SEBI Cybersecurity and Cyber Resilience Framework 2024 — Complete Compliance Guide
India’s securities markets process billions of rupees in transactions every trading day. A successful cyberattack on a stockbroker, clearing corporation, or asset management company does not just harm the directly targeted entity — it can destabilise market confidence, expose investor data, and trigger systemic risk across the financial ecosystem. Recognising this, the Securities and Exchange Board of India (SEBI) issued a comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF) in August 2024, replacing and significantly strengthening earlier circulars on the subject.
If your organisation falls under SEBI’s regulatory perimeter, understanding and implementing CSCRF is not optional — it is a compliance mandate with audit obligations, board-level accountability, and regulatory consequences for non-compliance. This guide covers everything you need to know about SEBI CSCRF in 2026.
Background: Why SEBI Issued CSCRF
SEBI’s earlier cybersecurity circulars — issued in 2015 and updated in increments — had become fragmented and insufficient against the threat landscape of the 2020s. Ransomware targeting financial infrastructure, supply chain attacks on fintech integrations, and state-sponsored intrusions into market participants made a unified, risk-based framework necessary.
The CSCRF circular (SEBI/HO/ITD-1/ITD_CSC/P/CIR/2024/113, dated August 20, 2024) consolidates all previous cybersecurity directives and introduces significantly stronger requirements around:
- Third-party risk management
- Security Operations Centre (SOC) monitoring
- Cyber incident reporting timelines
- Board and senior management accountability
- Cyber resilience metrics and testing
Who Must Comply with SEBI CSCRF?
SEBI CSCRF applies to all “Regulated Entities” (REs) within SEBI’s jurisdiction. The framework categorises them by their systemic importance and the nature of their operations:
Category 1 — Market Infrastructure Institutions (MIIs)
- Stock Exchanges (NSE, BSE, etc.)
- Clearing Corporations (NSCCL, ICCL, etc.)
- Depositories (NSDL, CDSL)
MIIs face the most stringent requirements, including mandatory 24×7 SOC operations and advanced threat intelligence programmes.
Category 2 — Qualified Regulated Entities (QREs)
- Stockbrokers with more than 50,000 active clients or more than ₹1,000 crore in annual turnover
- Asset Management Companies (AMCs) — all SEBI-registered AMCs
- Portfolio Managers with AUM above ₹3,000 crore
- Investment Advisers and Research Analysts above specified thresholds
- Custodians and Registrar and Transfer Agents (RTAs)
- KYC Registration Agencies (KRAs)
Category 3 — Mid-size Regulated Entities (MREs)
- Stockbrokers below QRE thresholds but above defined minimum size criteria
- Smaller portfolio managers and investment advisers
- Alternative Investment Funds (AIFs) and Venture Capital Funds above certain AUM
Category 4 — Small Regulated Entities (SREs)
- Smaller stockbrokers, sub-brokers, and distributors
- Research analysts and investment advisers below minimum thresholds
The compliance obligations scale with category — MIIs have the most demanding requirements; SREs have lighter obligations with longer implementation timelines.
Key Requirements of SEBI CSCRF
1. Cybersecurity Policy and Governance
Every RE must have a board-approved Cybersecurity Policy reviewed annually. A designated Chief Information Security Officer (CISO) is mandatory for QREs and above. The board must receive a cybersecurity report at least quarterly, covering incidents, vulnerabilities, audit findings, and remediation status.
2. Cyber Risk Assessment
REs must conduct a formal cyber risk assessment at least annually. The risk assessment must cover all critical information assets, third-party dependencies, internet-facing systems, and data flows. Identified risks must be tracked through a risk register with documented treatment plans.
3. Vulnerability Assessment and Penetration Testing (VAPT)
- MIIs and QREs: VAPT mandatory at least annually for all critical systems; web application penetration testing for all internet-facing applications
- MREs: VAPT at least once every two years
- SREs: Vulnerability Assessment at minimum annually
- VAPT must be conducted by CERT-In empanelled organisations
- Findings must be remediated within defined timelines (critical: 30 days, high: 60 days)
4. Security Operations Centre (SOC) Monitoring
QREs and above are required to implement 24×7 security monitoring through either an in-house SOC or a managed SOC (SOC-as-a-Service) from a qualified provider. The SOC must cover all critical systems, ingest logs from network devices, endpoints, applications, and identity systems, and operate defined playbooks for incident response.
