The June 2026 Deadline Is Not Soft
SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) — issued in August 2024 — represents the most comprehensive cybersecurity mandate ever issued to India's capital markets ecosystem. The final compliance deadline for implementation across all Regulated Entities (REs) is June 2026. SEBI has already conducted preliminary CSCRF compliance reviews with select intermediaries and signalled that findings will be treated as enforcement-worthy deficiencies.
If you are a stock broker, depository participant, registrar and transfer agent, asset management company, investment adviser, or research analyst with a SEBI registration — this framework applies to you.
Who Must Comply and at What Tier
CSCRF categorises all SEBI-regulated entities into five tiers based on technology risk profile and market criticality:
| Tier | Category | Examples |
|---|---|---|
| Market Infrastructure Institutions (MIIs) | Highest criticality | NSE, BSE, CDSL, NSDL, CCIL |
| Qualified REs | Large intermediaries | Stock brokers with > ₹2,000 Cr turnover, Mutual Fund AMCs |
| Mid-size REs | Medium intermediaries | Stock brokers (₹500 Cr–₹2,000 Cr turnover), Portfolio Managers |
| Small REs | Smaller intermediaries | Stock brokers (< ₹500 Cr turnover), Investment Advisers (>150 clients) |
| Self-Certification REs | Smallest intermediaries | Sole-proprietor IAs, Research Analysts with < 150 clients |
CSCRF Framework Architecture
SEBI structured CSCRF around five functions — borrowed from the NIST Cybersecurity Framework but adapted for Indian capital markets:
```mermaid
graph LR
A["IDENTIFY<br/>Know your assets & risks"] --> B["PROTECT<br/>Implement safeguards"]
B --> C["DETECT<br/>Identify incidents"]
C --> D["RESPOND<br/>Act on incidents"]
D --> E["RECOVER<br/>Restore operations"]
E --> A
style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style B fill:#1e3a5f,stroke:#F97316,color:#e2e8f0
style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style E fill:#1e5f3a,stroke:#10B981,color:#e2e8f0
```
Function 1: Identify — Governance and Asset Management
Governance Controls
- Cybersecurity policy approved by the Board of Directors — not the management committee, the Board. Policy must be reviewed annually and be available for SEBI inspection on request.
- Board-level accountability — at least one Board member or Trustee designated as responsible for cybersecurity oversight. For listed entities, this may align with the Audit Committee mandate.
- CISO appointment — a Chief Information Security Officer (or equivalent) with direct access to the Board. SEBI is explicit that the CISO cannot report to the CTO, so that the security function stays independent of the technology function it oversees.
- Cybersecurity budget reported to the Board as a line item — evidence of investment proportionate to technology risk.
- Third-party risk management policy — covers all technology vendors, cloud providers, and outsourced operations (trading platforms, back-office systems, KYC vendors).
Asset Management Controls
- Technology asset inventory — every server, endpoint, network device, application, and cloud resource documented with owner, criticality, and data classification
- Data classification policy — Customer PII, trading data, financial records, and regulatory filings each classified and handled with corresponding controls
- Critical asset identification — order management systems (OMS), trading platforms, risk management systems, and customer-facing portals designated as critical; enhanced controls applied
Function 2: Protect — Security Controls Implementation
Access Management
- Multi-factor authentication (MFA) mandatory on all systems that handle client data or trading functions — no exceptions, no time-limited exemptions
- Privileged access management — dedicated PAM solution or equivalent for administrator access to trading systems, risk engines, and customer databases
- Least privilege enforced — trading desk staff cannot access back-office systems; compliance staff cannot access trading systems without documented business justification
- Remote access — all remote access through VPN with MFA; no direct RDP or SSH from the internet
Data Protection
- Encryption at rest for all customer data — PAN, Aadhaar (masked), bank account details, portfolio holdings, transaction history
- Encryption in transit — TLS 1.2 minimum; legacy TLS disabled on all trading and customer-facing endpoints
- Data Loss Prevention (DLP) — controls on email, cloud storage, and USB to prevent exfiltration of client data or trading positions
- Mobile device management (MDM) for any device used to access trading systems or client data — BYOD policy documented with minimum security baselines
Network Security
- Network segmentation — trading network, internet-facing applications, back-office systems, and administrative networks are separated by firewalls with documented rulesets
- WAF (Web Application Firewall) on all internet-facing trading portals and client applications
- DDoS protection — documented capability to absorb or mitigate DDoS attacks on trading infrastructure; this is non-negotiable given the market stability implications
VAPT Requirements
This is where CSCRF is explicit in a way most SEBI circulars are not:
- Annual VAPT mandatory for all tiers — scope includes internet-facing trading applications, APIs, mobile apps, and network perimeter
- VAPT must be conducted by a CERT-In empanelled vendor — internal testing does not satisfy the CSCRF requirement
- Re-testing within 3 months of critical finding remediation — open critical findings are a SEBI examination red flag
- VAPT report must be presented to the Board — not just filed with IT; the Board must be informed of the security posture
| Tier | VAPT Frequency | Scope |
|---|---|---|
| MIIs | Semi-annual | Full infrastructure + trading systems |
| Qualified REs | Annual | All internet-facing + internal network |
| Mid-size REs | Annual | Internet-facing applications + perimeter |
| Small REs | Annual | Internet-facing applications |
| Self-Certification | Annual (self-assessed or outsourced) | Public-facing systems |
Function 3: Detect — Monitoring and Threat Detection
Security Operations
- Security logging — all access to trading systems, customer data, and administrative functions logged with user, timestamp, action, and source IP. Minimum retention: 5 years (aligns with SEBI record-keeping requirements).
- SIEM or equivalent — log correlation with alert rules for: off-hours access, bulk data exports, failed authentication spikes, privilege escalation
- 24/7 monitoring for Qualified REs and above — either in-house SOC or outsourced MSSP. Small REs need at minimum automated alerts reviewed the next business day.
- Dark web monitoring — for Qualified REs and above, SEBI expects active monitoring for leaked credentials or client data on underground forums
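As an added illustration of the four SIEM alert rules listed above (this is example code, not the page's or Bachao.AI's own tooling), the following Python runs those rules over constructed log lines in the user / timestamp / action / source-IP form the logging control calls for. The business-hours window, thresholds and action names are assumptions, not CSCRF values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data), one event per line, in the
# field order the page lists: timestamp user action source_ip rows_exported.
SAMPLE_LOGS = """\
2026-05-04T03:12:07 ravi.s LOGIN 10.20.1.15 0
2026-05-04T09:01:11 ravi.s EXPORT_CLIENTS 10.20.1.15 120000
2026-05-04T09:05:00 ops.admin GRANT_ROLE 10.20.9.3 0
2026-05-04T10:00:01 unknown LOGIN_FAILED 203.0.113.7 0
2026-05-04T10:00:03 unknown LOGIN_FAILED 203.0.113.7 0
2026-05-04T10:00:05 unknown LOGIN_FAILED 203.0.113.7 0
2026-05-04T10:00:08 unknown LOGIN_FAILED 203.0.113.7 0
2026-05-04T10:00:12 unknown LOGIN_FAILED 203.0.113.7 0
2026-05-04T10:30:00 ops.admin EXPORT_REPORT 10.20.9.3 250
"""

# Illustrative thresholds (assumptions); tune them to the entity's risk profile.
BUSINESS_HOURS = (8, 20)                    # 08:00-20:00 local
BULK_EXPORT_ROWS = 10_000                   # an export of this many rows or more is "bulk"
FAILED_AUTH_COUNT = 5                       # failures per source IP ...
FAILED_AUTH_WINDOW = timedelta(minutes=10)  # ... within this window
PRIV_ACTIONS = {"GRANT_ROLE", "ADD_ADMIN", "SUDO"}  # assumed escalation actions


def parse_logs(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, ip, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "ip": ip, "rows": int(rows)})
    return events


def detect(events):
    """Return (rule, subject, timestamp) alerts, in event order."""
    alerts = []
    failures = defaultdict(list)  # source IP -> recent failure timestamps
    for e in events:
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            alerts.append(("off_hours_access", e["user"], e["ts"]))
        if e["action"].startswith("EXPORT") and e["rows"] >= BULK_EXPORT_ROWS:
            alerts.append(("bulk_export", e["user"], e["ts"]))
        if e["action"] in PRIV_ACTIONS:
            alerts.append(("privilege_escalation", e["user"], e["ts"]))
        if e["action"] == "LOGIN_FAILED":
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= FAILED_AUTH_WINDOW]
            recent.append(e["ts"])
            failures[e["ip"]] = recent
            if len(recent) == FAILED_AUTH_COUNT:  # fire once, when the threshold is crossed
                alerts.append(("failed_auth_spike", e["ip"], e["ts"]))
    return alerts
```

On the sample above the rules raise exactly one alert each; the sub-threshold report export at 10:30 raises none, which is the negative case a tuning exercise should keep checking.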
Market Manipulation Detection
CSCRF has a capital-markets-specific addition most generic cybersecurity frameworks lack: cyber threat intelligence applied to market manipulation detection. Unusual trading patterns that coincide with system access anomalies must be flagged and investigated.
Function 4: Respond — Incident Response for Capital Markets
SEBI-Specific Incident Reporting
Capital markets incidents have two audiences: CERT-In (6-hour window) and SEBI. SEBI's CSCRF requirements:
- Report to designated SEBI department within 6 hours of a cybersecurity incident affecting trading operations or client data
- Preliminary incident report within 24 hours — nature, scope, impact on markets/clients, containment status
- Final investigation report within 21 days — full RCA, regulatory impact assessment, remediation plan
Crisis Communication
- Client communication plan — how and when are clients notified if their trading account or data is affected?
- SEBI liaison — a designated point of contact who can speak to SEBI during an active incident
- Media policy — who speaks to the press, what can be said, what cannot be said until SEBI clearance
Function 5: Recover — Business Continuity for Trading Operations
- RTO for trading systems — SEBI expects trading operations to resume within defined windows; MIIs have the strictest requirements (minutes), while broker platforms have more latitude (hours)
- DR drill for trading systems — annual drill with documented results; SEBI examiners will ask for the last drill report
- Client data backup — recovery point objective (RPO) of ≤ 24 hours for client portfolios and transaction history
- Cyber insurance — CSCRF recommends (does not mandate) cyber insurance proportionate to technology risk; for Qualified REs this is de facto expected
SEBI CSCRF vs. Other Frameworks: What's New
| Control | SEBI CSCRF | RBI IT Framework | DPDP Act | CERT-In 2022 |
|---|---|---|---|---|
| Board-level CISO | ✅ | ✅ | ❌ | ❌ |
| Annual VAPT (CERT-In empanelled) | ✅ | ✅ | Implied | ❌ |
| 6-hour SEBI notification | ✅ | ❌ | ❌ | ❌ |
| 6-hour CERT-In notification | ✅ | ✅ | ✅ | ✅ |
| Market manipulation detection | ✅ | ❌ | ❌ | ❌ |
| Dark web monitoring (Qualified+) | ✅ | ❌ | ❌ | ❌ |
| DPB notification | ❌ | ❌ | ✅ | ❌ |
Your CSCRF Compliance Timeline — June 2026 Sprint
| Month | Action |
|---|---|
| Now (May 2026) | Book VAPT, begin gap assessment against CSCRF controls |
| June 2026 | VAPT complete, Board presentation of security posture |
| June 2026 | CSCRF compliance declaration submitted to SEBI per circular |
| Ongoing | Quarterly security committee meetings, annual VAPT cycle |
Book your SEBI CSCRF compliance VAPT at bachao.ai/sebi-audit. We deliver CERT-In empanelled VAPT reports with a SEBI CSCRF control mapping section, structured for direct submission to your Board and compliance team. Turnaround: 7–10 business days. Capacity is limited — book now for pre-June delivery.
Written by Shouvik Mukherjee, Founder, Bachao.AI. DPIIT Recognised Startup. CERT-In empanelled. Serving SEBI-registered intermediaries, stock brokers, and AMCs across India.
