team must manually collect access lists from each system administrator every quarter, verify them against HR records, document exceptions, and store them with timestamps. This is where platforms like eQomply provide structural support, automating evidence capture workflows, linking them to specific regulatory requirements, and maintaining audit trails that satisfy CERT-In empaneled auditors without manual reconstruction.

Documentation Standards That Satisfy Auditors

Evidence must meet three criteria: completeness (covers the full audit period), authenticity (timestamps and system-generated records preferred over manually created documents), and traceability (linked to the specific control and requirement it addresses). Screenshots without dates, policies without version histories, and review records without approver signatures are routinely rejected.
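The quarterly access review described for the depository participant above, and the three evidence criteria just listed, can be shown together in code. The script below is an added example, not code from the post or from eQomply: it reconciles a constructed per-system account export against a constructed HR roster (the dormant-account, departed-employee, shared-credential and MFA gaps listed under Gaps in Access Management), then packages the export and the exceptions into an evidence record that carries a control reference (traceability), the review period (completeness) and a SHA-256 over the stored payload (authenticity, so later edits are detectable). The 90-day dormancy threshold and the control id are placeholders for the entity's own policy and control mapping.

```python
import hashlib
import json
from datetime import date

# Constructed sample inputs (not real data): the HR roster and one system's account export.
HR_ROSTER = {
    "E1001": {"name": "A. Rao", "status": "active", "last_day": None},
    "E1002": {"name": "B. Singh", "status": "terminated", "last_day": "2026-02-14"},
    "E1003": {"name": "C. Mehta", "status": "active", "last_day": None},
}

ACCESS_EXPORT = {
    "system": "oms-backoffice",
    "exported_on": "2026-04-01",
    "accounts": [
        {"login": "arao", "emp_id": "E1001", "privileged": False, "mfa": True, "last_login": "2026-03-30"},
        {"login": "bsingh", "emp_id": "E1002", "privileged": False, "mfa": True, "last_login": "2026-02-10"},
        {"login": "cmehta", "emp_id": "E1003", "privileged": True, "mfa": False, "last_login": "2025-12-01"},
        {"login": "sysadmin", "emp_id": None, "privileged": True, "mfa": True, "last_login": "2026-03-31"},
    ],
}

DORMANT_DAYS = 90  # assumed threshold; take it from your own access policy


def review_access(export, roster, review_date, dormant_days=DORMANT_DAYS):
    """Reconcile an access export against HR; one exception dict per issue found.

    review_date is an ISO date string (the day the review was performed).
    """
    as_of = date.fromisoformat(review_date)
    exceptions = []
    for acct in export["accounts"]:
        login = acct["login"]
        if acct["emp_id"] is None:
            exceptions.append({"login": login, "issue": "not tied to an individual (shared or generic account)"})
        else:
            person = roster.get(acct["emp_id"])
            if person is None:
                exceptions.append({"login": login, "issue": "employee id not found in HR roster"})
            elif person["status"] != "active":
                exceptions.append({"login": login,
                                   "issue": f"employee left on {person['last_day']} but account still enabled"})
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            exceptions.append({"login": login, "issue": f"dormant for {idle} days"})
        if acct["privileged"] and not acct["mfa"]:
            exceptions.append({"login": login, "issue": "privileged account without MFA"})
    return exceptions


def _canonical(payload):
    """Stable serialization so the same payload always hashes to the same digest."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_evidence_record(control_id, period, export, exceptions, review_date, reviewer):
    """Package export + exceptions into a traceable, hash-sealed evidence artifact."""
    payload = {"export": export, "exceptions": exceptions}
    return {
        "control_id": control_id,        # traceability: the requirement this artifact satisfies
        "period": period,                # completeness: the review cycle it covers
        "system": export["system"],
        "reviewed_on": review_date,
        "reviewer": reviewer,
        "exception_count": len(exceptions),
        "sha256": hashlib.sha256(_canonical(payload)).hexdigest(),  # authenticity
        "payload": payload,
    }


def verify_evidence_record(record):
    """Recompute the digest over the stored payload; False means the artifact was altered."""
    return hashlib.sha256(_canonical(record["payload"])).hexdigest() == record["sha256"]


if __name__ == "__main__":
    exc = review_access(ACCESS_EXPORT, HR_ROSTER, "2026-04-01")
    # "CTRL-AR-Q" is a placeholder id from the entity's own control-to-requirement mapping.
    rec = build_evidence_record("CTRL-AR-Q", "Q4 FY25-26", ACCESS_EXPORT, exc, "2026-04-01", "compliance-ops")
    for e in exc:
        print(f"{e['login']:10} {e['issue']}")
    print("evidence sha256:", rec["sha256"], "| verifies:", verify_evidence_record(rec))
```

Storing the record (and the digest separately, for instance in the ticket that closes the quarter's review) gives the auditor a system-generated, dated artifact linked to a named control instead of a screenshot of an admin console.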

For brokerages managing compliance across multiple SEBI registrations, the documentation burden is multiplied. Each registration’s systems, processes, and controls need distinct evidence trails. Our analysis on SEBI compliance for brokerages examines how this operational complexity plays out in practice.

Remediation Tracking and Closure: Turning Findings into Compliance

Receiving audit findings is not the end of the process. SEBI expects entities to submit a remediation plan with defined timelines for each observation, and auditors verify closure during the subsequent audit cycle. Unresolved findings from previous audits are treated with heightened severity, and entities that show a pattern of repeated unresolved observations risk regulatory escalation.

Structuring the Remediation Workflow

Each finding must be assigned to a specific owner with a defined target closure date. The remediation plan should distinguish between findings that require immediate action (critical vulnerabilities, access control gaps), those requiring process changes (policy updates, governance improvements), and those requiring capital investment (infrastructure upgrades, new tool deployment). This categorization helps both the entity and SEBI understand the remediation trajectory.

A structured remediation tracker should capture the finding description, severity classification, root cause, remediation action, responsible owner, target date, actual closure date, and evidence of closure. This tracker becomes a living document reviewed in monthly or quarterly compliance meetings and presented to the board or audit committee at defined intervals.

Avoiding the Recurrence Trap

SEBI auditors specifically look for findings that recur across audit cycles. A finding that appears in consecutive audits signals systemic weakness rather than isolated oversight. Regulated entities must address not just the specific observation, but the underlying process gap that allowed it to occur. If access reviews are consistently incomplete, the remediation should address the access review process itself, not merely clean up the specific instances the auditor identified.
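The remediation tracker fields listed above, the SLA-based closure tracking that the Delayed VAPT Remediation finding calls for, and the recurrence check described in this section fit in one small structure. The script below is an added example, not the post's or eQomply's code: it holds constructed sample findings from two audit cycles, classifies each as closed, open or overdue against assumed per-severity SLAs (the day counts are illustrative, not SEBI-prescribed), flags findings closed without evidence of closure, identifies control references that appear in more than one cycle, and renders the overdue-first listing a board pack would carry.

```python
from datetime import date

# Assumed closure SLAs in days by severity. Illustrative values only; use the
# timelines from your own remediation policy or the auditor's observation letter.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample findings (not real observations) spanning two audit cycles.
FINDINGS = [
    {"id": "F-2425-01", "cycle": "FY24-25", "control_ref": "AC-02", "severity": "high",
     "description": "Quarterly privileged access review not performed for back-office systems",
     "root_cause": "Review owned by IT ops with no entry in the compliance calendar",
     "action": "Add quarterly task to compliance calendar with sign-off", "owner": "CISO",
     "opened": "2025-01-10", "target": "2025-02-09", "closed": "2025-03-01",
     "evidence": "Signed Q3 and Q4 review sheets"},
    {"id": "F-2526-01", "cycle": "FY25-26", "control_ref": "AC-02", "severity": "high",
     "description": "Quarterly privileged access review missed for two quarters",
     "root_cause": "Calendar task exists but has no escalation when skipped",
     "action": "Automate export collection and escalate after 7 days", "owner": "CISO",
     "opened": "2026-01-12", "target": "2026-02-11", "closed": None, "evidence": None},
    {"id": "F-2526-02", "cycle": "FY25-26", "control_ref": "VM-01", "severity": "critical",
     "description": "Critical VAPT finding on internet-facing gateway open beyond SLA",
     "root_cause": "No remediation tracker; VAPT report filed without follow-up",
     "action": "Patch gateway; enter all VAPT findings in tracker", "owner": "Head of Infra",
     "opened": "2026-01-12", "target": "2026-01-27", "closed": None, "evidence": None},
    {"id": "F-2526-03", "cycle": "FY25-26", "control_ref": "PL-01", "severity": "medium",
     "description": "Cybersecurity policy not reviewed in the last 12 months",
     "root_cause": "No policy review cycle defined", "action": "Board re-approval of policy",
     "owner": "Compliance Head", "opened": "2026-01-12", "target": "2026-04-12",
     "closed": "2026-02-20", "evidence": None},
    {"id": "F-2526-04", "cycle": "FY25-26", "control_ref": "BC-03", "severity": "low",
     "description": "DR failover test performed but not documented",
     "root_cause": "Test runbook has no results section", "action": "Add results template to runbook",
     "owner": "Head of Infra", "opened": "2026-01-12", "target": "2026-07-11",
     "closed": None, "evidence": None},
]


def status(finding, as_of):
    """closed / open / overdue for one finding, judged against its severity SLA on as_of (ISO date)."""
    if finding["closed"]:
        return "closed"
    age = (date.fromisoformat(as_of) - date.fromisoformat(finding["opened"])).days
    return "overdue" if age > SLA_DAYS[finding["severity"]] else "open"


def closed_without_evidence(findings):
    """Closures an auditor will not accept: no artifact proving the fix."""
    return [f["id"] for f in findings if f["closed"] and not f["evidence"]]


def recurring_controls(findings):
    """Control references observed in more than one cycle: a process gap, not a one-off."""
    cycles = {}
    for f in findings:
        cycles.setdefault(f["control_ref"], set()).add(f["cycle"])
    return sorted(ref for ref, seen in cycles.items() if len(seen) > 1)


def tracker_summary(findings, as_of):
    summary = {"closed": 0, "open": 0, "overdue": 0}
    for f in findings:
        summary[status(f, as_of)] += 1
    summary["closed_without_evidence"] = closed_without_evidence(findings)
    summary["recurring"] = recurring_controls(findings)
    return summary


def board_report(findings, as_of):
    """One line per finding, overdue first and most severe first within each status."""
    order = {"overdue": 0, "open": 1, "closed": 2}
    rows = sorted(findings, key=lambda f: (order[status(f, as_of)], SEVERITY_RANK[f["severity"]]))
    return [f"{status(f, as_of).upper():8} {f['id']} [{f['severity']}] owner={f['owner']} "
            f"target={f['target']} :: {f['description']}" for f in rows]


if __name__ == "__main__":
    today = "2026-03-31"
    print(tracker_summary(FINDINGS, today))
    print("\n".join(board_report(FINDINGS, today)))
```

With the sample data the recurring list contains AC-02, which is the signal this section is about: the FY25-26 remediation for that finding targets the escalation gap rather than the missed reviews themselves.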

This is where the difference between reactive compliance and embedded compliance operations becomes apparent. Entities using purpose-built GRC platforms like eQomply can automate the monitoring of control effectiveness, flag deviations before they become audit findings, and maintain continuous remediation visibility across multiple regulatory frameworks operating simultaneously.

Board Reporting on Audit Status

SEBI’s governance expectations include board-level visibility into cybersecurity audit outcomes and remediation progress. The board or a designated technology/risk committee must receive reports on audit findings, remediation status, and residual risk. These reports should not merely list findings, they should contextualize risk exposure and articulate the entity’s path to closure.

Generating board-ready reports from scattered spreadsheets, email threads, and system logs is operationally expensive and error-prone. Consolidating audit findings, remediation tracking, and board reporting into a unified platform reduces the reporting burden while ensuring consistency between what the auditor observed, what was communicated to the board, and what was actually remediated.

Building Sustainable Audit Readiness

SEBI cyber audit requirements are not a once-a-year compliance event. They reflect an ongoing expectation that regulated entities maintain robust cybersecurity governance, demonstrate continuous control effectiveness, and respond to findings with operational discipline. The entities that pass audits cleanly are not those with the largest security budgets, but those with structured compliance operations that produce evidence continuously, track obligations systematically, and close gaps with accountability.

The challenge for many capital market intermediaries is that their compliance infrastructure was not designed for this level of operational rigor. Spreadsheet trackers, shared drives full of evidence screenshots, and email-based remediation follow-ups collapse under the weight of annual audits, especially when the entity operates across multiple SEBI registrations or faces concurrent regulatory assessments from other bodies like CERT-In.

If your team is preparing for an upcoming SEBI cyber audit and recognizes the structural gaps in your current evidence management and remediation tracking, it may be worth exploring how a purpose-built compliance platform can reduce that operational burden. You can see how eQomply handles this for capital market entities by requesting a walkthrough here.

  • compliance
  • cyber audit
  • cybersecurity
  • SEBI
Pritesh Baviskar

Founder at eQomply. Writes about compliance, regulatory shifts, and what it takes to build GRC functions that actually work.

    © QomplySuite Private Limited Copyright 2026