What is SEBI CSCRF?
The Securities and Exchange Board of India (SEBI) Cyber Security and Cyber Resilience Framework (CSCRF) is a mandatory cybersecurity framework for all SEBI-regulated entities — including stock exchanges, depositories, brokers, mutual funds, portfolio managers and market infrastructure institutions. First introduced in 2015 and significantly updated in 2024, CSCRF establishes comprehensive cybersecurity requirements for India’s capital markets ecosystem.
| Attribute | Detail |
|---|---|
| Standard Body | Securities and Exchange Board of India (SEBI) |
| Current Version | 2024 update |
| Mandatory or Voluntary | Mandatory for SEBI-regulated entities |
| Geography | India |
| Official Resource | sebi.gov.in |
Entity Categories and Requirements
SEBI CSCRF categorises regulated entities into five categories based on their size, criticality and systemic importance — each with progressively more stringent requirements.
| Category | Entities | Key requirements |
|---|---|---|
| Market Infrastructure Institutions (MII) | Stock exchanges, depositories, clearing corporations | Most stringent — SOC, CISO, annual audit, cyber drills |
| Qualified REs | Large brokers, AMCs, portfolio managers above threshold | CISO, SOC, VAPT, incident reporting |
| Mid-size REs | Medium-sized regulated entities | CISO, basic SOC capabilities, annual VAPT |
| Small REs | Smaller regulated entities | Basic cybersecurity controls, annual assessment |
| Self-certification REs | Very small entities | Self-certification of basic cyber hygiene |
Key Framework Requirements
| Requirement | Description |
|---|---|
| Cyber Security Policy | Board-approved cyber security and resilience policy covering all aspects of the framework |
| CISO designation | Qualified CISO responsible for cybersecurity programme — reports to board |
| Security Operations Centre | 24×7 SOC for monitoring — can be in-house or outsourced to SEBI-empanelled SOC providers |
| VAPT | Annual vulnerability assessment and penetration testing by CERT-In empanelled auditors |
| Incident reporting | Cyber incidents reported to SEBI and CERT-In within 6 hours of detection |
| Business continuity | RTO of 4 hours for critical systems — regular BCP testing required |
| Data localisation | Critical data of Indian securities market must be stored within India |
Securitora Assessment
SEBI CSCRF is essential for any organisation participating in India’s capital markets ecosystem. The 2024 update significantly raised the bar — particularly around SOC requirements, incident reporting timelines and data localisation. The category-based approach is pragmatic — smaller entities are not burdened with the same requirements as systemically important market infrastructure institutions. For international firms operating in India, CSCRF compliance requires careful attention to data localisation and the use of CERT-In empanelled auditors.
| Attribute | Detail |
|---|---|
| Recommended for | All SEBI-regulated entities — stock exchanges, brokers, AMCs, portfolio managers |
| Difficulty to implement | Medium to High — varies by entity category; MIIs face the most stringent requirements |
| Best used with | ISO 27001 · NIST CSF 2.0 · RBI Cyber Security Framework |
| Official resource | sebi.gov.in |