5. Incident Reporting to SEBI
This is one of the most operationally significant requirements. Cyber incidents must be reported to SEBI within specified timelines:
- Critical incidents (market disruption, data breach of investor records, ransomware): Report to SEBI within 6 hours of detection
- High-severity incidents: Report within 24 hours
- Medium-severity incidents: Report within 72 hours
- A root cause analysis (RCA) report must follow within 21 days of incident closure
- Incidents must also be reported to CERT-In per their mandatory reporting requirements
6. Third-Party and Supply Chain Risk Management
REs must maintain an inventory of all critical third-party technology vendors and conduct security assessments of these vendors. Contracts with critical technology providers must include cybersecurity obligations, audit rights, and incident notification clauses. Cloud service providers used for critical operations must comply with data localisation and security requirements.
7. Business Continuity and Disaster Recovery
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) must be defined and tested
- Business Continuity Plan (BCP) must be tested at least annually via tabletop or live drill
- MIIs must maintain near-zero RPO for critical trading systems
- Backup systems must be tested quarterly
8. Data Security and Privacy
Investor data — including KYC information, trading records, and financial data — must be encrypted at rest and in transit. A data classification policy is required. Access to investor data must be granted on a need-to-know basis and protected by strong authentication. The framework aligns with the obligations of India’s Digital Personal Data Protection Act 2023 (DPDP Act).
9. Cyber Audit
MIIs and QREs must undergo an annual Cyber Audit conducted by a CERT-In empanelled auditing organisation. The audit report must be submitted to SEBI within 60 days of completion of the audit. The audit covers all 11 domains of the CSCRF including governance, asset management, access control, cryptography, operations security, incident management, and compliance.
10. Cyber Security Awareness and Training
All employees must receive cybersecurity awareness training at least annually. Staff with privileged access must receive role-specific training. Phishing simulation exercises must be conducted quarterly for QREs and above.
SEBI CSCRF vs RBI Cybersecurity Framework — Key Differences
| Dimension | SEBI CSCRF (2024) | RBI Master Direction on IT (2023) |
|---|---|---|
| Regulated Entities | Stock exchanges, brokers, AMCs, depositories, custodians | Banks, NBFCs, payment operators, urban cooperative banks |
| Incident Reporting Timeline | 6 hours for critical incidents | 2–6 hours depending on incident type |
| VAPT Frequency | Annual for QREs and MIIs | Bi-annual (every 6 months) for major banks |
| SOC Requirement | 24×7 mandatory for QREs and above | 24×7 mandatory for systemically important banks |
| Board Reporting | Quarterly cybersecurity report to board | At least quarterly; Board IT Strategy Committee required |
| Audit Submission | Annual cyber audit report to SEBI within 60 days | Annual IS audit report to RBI within 60 days |
| Data Localisation | Investor data must remain in India | Payment data must be stored only in India |
Implementation Roadmap for SEBI CSCRF Compliance
Phase 1: Foundation (Month 1–2)
- Determine your RE category and applicable obligations
- Conduct a gap assessment against CSCRF requirements
- Appoint CISO or designate a cybersecurity lead
- Build an asset inventory and classify assets by criticality
Phase 2: Policy and Control Implementation (Month 2–5)
- Develop or update Cybersecurity Policy and supporting policies
- Implement access control, encryption, and logging standards
- Establish third-party risk management process
- Set up or contract SOC services
Phase 3: Testing and Validation (Month 5–7)
- Conduct VAPT on all critical systems by CERT-In empanelled firm
- Remediate VAPT findings within required timelines
- Test BCP/DR plan
- Conduct phishing simulation and staff awareness training
Phase 4: Audit and Submission (Month 7–9)
- Engage CERT-In empanelled auditor for annual Cyber Audit
- Prepare and submit audit report to SEBI
- Board review and approval of cybersecurity posture report
MDIT Services — Your SEBI CSCRF Compliance Partner
MDIT Services is a CERT-In empanelled cybersecurity company based in New Delhi with deep expertise in SEBI CSCRF compliance. We have helped stockbrokers, AMCs, RTAs, and depository participants achieve and maintain CSCRF compliance efficiently and cost-effectively.
Our SEBI CSCRF service offerings include:
- CSCRF gap assessment and category determination
- VAPT of all critical systems and internet-facing applications
- Annual Cyber Audit (CERT-In empanelled)
- SOC-as-a-Service with 24×7 monitoring and SEBI incident reporting support
- Policy development and CISO advisory
- Board-level cybersecurity reporting templates
- Staff security awareness training and phishing simulations
SEBI CSCRF compliance is a continuous obligation, not a one-time project. Our team ensures you remain compliant through annual audit cycles, monitoring, and regulatory update tracking.
Contact MDIT Services today for a SEBI CSCRF gap assessment and implementation proposal.
Call us: +91-11-XXXX-XXXX | Email: info@mditservices.in | Website: mditservices.in
