What Is SEBI CSCRF and Why It Matters Now
The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) is a mandatory regulatory requirement for all SEBI-regulated entities in India. Introduced via SEBI circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/168 (October 2023), it replaces the earlier 2019 cybersecurity circular and significantly raises the bar for all market intermediaries.
The June 30, 2026 deadline applies to:
- All Qualified Regulated Entities (QREs) — stockbrokers with more than 50,000 active clients
- All Mid-size Regulated Entities (MREs) — stockbrokers with 2,000–50,000 active clients
- Depository Participants
- Registrar and Transfer Agents (RTAs)
- KYC Registration Agencies (KRAs)
- Investment Advisors and Research Analysts with digital systems
The 6-Domain SEBI CSCRF Framework — What Auditors Check
CSCRF is structured around six cybersecurity domains. Your audit report must address each domain with evidence.
Domain 1: Govern (Governance)
- Board-approved Cybersecurity Policy (reviewed annually)
- Designated CISO or equivalent with documented responsibilities
- Third-party vendor risk management policy
- Cybersecurity awareness training records (minimum annual)
- Cyber insurance policy (required for QREs)
Domain 2: Identify
- Comprehensive IT asset inventory (hardware, software, cloud resources)
- Network topology diagram (current)
- Data classification policy with data flow mapping
- Business impact analysis for critical systems
- Annual vulnerability assessment results
Domain 3: Protect
- Multi-factor authentication (MFA) for all privileged access and remote access
- Patch management process (critical patches within 30 days, documented)
- Endpoint protection on all devices (EDR/antivirus with central management)
- Network segmentation between internet-facing and back-office systems
- Encryption of data at rest and in transit (TLS 1.2+ required)
- Privileged Access Management (PAM) for admin accounts
- Email security controls (SPF, DKIM, DMARC, anti-phishing)
- Web Application Firewall (WAF) for internet-facing applications
Domain 4: Detect
- SIEM or equivalent log aggregation (minimum 1-year log retention for QREs)
- Intrusion Detection System (IDS/IPS) on network perimeter
- File integrity monitoring on critical servers
- Vulnerability scanning — automated weekly or monthly
Domain 5: Respond
- Documented Incident Response Plan (IRP) with defined roles
- Cyber incident classification matrix (Critical / High / Medium / Low)
- CERT-In incident reporting process (6-hour notification requirement for critical incidents)
- Annual tabletop exercise or simulation (mandatory for QREs)
Domain 6: Recover
- Business Continuity Plan (BCP) covering critical trading operations
- Disaster Recovery Plan (DRP) with documented RTO and RPO
- DR drill report — minimum annual (QREs: semi-annual)
- Data backup policy with off-site/cloud backup verification records
SEBI CSCRF Compliance Checklist — Annex A (All Entities)
- [ ] Information Security Policy documented and board-approved
- [ ] Asset inventory maintained and updated quarterly
- [ ] MFA enabled for all privileged and remote access
- [ ] Patch management SOP with SLA (Critical: 30 days, High: 90 days)
- [ ] Antivirus/EDR deployed on all endpoints with central dashboard
- [ ] TLS 1.2+ enforced on all web-facing services
- [ ] Annual VAPT by CERT-In empanelled firm or equivalent
- [ ] Incident Response Plan documented
- [ ] CERT-In 6-hour reporting process defined
- [ ] Annual cybersecurity awareness training with records
Annex B — Additional Controls for QREs and MREs
- [ ] SIEM deployed with 1-year log retention
- [ ] IDS/IPS operational on network perimeter
- [ ] CISO appointed with board visibility
- [ ] Cyber insurance policy in place
- [ ] Vendor risk management with annual reviews
- [ ] Tabletop exercise conducted annually with report
- [ ] DR drill conducted semi-annually (QREs)
Common Audit Failures — What Stockbrokers Get Wrong
1. Outdated asset inventory — Auditors require evidence the inventory was updated within the last quarter.
2. MFA not deployed on all privileged accounts — Firms often have MFA on email but not on trading systems or cloud consoles. CSCRF requires MFA everywhere privileged access exists.
3. Missing CERT-In 6-hour reporting SOP — The IT Amendment Rules 2022 require reporting certain cyber incidents to CERT-In within 6 hours. Almost no mid-size broker has this documented.
4. DR drill reports missing — Firms have DR sites but have not conducted or documented a drill in 2+ years.
5. No patch management logs — Firms patch systems but do not document it. CSCRF requires patch application evidence, not just a policy document.
6. Outdated network diagrams — Network topology submitted shows infrastructure from 2-3 years ago.
7. Vendor risk not assessed — Trading software vendors, payment gateways, and cloud providers not included in the vendor risk register.
NSE/BSE Submission Requirements
After completing the CSCRF audit, regulated entities must submit:
- Audit report in prescribed format with CISO sign-off and Board acknowledgement
- Executive summary (maximum 5 pages) with overall risk rating
- Control assessment matrix mapping each CSCRF control to compliance status
- Evidence index with SHA-256 hashes of key evidence documents
- Remediation plan for all gaps identified (with timelines)
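As an added illustration (not from the page or any SEBI/NSE/BSE template), the following Python script builds the SHA-256 evidence index named above and re-verifies it before submission; the directory layout and file names are a constructed sample written to a temporary folder.

```python
"""Build and verify a SHA-256 evidence index for a CSCRF audit submission (added example)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB blocks so large evidence exports (SIEM dumps, scans) fit in memory


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_index(evidence_dir: Path) -> dict:
    """Map each evidence file (path relative to the root) to its digest and size."""
    index = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            index[rel] = {"sha256": sha256_of(p), "bytes": p.stat().st_size}
    return index


def verify_index(evidence_dir: Path, index: dict) -> dict:
    """Re-hash every indexed file; flag 'ok', 'modified' or 'missing' per entry."""
    result = {}
    for rel, meta in index.items():
        p = evidence_dir / rel
        if not p.is_file():
            result[rel] = "missing"
        elif sha256_of(p) != meta["sha256"]:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    return result


def demo() -> dict:
    """Constructed evidence tree: index it, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        (root / "policies" / "infosec_policy_v3.pdf").write_bytes(b"constructed policy text")
        (root / "dr_drill_report.pdf").write_bytes(b"constructed drill report")
        index = build_index(root)  # this is what goes into the submission pack
        (root / "dr_drill_report.pdf").write_bytes(b"edited after CISO sign-off")
        (root / "policies" / "infosec_policy_v3.pdf").unlink()
        return verify_index(root, index)
```

Run `verify_index` against the frozen index immediately before upload so that any evidence document altered or dropped after sign-off is caught on your side rather than by the auditor.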
SEBI CSCRF Penalties for Non-Compliance
| Violation | Penalty |
|---|---|
| Failure to submit audit report by deadline | ₹1,500–₹5,000 per day |
| Misrepresentation in audit report | Suspension of trading licence |
| Critical cyber incident not reported to CERT-In/SEBI | ₹1 crore+ per incident |
| Repeat non-compliance | Licence cancellation proceedings |
How to Get SEBI CSCRF Audit-Ready in 30 Days
Week 1 — Documentation Sprint:
- Collect and update: IT asset inventory, network diagram, all policies
- Identify gaps against Annex A and B checklists
- Enable MFA on all systems where missing
- Patch all critical vulnerabilities (CVSS 9.0+)
- Run automated VAPT to generate evidence
- Verify log retention configuration in SIEM
- Run SIEM report for last 90 days
- Complete a tabletop exercise and document it in a report
- Get CERT-In reporting SOP signed by CISO
- Engage certified auditor or automated audit service
- Review draft report against NSE/BSE format requirements
- Obtain Board acknowledgement sign-off and submit
Frequently Asked Questions
Is SEBI CSCRF mandatory or voluntary? Mandatory for all SEBI-regulated entities. Non-compliance results in daily penalties and potential licence action.
Do I need a CERT-In empanelled firm for SEBI CSCRF audit? SEBI does not explicitly mandate CERT-In empanelment for CSCRF audits. However, an external audit by a qualified cybersecurity firm with NSE/BSE-format report output is required.
What is the difference between VAPT and SEBI CSCRF audit? VAPT is one control under Domain 2 (Identify) of the CSCRF framework. A full CSCRF audit covers all six domains including governance, incident response, and BCP/DR — not just technical vulnerability scanning.
Is SEBI CSCRF the same as ISO 27001 or SOC 2? No. SEBI CSCRF is a SEBI-specific mandatory framework with India-specific requirements around NSE/BSE reporting formats and CERT-In incident reporting. ISO 27001 certification does not satisfy CSCRF audit requirements.
Last updated: April 2026. Reflects SEBI CSCRF requirements as of SEBI circular dated October 2023.