Scenario Brief: Tracking SBOM Readiness Among SEBI-Regulated Intermediaries

Manish Garg · Associate of (ISC)² · RingSafe
May 22, 2026
2 min read
Scenario brief — not a report of a live incident
This is a RingSafe Threat Scenario designed for SOC training, tabletop exercises, and board-level cyber discussions. Specific CVE identifiers, advisory numbers, organisation references, dates, and figures used below are illustrative. Always verify against authoritative sources (CERT-In, NVD, vendor advisories, regulator websites) before taking operational action.
SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF) for Market Infrastructure Institutions and Qualified Regulated Intermediaries (QRIs) reaches its phase-2 deadline on 30 June 2026. RingSafe’s mid-quarter readiness sample shows that only 38% of in-scope entities have completed the required Cyber Capability Index (CCI) self-assessment. Last-mile sprints begin now.

RingSafe Compliance Tracker · SEBI CSCRF Phase 2 — 22 May 2026

Where the deadline pressure is

Phase 2 of CSCRF lifts the maturity threshold for Qualified Regulated Intermediaries (QRIs) from “Essential” to “Foundational” tier, which requires:

  • A documented Cyber Crisis Management Plan (CCMP) tested at least twice per year.
  • Operational SIEM with 180-day log retention for tier-1 systems.
  • Annual Vulnerability Assessment and biennial Penetration Test of all internet-exposed systems and trading interfaces.
  • Cyber Capability Index (CCI) self-assessment scoring at least 70.
  • An SBOM for every in-house and procured trading-critical application.

What our sample tells us

RingSafe assessed readiness across 38 stockbrokers, depository participants, and asset managers in April-May:

  • 62% have the CCMP documented but only 24% have actually tabletop-tested it in the last 12 months.
  • SIEM coverage is uneven: 41% meet the 180-day retention requirement, but their SIEM ingests logs from fewer than half of their designated tier-1 systems.
  • SBOM is the weakest control by far — 9% of entities have SBOMs for in-house applications, and almost none have them for procured third-party software.

RingSafe analysis

The SBOM gap is structural, not a question of effort. Most QRIs procure trading platforms, OMS systems, and risk engines from vendors who do not yet ship CycloneDX or SPDX bills of materials. The CSCRF requirement essentially forces an industry-level conversation between QRIs and their vendors — and we are watching to see whether SEBI grants a one-time extension for procured-software SBOMs or holds the line.
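When a vendor does deliver a bill of materials, the QRI still has to decide whether it is usable before counting it toward the control. The following is an added example, not RingSafe tooling and not anything prescribed by the CSCRF text, of a minimal acceptance check for a CycloneDX JSON SBOM: it confirms the document declares its format and spec version, names the application and release it describes, and lists every component with a name, version and package URL (purl), and it flags duplicates and non-purl identifiers. The two sample SBOMs, the product names in them, and the exact set of required fields are constructed assumptions for illustration; a real procurement letter would pin the required fields to the CycloneDX or SPDX version the QRI accepts.

```python
"""Minimal acceptance check for a vendor-supplied CycloneDX JSON SBOM.

Added example for illustration; not RingSafe's or any vendor's code.
The sample SBOMs below are constructed and do not describe real products.
"""
import json
import re

# Fields a QRI could reasonably require on every component (assumption).
REQUIRED_COMPONENT_FIELDS = ("name", "version", "purl")
# Package URLs start with "pkg:" followed by a type and a "/".
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/")


def check_cyclonedx(doc: dict) -> list[str]:
    """Return a list of findings; an empty list means the SBOM is acceptable."""
    findings: list[str] = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not 'CycloneDX'")
        return findings
    if not isinstance(doc.get("specVersion"), str):
        findings.append("specVersion missing")

    meta = doc.get("metadata") or {}
    top = meta.get("component") or {}
    if not (top.get("name") and top.get("version")):
        findings.append("metadata.component must name the application and its version")
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing; SBOM cannot be tied to a release")

    comps = doc.get("components") or []
    if not comps:
        findings.append("components list is empty")

    seen: set[tuple] = set()
    for i, c in enumerate(comps):
        label = f"components[{i}] ({c.get('name', '?')})"
        for field in REQUIRED_COMPONENT_FIELDS:
            if not c.get(field):
                findings.append(f"{label}: missing {field}")
        purl = c.get("purl")
        if purl and not PURL_RE.match(purl):
            findings.append(f"{label}: purl does not look like a package URL: {purl}")
        key = (c.get("name"), c.get("version"))
        if key in seen:
            findings.append(f"{label}: duplicate entry")
        seen.add(key)
    return findings


def check_sbom_text(text: str) -> list[str]:
    """Parse raw SBOM text and route it to the CycloneDX check."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    if "spdxVersion" in doc:
        # SPDX has its own schema; this checker only covers CycloneDX.
        return ["SPDX document received; this checker only covers CycloneDX"]
    return check_cyclonedx(doc)


# Constructed sample: what an acceptable delivery looks like.
GOOD_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-05-01T00:00:00Z",
        "component": {"name": "example-oms", "version": "4.2.0"},
    },
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
}

# Constructed sample: typical defects in a first vendor delivery.
BAD_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-risk-engine"}},
    "components": [
        {"type": "library", "name": "openssl", "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "zlib-1.3.1"},
        {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "zlib-1.3.1"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SBOM), ("bad", BAD_SBOM)):
        print(name, check_cyclonedx(doc) or "PASS")
```

Run the file directly to see the constructed "bad" SBOM fail on a missing release version and timestamp, a component without a version, two components whose identifiers are not package URLs, and a duplicate entry. The purl requirement is the one worth insisting on in the procurement letter: without it the QRI cannot match the SBOM against vulnerability feeds, which is the only reason to hold the document at all.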

The other observation: SOC-as-a-service is increasingly the realistic answer for sub-100-employee QRIs that cannot build a 24×7 detection team. Expect consolidation in the Indian SOC market through the rest of 2026.

30-day sprint plan for laggards

  • Week 1: complete the CCI self-assessment honestly — you cannot remediate what you have not scored.
  • Week 2: scope a CCMP tabletop with at least three named scenarios (ransomware, vendor compromise, insider data theft).
  • Week 3: write procurement letters to your top 5 software vendors requiring a CycloneDX or SPDX SBOM for each trading-critical application within 90 days.
  • Week 4: file the readiness attestation with your designated SEBI contact.