SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) consolidated the regulator’s security expectations for the securities market. The headline for security teams: VAPT is mandatory, at least annually for regulated entities and twice a year for Market Infrastructure Institutions (MIIs) such as exchanges and depositories.
Who must comply, and how often
- Regulated entities (brokers, AMCs, etc.) — at least annual VAPT.
- MIIs (stock exchanges, clearing corporations, depositories) — VAPT twice a year, reflecting their systemic importance.
- All — cybersecurity incidents reported to SEBI within 6 hours of detection, matching the CERT-In reporting window.
What CSCRF expects beyond a scan
CSCRF is resilience-oriented, not checkbox VAPT. Expect requirements around governance, a functioning SOC, data classification, third-party/vendor risk, and the ability to recover — not just a vulnerability list. The VAPT must be real (manual exploitation and business-logic testing), with findings closed and evidenced.
Common compliance gaps
- Scan-only “VAPT.” An automated scan is not a penetration test; CSCRF expects depth.
- Findings not closed. Auditors want the remediation trail, not just the report.
- Vendor risk ignored. Your RTA, KYC, and cloud providers are in scope.
- MIIs testing only once a year. For MIIs the cadence is twice a year, not annual.
RingSafe delivers CSCRF-aligned VAPT with the depth and reporting SEBI auditors expect. Talk to our team.