SEBI CSCRF Audit 2026: What Trading Members Must Do Before the June 30 Deadline
The NSE submission portal for SEBI CSCRF cybersecurity audits is now open. All trading members, depository participants, AMCs, KRAs, and registered investment advisers must submit their preliminary cybersecurity audit report by June 30, 2026. Corrective action plans are due by September 30, 2026. If you have not started your audit, you have roughly nine weeks.
What Is SEBI CSCRF?
SEBI CSCRF — the Cybersecurity and Cyber Resilience Framework — is SEBI's mandatory regulatory standard for all entities in the Indian securities market. It was substantially revised and tightened in 2024, and the 2026 audit cycle is the first full compliance check under the updated framework.
CSCRF is not a one-time checkbox. It is a continuous risk management framework that covers:
- Governance — Board-level cyber risk oversight, CISO appointment, incident response policy
- Technical controls — VAPT, access control, encryption, patch management, MFA
- Operational resilience — BCP/DR, RTO/RPO targets, backup and recovery testing
- Third-party risk — Vendor security assessments, contractual obligations
- Incident reporting — Alignment with CERT-In 6-hour reporting mandate
Who Is Covered by SEBI CSCRF?
Every SEBI-regulated entity is covered, but not at the same level. The framework tiers entities by systemic importance and size: Market Infrastructure Institutions (MIIs) at the top, then Qualified Regulated Entities (QREs), with mid-size, small-size and self-certification REs below them, the tier being set by thresholds such as client count. This page treats trading members under QRE obligations; confirm your own tier against the framework's thresholds, because it determines audit frequency and scope.
| Entity Type | CSCRF Category | Audit Frequency |
|---|---|---|
| Stock brokers (NSE/BSE members) | QRE | Annual |
| Depository participants | QRE | Annual |
| AMCs and mutual funds | QRE | Annual |
| KRAs (KYC Registration Agencies) | QRE | Annual |
| Registered Investment Advisers | QRE | Annual |
| Stock exchanges, clearing corps, depositories | MII | Semi-annual |
The June 30 Deadline: What You Must Submit
SEBI's circular requires QREs to submit a preliminary cybersecurity audit report through the NSE portal by June 30, 2026. This is not the final corrective action plan — it is confirmation that a qualified audit has been conducted and preliminary findings identified.
What the submission includes:
- Audit scope statement — Systems, networks, and applications covered
- Auditor declaration — Signed by a CERT-In empanelled security auditor (individual CISA/CISSP certifications are expected of the audit team, but do not substitute for empanelment)
- Gap analysis summary — Controls assessed against CSCRF requirements, gaps identified
- Vulnerability summary — VAPT findings with severity breakdown (Critical/High/Medium/Low)
- Preliminary remediation plan — Timeline for addressing Critical and High findings
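The two list items above (severity breakdown and a remediation timeline for Critical/High findings) are the parts of the submission that are easiest to get wrong by hand. The following is an added example, not code from the original page or from Bachao.AI: it rolls a findings export into the four severity bands using the standard CVSS v3.x score ranges and flags any Critical/High finding whose fix date is missing or later than a cut-off. The findings list, its field names, and the use of the September 30 corrective-action date as the cut-off are all assumptions for illustration.

```python
"""Severity roll-up and remediation-timeline check for a VAPT findings export.

Added example (not from the page). Assumptions: the findings list below is a
constructed sample; real scanners use different column names. Severity bands
are the standard CVSS v3.x ones: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9,
Critical 9.0-10.0.
"""
from collections import Counter
from datetime import date

# Constructed sample export: id, title, CVSS base score, planned fix date (ISO) or None.
FINDINGS = [
    {"id": "F-001", "title": "Outdated TLS configuration on client portal", "cvss": 7.5, "fix_by": "2026-06-20"},
    {"id": "F-002", "title": "RDP reachable from the internet",             "cvss": 9.8, "fix_by": None},
    {"id": "F-003", "title": "Verbose server banner",                        "cvss": 3.1, "fix_by": "2026-09-15"},
    {"id": "F-004", "title": "No rate limit on login endpoint",              "cvss": 5.3, "fix_by": "2026-09-30"},
    {"id": "F-005", "title": "Admin panel without MFA",                      "cvss": 8.1, "fix_by": "2026-10-15"},
]

BANDS = ("Critical", "High", "Medium", "Low")


def severity(score):
    """Map a CVSS v3.x base score to its qualitative band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


def severity_breakdown(findings):
    """Count findings per band; every band is present even when its count is zero."""
    counts = Counter(severity(f["cvss"]) for f in findings)
    return {band: counts.get(band, 0) for band in BANDS}


def remediation_gaps(findings, deadline):
    """Critical/High findings with no fix date, or a fix date after `deadline`."""
    gaps = []
    for f in findings:
        if severity(f["cvss"]) not in ("Critical", "High"):
            continue
        if f["fix_by"] is None:
            gaps.append((f["id"], "no remediation date"))
        elif date.fromisoformat(f["fix_by"]) > deadline:
            gaps.append((f["id"], f"fix date {f['fix_by']} after deadline"))
    return gaps


if __name__ == "__main__":
    # Assumed cut-off: the corrective-action-plan date from the circular.
    print(severity_breakdown(FINDINGS))
    for fid, reason in remediation_gaps(FINDINGS, date(2026, 9, 30)):
        print(f"{fid}: {reason}")
```

Run it over your own export (after mapping the column names) before the auditor does; a Critical finding with no dated owner is the kind of gap that turns a preliminary submission into a follow-up query.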
What Auditors Actually Check
SEBI CSCRF audit covers technical and governance controls. Here are the most common gaps we see in trading member audits:
Network and Application Security
- VAPT not done in the last 12 months — Most common gap. QREs must run VAPT on internet-facing systems at least annually, and the auditor will ask for the most recent report and the re-test evidence for the fixes.
- Unpatched systems — Outdated OS, middleware, or exchange connectivity software
- Weak authentication — No MFA on trading terminals, admin consoles, or email
- Exposed admin interfaces — RDP, SSH, or admin panels directly accessible from the internet
- Missing WAF — Web application firewall not deployed on client-facing portals
Access Control and Identity
- Shared credentials — Multiple traders sharing one login ID
- No privileged access management — No audit trail for admin-level access
- Stale accounts — Former employee accounts still active
- No access review process — User access not reviewed quarterly
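Three of the four gaps in this list (shared credentials, stale accounts, no access review) can be spotted from data you already have: an identity export with HR status and last-login time, and the authentication log. The following is an added example, not code from the original page or from Bachao.AI. The account and log records are constructed, and the two detection rules are assumptions chosen for illustration: an account is stale if its owner has left or it has not logged in for 90 days, and a credential is treated as shared when the same account logs in from two different workstations within 10 minutes.

```python
"""Quarterly access-review helper: stale accounts and shared-login signals.

Added example (not from the page). Assumptions: the records below are a
constructed sample; the 90-day idle threshold and the 10-minute
multi-workstation window are review parameters you should tune to your own
environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: what an AD/IdP export joined to HR status typically gives you.
ACCOUNTS = [
    {"user": "rmehta",     "hr_status": "active",  "last_login": "2026-04-20T09:05:00"},
    {"user": "spatel",     "hr_status": "left",    "last_login": "2026-03-02T17:40:00"},
    {"user": "svc_backup", "hr_status": "service", "last_login": "2025-11-01T02:00:00"},
    {"user": "dealer01",   "hr_status": "active",  "last_login": "2026-04-21T09:00:00"},
]

# Constructed: successful logins as (timestamp, account, workstation).
AUTH_LOG = [
    ("2026-04-21T09:00:12", "dealer01", "WS-TRD-07"),
    ("2026-04-21T09:03:40", "dealer01", "WS-TRD-12"),
    ("2026-04-21T09:04:05", "rmehta",   "WS-OPS-01"),
    ("2026-04-21T14:30:00", "dealer01", "WS-TRD-07"),
]


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Accounts whose owner has left, or with no login within max_idle_days of as_of."""
    cutoff = as_of - timedelta(days=max_idle_days)
    flagged = []
    for a in accounts:
        last = datetime.fromisoformat(a["last_login"])
        if a["hr_status"] == "left":
            flagged.append((a["user"], "owner has left"))
        elif last < cutoff:
            flagged.append((a["user"], f"idle since {a['last_login'][:10]}"))
    return flagged


def shared_logins(auth_log, window_minutes=10):
    """Accounts seen on different workstations within the window: a shared-credential signal."""
    by_user = defaultdict(list)
    for ts, user, host in auth_log:
        by_user[user].append((datetime.fromisoformat(ts), host))
    window = timedelta(minutes=window_minutes)
    hits = set()
    for user, events in by_user.items():
        events.sort()  # chronological, so the inner loop can stop at the first event outside the window
        for i, (t1, h1) in enumerate(events):
            for t2, h2 in events[i + 1:]:
                if t2 - t1 > window:
                    break
                if h1 != h2:
                    hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    review_date = datetime(2026, 4, 25)
    for user, reason in stale_accounts(ACCOUNTS, review_date):
        print(f"stale: {user} ({reason})")
    for user in shared_logins(AUTH_LOG):
        print(f"possible shared credential: {user}")
```

Service accounts (the `svc_backup` row) will trip the idle rule whenever they authenticate rarely, so review them against their documented purpose rather than removing them on sight; the point of the script is to produce the list a quarterly access review should start from, with the decisions recorded as the audit trail.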
Incident Response
- No documented IR plan — Required by both SEBI CSCRF and CERT-In
- No incident drill in the last year — SEBI requires tabletop or simulation exercises
- No SIEM or log aggregation — Inability to detect or investigate incidents
Data Protection
- Unencrypted sensitive data — Client KYC data or trading data stored unencrypted
- No DLP controls — No mechanism to prevent data exfiltration
- No data classification policy — No process to identify what is sensitive
9-Week Action Plan for Trading Members
If you are starting today (late April 2026), here is a realistic plan to meet the June 30 submission deadline:
Weeks 1–2: Assessment
- [ ] Inventory all internet-facing systems (trading platform, client portal, admin console, APIs)
- [ ] Run automated VAPT on all in-scope systems
- [ ] Conduct internal gap analysis against CSCRF control checklist
- [ ] Engage a CERT-In empanelled auditor for formal audit sign-off
- [ ] Patch all Critical and High CVEs identified in VAPT
- [ ] Enable MFA on all admin and trading terminal access
- [ ] Disable or remove stale user accounts
- [ ] Document incident response plan (use CERT-In IRP template as base)
- [ ] Compile audit report with auditor sign-off
- [ ] Prepare gap analysis with remediation timeline
- [ ] Draft corrective action plan for Medium/Low findings (due September 30)
- [ ] Upload preliminary report to NSE CSCRF portal
- [ ] Confirm receipt and acknowledgement from NSE
- [ ] Begin implementing corrective actions for the September deadline
How Automated VAPT Accelerates Your SEBI Audit
The most time-consuming part of a CSCRF audit is the technical VAPT. Traditional manual penetration testing takes 3–6 weeks and costs ₹50,000–₹5,00,000. With a nine-week window, manual testing leaves almost no time for remediation.
Bachao.AI automated VAPT delivers:
- 441 security tests covering OWASP Top 10, misconfigurations, CVEs, and API vulnerabilities
- CERT-In aligned report — Structured as evidence for the CSCRF technical controls, so your empanelled auditor can incorporate it into the audit report
- Results in under 2 hours — First scan in the same day, re-scan after fixes
- Free first scan — Understand your exposure before committing to the full audit
Frequently Asked Questions
Does VAPT alone satisfy the SEBI CSCRF audit requirement?
No. VAPT is one technical control evidence component within the broader CSCRF audit. You also need governance documentation (IR plan, access control policy, BCP/DR), auditor sign-off from a CERT-In empanelled firm, and a gap analysis across all CSCRF domains. VAPT is mandatory but not sufficient on its own.
Can we use an automated VAPT report for SEBI CSCRF submission?
Yes, provided the report documents the scope, methodology, findings, and severity ratings clearly. Bachao.AI reports include all of this in CERT-In aligned format. Your empanelled auditor will review and incorporate the VAPT findings into the overall audit report.
What happens if we miss the June 30 deadline?
SEBI can initiate an adjudication proceeding and impose monetary penalties. For first-time violations, penalties typically start at ₹1 lakh and can escalate significantly for regulated entities with client-facing exposure. More importantly, non-compliance can trigger enhanced scrutiny in future audit cycles and affect your exchange membership standing.
Is SEBI CSCRF the same as ISO 27001?
No. ISO 27001 is an international standard and certification. SEBI CSCRF is a sector-specific Indian regulatory mandate. An ISO 27001 ISMS overlaps with many CSCRF controls, but CSCRF adds requirements of its own (for example, VAPT by a CERT-In empanelled auditor and alignment with CERT-In incident reporting timelines), and the CSCRF audit is a separate process specific to SEBI-regulated entities. Having ISO 27001 does not exempt you from CSCRF submission.
How often do we need to repeat this audit?
QREs (which include most trading members) must conduct VAPT at least annually. The full CSCRF audit cycle aligns with SEBI's annual compliance calendar. Expect this to be a recurring obligation.
Bachao.AI provides CERT-In aligned automated VAPT and SEBI CSCRF audit support. Start your free VAPT scan or view our SEBI audit service to understand what your CSCRF submission needs.