SEBI CSCRF · Capital Markets · Updated June 2026

Complete guide to SEBI CSCRF

SEBI's Cyber Security and Cyber Resilience Framework (Aug 2024) — for stock brokers, RIAs, AMCs, mutual funds, depositories, clearing corporations. Categorisation, controls, audits, and what to ship before your sectoral inspection.

  • 5 tiers — REs categorised
  • Annual — VAPT cadence
  • Quarterly — vulnerability scans
  • MITRE — ATT&CK aligned

01 What CSCRF is

The Cyber Security and Cyber Resilience Framework was issued by SEBI on 20 August 2024 (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113) and supersedes the earlier 2018 cyber circular. It is materially more prescriptive than its predecessor — every control is mapped to a maturity level, every regulated entity is bucketed by size into one of five categories, and every category has a specific control surface and audit cadence.

Unlike RBI's framework, which is built on outcomes and high-level expectations, CSCRF reads more like a control library, closer in style to NIST SP 800-53 with a MITRE ATT&CK overlay. SEBI's expectation is that regulated entities can be inspected against specific control IDs.

What is genuinely new in 2024: the explicit MITRE ATT&CK mapping, SBOM (Software Bill of Materials) requirements, ISO 27001 as a baseline expectation for larger entities, and graded enforcement timelines that have been extended (some sub-sectors received timeline extensions through 2025–early 2026).

02 Who it applies to

CSCRF applies to all SEBI Regulated Entities (REs), which includes:

  • Market Infrastructure Institutions (MIIs) — Stock Exchanges, Depositories, Clearing Corporations.
  • Stock Brokers and Depository Participants.
  • Mutual Funds, Asset Management Companies, AMC Trustees.
  • Investment Advisers (RIAs) and Research Analysts.
  • Portfolio Managers, AIFs.
  • Custodians, Debenture Trustees, Credit Rating Agencies.
  • KYC Registration Agencies (KRAs).
  • RTAs (Registrar & Transfer Agents).

If you are a vendor or fintech partner to any of the above, you carry derivative obligations through the contract — REs are now required to push CSCRF expectations down to their material vendors.

03 RE categorisation

Every RE is bucketed into one of five categories based on size, complexity, and systemic importance. The category determines control surface and audit cadence.

Category — Definition (broad) — Audit cadence
  • MIIs — stock exchanges, depositories, clearing corporations — bi-annual cyber audit.
  • Qualified RE (Q-RE) — larger brokers, AMCs, KRAs (specific size thresholds) — annual audit + quarterly scans.
  • Mid-size RE (Mid-RE) — mid-market brokers, AMCs, MF distributors — annual.
  • Small-size RE (Small-RE) — smaller brokers, smaller RIAs — annual (reduced scope).
  • Self-Certification RE — smallest RIAs, individual research analysts — annual self-certification.

Each category has its own annexure in CSCRF specifying which controls are mandatory, which are advisory, and what the audit scope looks like. The control delta between Mid-RE and Q-RE is significant; do not assume your category until you have read your annexure.

04 Governance

  • CISO / equivalent designated officer — required for Q-RE, Mid-RE, and MIIs. Smaller entities can appoint a senior officer with clear cyber accountability.
  • Cyber Security Committee — at the management level, reviewing posture quarterly.
  • Board involvement — board-approved cyber policy refreshed annually; for MIIs, a dedicated board sub-committee.
  • Annual cyber report to SEBI — submitted via the SEBI Compliance Portal in the prescribed format.

05 Control families

CSCRF organises controls into families that map closely to NIST CSF. Practitioner translation:

  • Identify — asset inventory (hardware, software, data, services), data classification, vendor inventory, business impact analysis.
  • Protect — identity and access management with MFA on privileged access, network segmentation (especially trading systems segregated from corporate IT), endpoint protection, encryption (AES-256 at rest, TLS 1.2+ in transit), DLP.
  • Detect — SIEM with use-case library, threat hunting, file integrity monitoring on critical systems, log retention (180 days hot, multi-year archive).
  • Respond — Cyber Crisis Management Plan, incident response RACI, regulator notification timelines, customer/investor communication protocols.
  • Recover — DR plan with RTO/RPO per critical system, annual DR test, post-incident lessons learnt.
  • Govern (CSCRF-specific addition) — policy framework, risk register, vendor risk, third-party assurance, awareness training, audit programme.

06 MITRE ATT&CK alignment

Each Q-RE and MII control is mapped to MITRE ATT&CK techniques. The expectation is that detection use-cases in your SIEM are themselves ATT&CK-tagged. Practical implications:

  • Your SIEM use-case library must be ATT&CK-mapped — every use-case carries the technique IDs it covers.
  • Coverage gaps are explicit — at any audit you should be able to show a heat-map of ATT&CK coverage with gaps acknowledged and on the roadmap.
  • Threat-led testing (purple-team or red-team) is now an expectation for Q-REs and MIIs, not advisory.
  • SBOM for in-scope applications, refreshed at every release, with vulnerability scanning of the dependency tree.
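What the ATT&CK-mapped use-case library and the coverage heat-map look like in practice, as an added example that is not part of the original guide or of any SEBI material: the technique IDs and tactic names are a small illustrative subset of MITRE ATT&CK (Enterprise), while the "required" technique list and the use-cases themselves are constructed for this example. A real programme derives the required list from its threat model against the full matrix; the script only shows the mechanics of computing coverage, gaps, and unmapped rules.

```python
"""Added example: score a SIEM use-case library's ATT&CK coverage.

The technique IDs and tactic names are a small illustrative subset of MITRE
ATT&CK (Enterprise). The use-cases and the 'required' list are constructed for
this example and do not come from SEBI or any real regulated entity.
"""
from collections import defaultdict

# Constructed threat-model subset: technique ID -> the tactic we count it under.
# (Several of these techniques sit under more than one ATT&CK tactic; one is
# chosen here to keep the heat-map simple.)
REQUIRED_TECHNIQUES = {
    "T1078": "Initial Access",     # Valid Accounts
    "T1190": "Initial Access",     # Exploit Public-Facing Application
    "T1566": "Initial Access",     # Phishing
    "T1059": "Execution",          # Command and Scripting Interpreter
    "T1003": "Credential Access",  # OS Credential Dumping
    "T1110": "Credential Access",  # Brute Force
    "T1021": "Lateral Movement",   # Remote Services
    "T1041": "Exfiltration",       # Exfiltration Over C2 Channel
    "T1486": "Impact",             # Data Encrypted for Impact
}

# Constructed use-case library: each SIEM rule lists the techniques it detects.
USE_CASES = [
    {"id": "UC-001", "name": "Impossible travel on privileged login", "techniques": ["T1078"]},
    {"id": "UC-002", "name": "Password spray against OMS gateway", "techniques": ["T1110", "T1078"]},
    {"id": "UC-003", "name": "LSASS memory access on trading hosts", "techniques": ["T1003"]},
    {"id": "UC-004", "name": "Encoded PowerShell on endpoints", "techniques": ["T1059"]},
    {"id": "UC-005", "name": "Mass file rename / ransom note dropped", "techniques": ["T1486"]},
    {"id": "UC-006", "name": "Legacy rule never mapped", "techniques": []},
]


def coverage_report(required, use_cases):
    """Return which rules cover each required technique, the gaps, the unmapped
    rules, and a per-tactic coverage ratio (the 'heat-map' an auditor asks for)."""
    covered = defaultdict(list)
    unmapped = []
    for uc in use_cases:
        if not uc["techniques"]:
            unmapped.append(uc["id"])  # a rule with no mapping is a library defect
        for technique in uc["techniques"]:
            covered[technique].append(uc["id"])

    gaps = sorted(t for t in required if t not in covered)

    per_tactic = defaultdict(lambda: {"required": 0, "covered": 0})
    for technique, tactic in required.items():
        per_tactic[tactic]["required"] += 1
        if technique in covered:
            per_tactic[tactic]["covered"] += 1
    heatmap = {tactic: round(c["covered"] / c["required"], 2) for tactic, c in per_tactic.items()}

    return {"covered": dict(covered), "gaps": gaps, "unmapped": unmapped, "heatmap": heatmap}


def render(report):
    """Plain-text heat-map suitable for an audit evidence pack."""
    lines = []
    for tactic, ratio in sorted(report["heatmap"].items()):
        filled = int(ratio * 10)
        bar = "#" * filled + "." * (10 - filled)
        lines.append(f"{tactic:<18} [{bar}] {int(ratio * 100):3d}%")
    lines.append("Gaps (on roadmap): " + ", ".join(report["gaps"]))
    lines.append("Unmapped rules: " + ", ".join(report["unmapped"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(coverage_report(REQUIRED_TECHNIQUES, USE_CASES)))
```

The unmapped-rule check matters as much as the gap list: an auditor asking for the heat-map will also ask why a rule exists that maps to nothing, and the library is meant to be version-controlled so that this report can be regenerated for any past release of it.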

07 VAPT & vulnerability management

  • Annual VAPT for Q-RE and Mid-RE; bi-annual for MIIs.
  • Vendor — preferably CERT-In empanelled; for MIIs, mandatory.
  • Quarterly vulnerability scans of internet-facing systems.
  • Patch SLAs — Critical: 7 days. High: 30 days. Medium: 90 days. With documented exception process.
  • Re-test of high/critical findings within 30 days, with a re-test letter on file.
  • Application security testing — pre-production OWASP ASVS L2 testing for new releases of customer-facing apps; SAST/DAST in CI for material applications.
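The per-release SBOM requirement from the ATT&CK section and the patch SLAs listed above fit together into one pipeline step, shown here as an added example that is not part of the original guide. The two SBOMs are minimal CycloneDX-style JSON written for the example, the vulnerability feed is constructed with placeholder identifiers rather than real CVEs, and the application name "investor-portal" is hypothetical. The SLA figures (Critical 7 days, High 30, Medium 90, re-test within 30 days) are the ones the guide states.

```python
"""Added example: per-release SBOM delta, dependency check, and CSCRF patch SLAs.

The two SBOMs are minimal CycloneDX-style JSON written for this example; the
vulnerability feed is constructed with placeholder IDs (not real CVEs).
"""
import json
from datetime import date, timedelta

# Patch SLAs as stated in the CSCRF summary above.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
RETEST_WINDOW_DAYS = 30  # re-test of high/critical findings

SBOM_V1 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "investor-portal", "version": "1.4.0"}},
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.1.0"},
    {"type": "library", "name": "example-tls", "version": "1.0.3"}
  ]
}""")

SBOM_V2 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "investor-portal", "version": "1.5.0"}},
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.2.0"},
    {"type": "library", "name": "example-tls", "version": "1.0.3"},
    {"type": "library", "name": "example-auth", "version": "0.9.1"}
  ]
}""")

# Constructed feed keyed by (name, version) -> list of (vuln id, severity).
VULN_FEED = {
    ("example-json-parser", "2.1.0"): [("VULN-PLACEHOLDER-1", "critical")],
    ("example-tls", "1.0.3"): [("VULN-PLACEHOLDER-2", "high")],
    ("example-auth", "0.9.1"): [("VULN-PLACEHOLDER-3", "medium")],
}


def components(sbom):
    """Set of (name, version) pairs in an SBOM."""
    return {(c["name"], c["version"]) for c in sbom.get("components", [])}


def release_delta(old, new):
    """Added/removed/unchanged components between two releases; this is the
    evidence that the SBOM is per-release, not a one-time deliverable."""
    a, b = components(old), components(new)
    return {"added": sorted(b - a), "removed": sorted(a - b), "unchanged": sorted(a & b)}


def scan(sbom, feed, scan_date):
    """Match every component against the feed and attach the SLA due date.
    scan_date is an ISO date string, as a scanner export would carry it."""
    start = date.fromisoformat(scan_date)
    findings = []
    for name, version in sorted(components(sbom)):
        for vuln_id, severity in feed.get((name, version), []):
            due = start + timedelta(days=PATCH_SLA_DAYS[severity])
            findings.append({"component": f"{name}@{version}", "id": vuln_id,
                             "severity": severity, "due": due.isoformat()})
    return findings


def sla_status(finding, today, fixed_on=None, exception_ref=None):
    """'closed', 'exception', 'on_track' or 'overdue' for one finding (ISO dates)."""
    if fixed_on is not None:
        return "closed"
    if exception_ref:  # documented exception process: a reference must be on file
        return "exception"
    overdue = date.fromisoformat(today) > date.fromisoformat(finding["due"])
    return "overdue" if overdue else "on_track"


def retest_due(finding, fixed_on):
    """High/critical fixes need a re-test (and re-test letter) within 30 days."""
    if finding["severity"] not in ("critical", "high"):
        return None
    return (date.fromisoformat(fixed_on) + timedelta(days=RETEST_WINDOW_DAYS)).isoformat()


if __name__ == "__main__":
    print(release_delta(SBOM_V1, SBOM_V2))
    for f in scan(SBOM_V2, VULN_FEED, "2026-06-01"):
        print(f, sla_status(f, "2026-07-02"))
```

Run in CI, the delta output is the artefact that proves the SBOM was regenerated for the release, and the findings with their due dates are what the quarterly scan report and the exception register are reconciled against.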

08 SOC obligations

  • MIIs and Q-REs — 24x7 SOC, in-house or co-managed; SLA-bound; quarterly metrics published to the cyber committee.
  • Mid-RE — SOC during business hours minimum; off-hours coverage via on-call or MSSP.
  • Use-case library documented, ATT&CK-mapped, version-controlled.
  • Threat intelligence integrated; sectoral intel from MII / SEBI advisories ingested.
  • MTTD / MTTR measured and reported.

09 Cyber audit

CSCRF prescribes formal cyber audits separate from financial / IS audit:

  • Auditor qualification — CERT-In empanelled, with documented cyber audit competence; for MIIs, additional qualifications such as CISA / CISM lead auditor.
  • Audit scope — every applicable control in your category's annexure.
  • Audit report — submitted to SEBI within prescribed timelines via the Compliance Portal; remediation plan with target dates appended.
  • Audit Committee oversight — findings reviewed by the audit committee of the board; remediation tracked to closure.

10 Incident reporting

Trigger — Authority — Window
  • Cyber incident — SEBI (via Compliance Portal) — within 6 hours of detection.
  • Cyber incident — CERT-In — within 6 hours (April 2022 direction).
  • Cyber incident (MII) — stock exchange + SEBI — immediate; press release if market-impacting.
  • Personal data breach — DPDP Board (when Rules notified) — 72 hours.
  • Trading disruption — SEBI + exchange — immediate.
  • Investor data breach — affected investors — "without undue delay".

11 Data & cloud rules

  • Data localisation — investor data and trading data must be primarily stored in India. Cross-border processing permissible only with specific safeguards.
  • Cloud adoption — permitted with documented risk assessment, board approval for material outsourcing, encryption keys held by the RE, exit/portability plan.
  • Vendor and sub-processor — full chain documented; SEBI inspection rights flowed down.
  • Encryption keys — for sensitive systems, customer-controlled keys (CMK) preferred; HSM-backed for trading and custody systems.
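The data-residency audit the roadmap later calls for ("where is investor data actually stored") comes down to a check over a storage inventory, shown here as an added example that is not part of the original guide. The region identifiers are the providers' published names for their Indian regions; the bucket names, classifications and the safeguard reference column are constructed for the example. A primary store outside India is flagged as a breach; a foreign replica is treated as cross-border processing that is acceptable only with a documented safeguard on file, which is how the localisation rule above reads.

```python
"""Added example: data-residency check over a cloud storage inventory.

The region identifiers are the providers' published names for their Indian
regions; the inventory rows and classifications are constructed for this example.
"""
import csv
import io

# Indian regions per provider (provider-published region identifiers).
INDIA_REGIONS = {
    "aws": {"ap-south-1", "ap-south-2"},                   # Mumbai, Hyderabad
    "azure": {"centralindia", "southindia", "westindia"},
    "gcp": {"asia-south1", "asia-south2"},                 # Mumbai, Delhi
}

# Data classes the framework expects to be primarily stored in India.
LOCALISED_CLASSES = {"investor-data", "trading-data"}

# Constructed inventory, in the shape a cloud asset export might take.
INVENTORY_CSV = """provider,bucket,region,classification,replica_region,safeguard_ref
aws,inv-portal-docs,ap-south-1,investor-data,,
aws,analytics-export,us-east-1,investor-data,,
azure,trade-archive,centralindia,trading-data,westeurope,
gcp,marketing-assets,europe-west1,public,,
gcp,kyc-scans,asia-south1,investor-data,asia-south2,
aws,research-feed,ap-south-1,trading-data,eu-west-1,DPA-2025-07
"""


def in_india(provider, region):
    """True when the region is one of the provider's Indian regions."""
    return region in INDIA_REGIONS.get(provider, set())


def residency_findings(csv_text):
    """One finding per localisation problem. Primary store outside India is a
    breach; a foreign replica is cross-border processing and is acceptable only
    with a documented safeguard reference on file."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["classification"] not in LOCALISED_CLASSES:
            continue  # public/marketing data carries no localisation duty here
        if not in_india(row["provider"], row["region"]):
            findings.append({"bucket": row["bucket"], "severity": "breach",
                             "issue": f"primary store outside India ({row['region']})"})
        replica = row["replica_region"]
        if replica and not in_india(row["provider"], replica) and not row["safeguard_ref"]:
            findings.append({"bucket": row["bucket"], "severity": "review",
                             "issue": f"cross-border replica without documented safeguard ({replica})"})
    return findings


if __name__ == "__main__":
    for f in residency_findings(INVENTORY_CSV):
        print(f"{f['severity']:<7} {f['bucket']:<18} {f['issue']}")
```

The classification column is what makes this more than a region filter: the same check has to know which buckets hold investor or trading data, so the Identify-family asset and data inventory has to exist before the residency audit can be trusted.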

12 Compliance timeline

CSCRF's original timeline (Aug 2024) gave 6-12 months depending on category. SEBI has subsequently issued extension circulars for specific sub-sectors (RIAs, smaller depository participants) — check the SEBI circular page for your sub-sector before assuming you are out of time. As of 2026:

  • MIIs and Q-REs: in-force, current audit cycle is the first formal CSCRF audit.
  • Mid-REs: in-force; many smaller mid-tier brokers were granted phase-in extensions.
  • Small-REs: phased; first self-certification or reduced-scope audit due in the current cycle.
  • Sub-sectors with extensions: check the latest SEBI circular for your category.

13 Common mistakes

  • Self-categorising lower than warranted. SEBI re-categorises during inspection. Conservative interpretation wins.
  • Last year's RBI/IT audit re-titled as "CSCRF audit". Different control surface; auditors are increasingly aware.
  • SIEM use-cases without MITRE mapping. Q-REs are increasingly asked for the ATT&CK heat-map.
  • SBOM treated as one-time deliverable. SBOM is per-release and versioned.
  • Trading systems on the same VLAN as corporate IT. Fundamental segregation breach.
  • Vendor contracts not refreshed for CSCRF flow-down. Pre-2024 contracts often miss the inspection-rights and breach-notification clauses.
  • "Annual VAPT" interpreted as automated scan. CSCRF expects manual exploitation.
  • Customer / investor data on cloud outside India. Localisation breach; trace your S3/Blob/GCS bucket regions.

14 90-day roadmap

  • Days 1–15. Read your category annexure end-to-end. Confirm categorisation. Write a gap register — every applicable control with current state and target state.
  • Days 15–30. Governance fixed: CISO appointment letter, cyber committee charter, quarterly cadence in calendar, board-approved policy refreshed.
  • Days 30–45. SIEM use-case library audit, ATT&CK mapping started, log retention validated.
  • Days 45–60. VAPT scoped and kicked off with a CERT-In empanelled vendor; vulnerability scanning cadence formalised; vendor contract review for CSCRF flow-down.
  • Days 60–75. SBOM generation pipeline for material applications; DR test executed; data-residency audit (where is investor data actually stored).
  • Days 75–90. CSCRF audit scoped with a qualified auditor; gap closures into ticket system; report template ready for the SEBI Compliance Portal submission.

If you remember nothing else: CSCRF is not "RBI Cyber Framework with a different cover." It is a control-mapped, MITRE-aligned, category-specific regime that expects evidence at the control-ID level. Treat it as a separate compliance project, not a re-use of your RBI artefacts.

From scattered controls to CSCRF-ready

A 30-minute consultation. We map your environment to your CSCRF category annexure and give you a 90-day roadmap prioritised by audit risk and control gap.