Last updated: April 26, 2026
SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF, August 2024) requires regulated entities to report cyber incidents via the SEBI Compliance Portal within specific timelines. This article covers the practical workflow.
The reporting timelines
| Trigger | SEBI Window | Other |
|---|---|---|
| Cyber incident | 6 hours via Compliance Portal | + CERT-In 6 hours |
| MII incident | Immediate to exchange + SEBI | Press release if market-impacting |
| Investor data breach | 72 hours to DPB | Affected investors “without undue delay” |
| Trading disruption | Immediate | SEBI Surveillance + exchange |
The Compliance Portal flow
```text
# SEBI Compliance Portal (intermediary login)
URL:   https://siportal.sebi.gov.in
Login: SEBI registration number + password + OTP

Navigation:
  Dashboard → Cyber Incident Reporting → New Incident

Fields (mandatory):
  - Incident category (per SEBI's taxonomy)
  - Date/time detected
  - Date/time of incident
  - MII categorisation impact (Y/N)
  - Affected systems
  - Customer/investor data exposure (Y/N + scope)
  - Initial mitigation
  - ATT&CK techniques (if known)
  - Attachment: written incident report (PDF)

Submit → reference number issued → store in IR documentation
```
The ATT&CK mapping requirement
CSCRF expects MITRE ATT&CK technique IDs in incident reports for Q-RE and MII categories. The IR runbook should include:
- Initial Access tactic — Phishing (T1566), External Remote Services (T1133), Valid Accounts (T1078)
- Execution — Command and Scripting (T1059), User Execution (T1204)
- Persistence — Scheduled Task (T1053), Valid Accounts (T1078), Boot/Logon Autostart (T1547)
- Privilege Escalation — T1068, T1078, T1134
- Credential Access — Brute Force (T1110), OS Credential Dumping (T1003), Kerberoasting (T1558.003)
- Lateral Movement — Remote Services (T1021), Lateral Tool Transfer (T1570)
- Exfiltration — Exfiltration Over C2 Channel (T1041), Exfiltration Over Web Service (T1567)
If SIEM detection rules are already tagged with ATT&CK technique IDs, the findings carry their IDs with them and this section of the report can be drafted quickly.
The attached incident-report PDF — structure
1. Executive summary (one page)
2. Timeline (chronological)
3. Affected systems and data
4. ATT&CK technique mapping
5. Investigation methodology
6. Containment actions
7. Eradication actions
8. Recovery actions
9. Post-incident review and lessons learnt
10. Compensating controls implemented
11. Customer / investor communication summary
12. Annexure: detailed forensic evidence
Decision tree
```text
Detection at T
├── < 1 hour:   Internal IR team activated; CISO notified
├── < 2 hours:  Decide MII categorisation impact
│   └── If yes: notify exchange + SEBI surveillance immediately
├── < 4 hours:  Draft Compliance Portal entry
├── < 6 hours:  Submit to Compliance Portal + CERT-In
├── < 24 hours: Hourly updates to SEBI
├── < 72 hours: DPB notification if personal data
└── Post-72h:   Full incident report (the PDF above)
```
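As an added example (not from the article or from SEBI), the decision-tree milestones and two of the Compliance Portal field checks expressed as a small Python deadline tracker. The milestone names, the `Incident` type and the sample timestamps are constructed for illustration; the hour offsets are the ones in the tree above.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
IST = timezone(timedelta(hours=5, minutes=30))
# Milestones from the decision tree, in hours after detection (names are ours).
WINDOWS_H = {"ir_team_activated": 1, "mii_impact_decided": 2, "portal_entry_drafted": 4,
             "portal_and_certin_submitted": 6, "dpb_notified": 72}
# ATT&CK technique IDs: T#### with an optional .### sub-technique suffix.
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

@dataclass
class Incident:
    detected_at: datetime
    incident_at: datetime
    investor_data_exposed: bool
    techniques: list = field(default_factory=list)

def deadlines(inc):
    """Absolute deadline per milestone; DPB applies only when investor data is exposed."""
    dl = {m: inc.detected_at + timedelta(hours=h) for m, h in WINDOWS_H.items()}
    if not inc.investor_data_exposed:
        dl.pop("dpb_notified")
    return dl

def validate(inc):
    """Problems that would block a Compliance Portal submission."""
    problems = []
    if inc.incident_at > inc.detected_at:
        problems.append("incident time is after detection time")
    bad = [t for t in inc.techniques if not TECHNIQUE_RE.match(t)]
    if bad:
        problems.append(f"malformed ATT&CK IDs: {bad}")
    return problems

def status(inc, done, now):
    """Per milestone: 'done', 'late' (completed after deadline), 'overdue' or 'pending'."""
    out = {}
    for m, deadline in deadlines(inc).items():
        if m in done:
            out[m] = "done" if done[m] <= deadline else "late"
        else:
            out[m] = "overdue" if now > deadline else "pending"
    return out

# Constructed sample: detected 09:00 IST, portal entry not yet drafted when checked at 14:30.
SAMPLE = Incident(datetime(2026, 4, 20, 9, 0, tzinfo=IST), datetime(2026, 4, 19, 22, 15, tzinfo=IST),
                  True, ["T1566", "T1078", "T1558.003"])
SAMPLE_DONE = {"ir_team_activated": datetime(2026, 4, 20, 9, 40, tzinfo=IST),
               "mii_impact_decided": datetime(2026, 4, 20, 11, 30, tzinfo=IST)}
SAMPLE_NOW = datetime(2026, 4, 20, 14, 30, tzinfo=IST)
```

Running `status(SAMPLE, SAMPLE_DONE, SAMPLE_NOW)` on the sample marks the MII decision as late, the portal draft as overdue and the 6-hour submission as still pending, which is the view an IR lead wants on the wall during the first afternoon.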
The takeaway
SEBI CSCRF’s 6-hour window assumes a pre-built playbook. Build it before the incident: ATT&CK-mapped SIEM rules, pre-drafted Compliance Portal entries, authorised signatories. Tabletop quarterly. The first real incident with a working playbook costs hours; without one, days plus regulator-relationship damage.