SEBI CSCRF Framework 2025 : Complete Compliance Guide for Stock Brokers, Depositories & AMCs
Introduction to SEBI CSCRF
India's capital markets process trillions of rupees in daily transactions. Stock exchanges, brokers, depositories, and fund managers operate systems where a single cybersecurity failure can cascade into market disruption, investor data breaches, and loss of public confidence in the financial system. SEBI recognized this risk and progressively strengthened its cybersecurity requirements - culminating in the comprehensive Cybersecurity and Cyber Resilience Framework (CSCRF).
The SEBI CSCRF is a mandatory regulatory framework for all SEBI registered entities, consolidating earlier cybersecurity circulars into a single structured framework built around five internationally recognized pillars: Identify, Protect, Detect, Respond, and Recover. The framework grades regulated entities (REs) by size and systemic importance - Market Infrastructure Institutions (MIIs), Qualified REs, mid-size REs, small-size REs and self-certification REs - and the depth of the controls assessed rises with that category. Every regulated entity - from large stock exchanges to individual portfolio managers - must demonstrate compliance through an annual audit conducted by a CERT-In empanelled auditor.
Non-compliance exposes organizations to regulatory penalties, adverse observations during SEBI inspections, and operational restrictions. This guide explains SEBI CSCRF compliance in India - who must comply, what the framework requires, what auditors check, common gaps, and how to choose the right CERT-In empanelled partner.
ISECURION is a CERT-In empanelled and ISO 27001:2022 certified cybersecurity firm with proven CSCRF audit experience across stock brokers, AMCs, depositories, RTAs, and other SEBI regulated entities across India.
What is SEBI CSCRF?
SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) is a mandatory compliance framework requiring all SEBI regulated entities to implement cybersecurity controls, undergo annual audits, and demonstrate continuous improvement in their cyber resilience posture.
Identify
IT asset inventory, data classification, supply chain risk, and governance policy.
Protect
MFA, encryption, VAPT, patch management, and access control implementation.
Detect
24x7 SOC monitoring, SIEM, and 2-year security log retention.
Respond
Incident response plan, SEBI breach notification, and annual drill evidence.
Recover
BCP, DRP, annual DR drills, and tested RTO/RPO targets.
The CSCRF covers the full cybersecurity lifecycle, establishing a unified framework for cyber governance across India's capital markets ecosystem.
Why SEBI CSCRF Compliance is Mandatory
The CSCRF is not a guideline - it is a mandatory regulatory requirement for every entity registered with SEBI. The framework was introduced to address the growing cyber risk to India's capital markets infrastructure, protect investor data and funds, and align India's securities sector with global cybersecurity best practices.
SEBI inspections of regulated entities now include cybersecurity compliance as a standard review area. Entities that have not completed their annual CSCRF audit, or that have unresolved material gaps, face regulatory action including adverse inspection observations shared with their board, increased scrutiny in subsequent inspection cycles, and in serious cases, operational restrictions.
Key Facts About SEBI CSCRF
Annual Audit: The CSCRF requires an annual cybersecurity audit by a CERT-In empanelled auditor. Missing the annual audit creates direct regulatory risk.
VAPT Mandatory: Annual Vulnerability Assessment and Penetration Testing (VAPT) of all trading platforms, web applications, APIs, and network infrastructure is mandatory.
Log Retention: Security event logs must be retained for a minimum of two years in a tamper-evident, audit-ready format - one of the most commonly failed requirements in CSCRF audits.
Who Must Comply with SEBI CSCRF?
Stock Exchanges
NSE, BSE and all SEBI recognized stock exchanges - the highest tier, Market Infrastructure Institutions (MIIs), with the most stringent requirements.
Clearing Corporations
NSE Clearing (formerly NSCCL), ICCL and all clearing corporations - Market Infrastructure Institutions with enhanced compliance obligations.
Depositories
CDSL and NSDL (also MIIs), together with the depository participants that service demat accounts across India.
Stock Brokers
All trading members operating on SEBI recognized exchanges, including the authorised persons (the former sub-broker category) operating under them.
Asset Management Companies
AMCs managing mutual fund schemes and investor folios - covering trading, NAV, and investor data systems.
Portfolio Managers & IAs
SEBI registered PMS providers and investment advisers managing client portfolios and recommendations.
RTAs & KRAs
Registrar and Transfer Agents processing mutual fund transactions and KYC Registration Agencies managing investor KYC records.
Research Analysts & Others
Research analysts, AIFs, venture capital funds, merchant bankers, and underwriters with SEBI registration.
The Five CSCRF Pillars - Mapped to SEBI Requirements
The CSCRF is structured around five pillars drawn from the functions of the NIST Cybersecurity Framework, adapted for India's capital markets context. CSCRF itself also lists Governance as a separate function alongside these five; this guide covers governance under Identify. Each pillar maps to specific controls and evidence your CERT-In auditor will assess during the annual review.
Identify - Know Your Assets and Risks
Comprehensive IT asset inventory (hardware, software, cloud, third-party), data classification policy, annual risk assessment, supply chain vendor risk register, and board-approved cybersecurity governance policy.
Protect - Implement Security Controls
MFA on all critical systems and privileged accounts, data encryption at rest and in transit, network segmentation, patch management, annual VAPT, security awareness training, and change management procedures.
Detect - Monitor Threats in Real Time
24x7 SOC monitoring or equivalent managed service, SIEM deployment with relevant use cases, security event log retention for minimum 2 years, anomaly detection rules, and defined alert escalation procedures.
Respond - Act During an Incident
Documented Incident Response Plan (IRP) with defined roles, SEBI breach notification procedures and timelines, annual tabletop exercises or simulation drills, and post-incident review processes.
Recover - Restore Operations After an Incident
Documented BCP and DRP, annual DR drills with results including actual vs target RTO/RPO, backup integrity testing, and alternate site or cloud failover capability where applicable. Untested recovery plans with no drill evidence do not satisfy CSCRF requirements.
CSCRF Compliance Roadmap for Regulated Entities
Phase 1: Gap Assessment
Assess current cybersecurity posture against all five CSCRF pillars. Identify control gaps, missing documentation, and evidence shortfalls before the formal audit begins.
Phase 2: Policy & Governance
Develop or update board-approved cybersecurity policy, data classification framework, vendor risk register, and access management procedures aligned to SEBI requirements.
Phase 3: Technical Controls & VAPT
Implement MFA, encryption, log management, and SIEM use cases. Conduct annual VAPT across trading platforms, web applications, APIs, and network infrastructure. Remediate critical and high findings.
Phase 4: IR & DR Testing
Conduct incident response tabletop exercises and DR drills. Document actual RTO/RPO achieved. Update IRP and DRP based on test outcomes. Ensure SEBI notification procedures are operationally ready.
Phase 5: Annual CSCRF Audit & SEBI Submission
Engage CERT-In empanelled auditor for the formal annual CSCRF audit. Compile complete evidence pack, obtain audit report, and submit to SEBI within the prescribed deadline.
What a SEBI CSCRF Audit Involves - What the Auditor Checks
A CSCRF audit is not a paper review - it combines documentation assessment, technical testing, and control validation. Understanding what your auditor will examine helps you prepare effectively and avoid surprises at submission time.
Cybersecurity Governance Review
Board-approved cybersecurity policy, IT security SOPs, asset inventory, risk assessment, and security awareness training records. Policies that exist on paper but are not implemented will not satisfy the auditor.
Annual VAPT Results
VAPT report covering trading platforms, web portals, mobile apps, APIs, and network infrastructure. Unresolved critical or high vulnerabilities from the previous cycle are a direct red flag.
Access Controls & MFA
MFA implementation on all critical systems - trading platforms, back-office, email, VPN, and cloud services. Access logs, privileged account inventories, and quarterly access review records.
SOC Monitoring & Log Retention
Evidence of 24x7 SOC monitoring, SIEM deployment with meaningful alert use cases, and 2-year security event log retention in tamper-evident format. The auditor assesses whether alerts are being generated and escalated - not just whether the SIEM is installed.
Incident Response & DR Testing
Documented IRP, evidence of last tabletop exercise or drill, and DR test results including achieved vs target RTO/RPO. Untested plans with no drill evidence do not satisfy CSCRF requirements.
Third-Party Vendor Assessment
Vendor list, security requirements in vendor contracts, security questionnaires or assessments conducted on critical third-party providers, and cloud service agreements with relevant security clauses.
Encryption Implementation
Encryption of investor data at rest in databases, backup tapes, and cloud storage. Encryption in transit for all external-facing systems. Backup encryption is a particularly common gap.
Patch Management Records
Evidence of a functioning patch management process - not just a policy. The auditor will look for patch deployment logs covering critical and high-severity vulnerability patches within defined timelines.
CSCRF vs ISO 27001 vs CERT-In Guidelines - Overlap and What You Can Reuse
A common question from regulated entities is whether existing ISO 27001 certification or CERT-In compliance reduces CSCRF audit effort. The answer is yes - significantly - but neither eliminates the mandatory annual CSCRF audit.
| Aspect | SEBI CSCRF | ISO 27001 | CERT-In Guidelines |
|---|---|---|---|
| Mandatory? | ✅ Yes - all SEBI regulated entities | ❌ Voluntary | ✅ Yes - incident reporting, empanelment |
| Audit Frequency | Annual | 3-year cycle + annual surveillance | As triggered (incidents, empanelment) |
| Auditor Requirement | CERT-In empanelled only | Accredited certification body | CERT-In empanelled |
| VAPT Required | ✅ Annual mandatory | Recommended, not mandated | Not a general mandate; VAPT is carried out by CERT-In empanelled auditors where a sector regulator such as SEBI requires it |
| Log Retention | 2 years minimum | Not specified (risk-based) | 180 days minimum (2022 directions) |
| Scope | SEBI-specific systems and data | Organization-wide ISMS | All digital infrastructure in India |
What ISO 27001 gives you toward CSCRF: A certified ISMS means your governance, risk assessment, access controls, incident management, and BCP are already documented and externally validated - significantly reducing the documentation gap-finding phase and giving auditors confidence in your control environment.
What neither replaces: The mandatory annual CSCRF audit itself, SEBI-specific incident reporting obligations, and SEBI-mandated minimum controls such as 24x7 SOC monitoring and 2-year log retention must still be demonstrated regardless of ISO 27001 status.
Common CSCRF Compliance Gaps in Indian Regulated Entities
Based on CSCRF audit experience across stock brokers, AMCs, and other SEBI regulated entities, the following gaps appear most frequently - and are most likely to generate adverse observations in SEBI inspections.
MFA Not on All Critical Systems
MFA is implemented on the primary trading login but left missing on back-office systems, admin panels, cloud consoles, and email. CSCRF requires MFA across all critical and privileged access points.
Log Retention Below 2 Years
One of the most common and easily avoidable gaps. Entities retain logs for 90 or 180 days due to storage cost concerns, or without a tamper-evident mechanism. SEBI mandates 2-year minimum.
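The "tamper-evident format" that the audit checks (see also the Key Facts and the SOC Monitoring & Log Retention sections above) is rarely illustrated concretely. The following is an added example, not SEBI's or ISECURION's tooling, of one way to do it: a hash chain over one archived log file per day, plus a check that the archive has no gaps inside the two-year window. The one-file-per-day layout, the manifest fields, and the sample log content are assumptions made for this illustration.

```python
"""Hash-chained archive manifest for security logs, plus a retention-window
check. Added illustration only; the one-file-per-day layout, manifest fields
and sample content are assumptions, not a SEBI-prescribed format."""
import hashlib
from datetime import date, timedelta

GENESIS = "0" * 64          # chain anchor for the first day
RETENTION_DAYS = 730        # two-year minimum described in the text


def chain_manifest(archives):
    """archives: list of (date, bytes) in date order, oldest first.

    Each manifest entry commits to the day, the file's SHA-256 and the
    previous entry's chain value, so altering, dropping or reordering any
    earlier day changes every later chain value. Keeping the final chain
    value on write-once storage (or publishing it) pins the whole archive."""
    manifest, prev = [], GENESIS
    for day, content in archives:
        digest = hashlib.sha256(content).hexdigest()
        link = hashlib.sha256(f"{prev}|{day.isoformat()}|{digest}".encode()).hexdigest()
        manifest.append({"day": day.isoformat(), "sha256": digest, "chain": link})
        prev = link
    return manifest


def verify_chain(manifest, archives):
    """Recompute the chain from the files on disk and compare entry by entry.
    Returns (True, None) if intact, (False, first disagreeing day) otherwise,
    or (False, None) when the number of files and entries differ."""
    recomputed = chain_manifest(archives)
    for stored, fresh in zip(manifest, recomputed):
        if stored != fresh:
            return False, stored["day"]
    if len(manifest) != len(recomputed):
        return False, None
    return True, None


def retention_gaps(manifest, today, retention_days=RETENTION_DAYS):
    """Days inside [today - retention_days, today - 1] with no archived file.
    An empty list means the two-year window is fully covered."""
    present = {m["day"] for m in manifest}
    start = today - timedelta(days=retention_days)
    return [(start + timedelta(days=i)).isoformat()
            for i in range(retention_days)
            if (start + timedelta(days=i)).isoformat() not in present]


def demo(today=date(2025, 4, 1)):
    """Constructed scenario: a full two-year archive, then one silently
    rewritten day, then the three oldest days deleted from the manifest."""
    start = today - timedelta(days=RETENTION_DAYS)
    archives = [(start + timedelta(days=i),
                 f"constructed auth log, day {i}\n".encode())
                for i in range(RETENTION_DAYS)]
    manifest = chain_manifest(archives)

    tampered = list(archives)
    tampered_day = tampered[100][0]
    tampered[100] = (tampered_day, b"attacker rewrote this day's log\n")

    removed = [m["day"] for m in manifest[:3]]
    short_manifest = manifest[3:]

    return {
        "intact": verify_chain(manifest, archives),
        "after_tamper": verify_chain(manifest, tampered),
        "tampered_day": tampered_day.isoformat(),
        "gaps_full": retention_gaps(manifest, today),
        "gaps_short": retention_gaps(short_manifest, today),
        "removed_days": removed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The chain only proves integrity relative to the last link you trust, so the current chain value has to live somewhere the log administrators cannot silently rewrite; the gap check is what turns "we keep logs" into evidence that every day of the window is actually present.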
Vendor Risk Not Formally Assessed
Cloud providers and third-party vendors touching investor data are within CSCRF scope. Most entities lack formal vendor security questionnaires, security clauses in contracts, or evidence of third-party assessments.
IRP Exists on Paper Only
SEBI CSCRF requires a tested Incident Response Plan - not just a documented one. Many entities have a plan drafted years ago with no associated drill evidence or SEBI notification procedure test.
SIEM Deployed But Not Configured
Some entities have deployed a SIEM but have not configured meaningful use cases. Auditors assess whether alerts are being generated, triaged, and escalated - not just whether the tool is installed.
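What "meaningful use cases" look like in practice (this point and the SOC Monitoring & Log Retention section above) is easiest to see with detection logic run over sample events. The block below is an added example, not code from ISECURION or from any SIEM product: two rules over constructed authentication logs, one for a privileged login that succeeded without MFA and one for a burst of failures followed by a success from the same source. The JSON field names, the sample events, the thresholds and the escalation tiers are all assumptions for the illustration.

```python
"""Two SIEM-style use cases over constructed authentication events. Added
illustration only; the JSON field names, sample events and escalation tiers
are assumptions, not a real trading platform's log format or SOC runbook."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: newline-delimited JSON as a log collector might emit it.
SAMPLE_LOGS = """
{"ts":"2025-03-03T09:00:01","system":"backoffice","user":"ops.admin","src":"10.1.5.7","result":"success","mfa":false,"privileged":true}
{"ts":"2025-03-03T09:05:00","system":"trading","user":"trader1","src":"10.1.6.20","result":"success","mfa":true,"privileged":false}
{"ts":"2025-03-03T09:10:00","system":"trading","user":"trader2","src":"203.0.113.9","result":"failure","mfa":false,"privileged":false}
{"ts":"2025-03-03T09:10:10","system":"trading","user":"trader2","src":"203.0.113.9","result":"failure","mfa":false,"privileged":false}
{"ts":"2025-03-03T09:10:20","system":"trading","user":"trader2","src":"203.0.113.9","result":"failure","mfa":false,"privileged":false}
{"ts":"2025-03-03T09:10:30","system":"trading","user":"trader2","src":"203.0.113.9","result":"failure","mfa":false,"privileged":false}
{"ts":"2025-03-03T09:10:40","system":"trading","user":"trader2","src":"203.0.113.9","result":"failure","mfa":false,"privileged":false}
{"ts":"2025-03-03T09:11:10","system":"trading","user":"trader2","src":"203.0.113.9","result":"success","mfa":true,"privileged":false}
{"ts":"2025-03-03T09:30:00","system":"vpn","user":"trader3","src":"198.51.100.4","result":"failure","mfa":false,"privileged":false}
{"ts":"2025-03-03T09:40:00","system":"cloud-console","user":"svc.backup","src":"10.1.5.9","result":"success","mfa":true,"privileged":true}
"""


def parse(raw):
    """Parse NDJSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Use case 1: successful privileged login without MFA (critical).
    Use case 2: at least fail_threshold failures from one source IP inside
    `window`, followed by a success from that IP (high). Failures are kept
    in a per-IP deque trimmed to the window, so this is a single pass."""
    alerts = []
    failures = defaultdict(deque)
    for e in events:
        recent = failures[e["src"]]
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()
        if e["result"] == "failure":
            recent.append(e["ts"])
            continue
        if len(recent) >= fail_threshold:
            alerts.append({"rule": "brute-force-then-success", "severity": "high",
                           "escalate_to": "SOC L2", "user": e["user"], "src": e["src"],
                           "failures_in_window": len(recent), "ts": e["ts"].isoformat()})
            recent.clear()
        if e["privileged"] and not e["mfa"]:
            alerts.append({"rule": "privileged-login-without-mfa", "severity": "critical",
                           "escalate_to": "CISO on-call", "user": e["user"],
                           "system": e["system"], "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOGS)):
        print(json.dumps(alert))
```

Run against the sample it raises exactly two alerts: the back-office admin login without MFA, and trader2's success after five failures from 203.0.113.9. The single VPN failure and the MFA-protected service-account login raise nothing, which is the point an auditor probes: rules that fire on the real pattern and stay quiet otherwise, with a named escalation path attached to each severity.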
Open VAPT Findings at Audit Time
Annual VAPT is mandatory. Some entities conduct VAPT but fail to remediate critical or high-severity findings before the CSCRF audit. An audit submitted with open critical vulnerabilities creates direct regulatory exposure.
ISECURION's CSCRF gap assessment service identifies these issues with enough lead time to remediate before your formal audit deadline.
How to Choose a CERT-In Empanelled Auditor for SEBI CSCRF
Not all CERT-In empanelled auditors are equal in their understanding of SEBI's regulatory requirements. When selecting an auditor for your CSCRF audit, look for the following:
Verify Active CERT-In Empanelment
CERT-In maintains a public list of empanelled organizations. Confirm the auditor is actively empanelled before engagement - audits by non-empanelled parties are not accepted by SEBI.
Confirm SEBI Sector Experience
CSCRF has SEBI-specific requirements - trading system security, SEBI breach notification timelines - that a general-purpose auditor may not know. Ask for references from other SEBI regulated entities they have audited.
Look for In-House VAPT Capability
Annual VAPT is a CSCRF requirement. An auditor that conducts VAPT in-house gives you an integrated and efficient audit process - findings directly inform the CSCRF audit report, reducing evidence gaps and turnaround time.
Ask About Deliverables
Your auditor should deliver a CSCRF audit report, gap analysis, risk register, remediation roadmap, and a SEBI submission-ready evidence pack. If the proposed deliverables don't include all of these, the engagement may be incomplete.
Assess Remediation Support
A good CSCRF auditor provides remediation guidance and can re-test critical findings before the final report - giving you the best chance of a clean SEBI submission, not just a list of findings to deal with alone.
Engage Early Before Your Deadline
SEBI audit submission deadlines are fixed. Engaging your auditor 2–3 months before the deadline allows time for a pre-audit gap assessment, remediation, and a complete formal audit without rushing.
How ISECURION Helps with SEBI CSCRF Compliance
CSCRF Gap Assessment
Comprehensive review of all five CSCRF pillars, identifying control gaps, documentation shortfalls, and evidence requirements before the formal audit.
Annual VAPT
In-house VAPT covering trading platforms, web applications, mobile apps, APIs, and network infrastructure - SEBI CSCRF compliant and directly integrated with audit deliverables.
Policy & Documentation
Development of cybersecurity policies, IRP, DRP, vendor security questionnaires, and all documentation required for a SEBI submission-ready evidence pack.
CSCRF Audit & Report
Formal annual CSCRF audit by CERT-In empanelled auditors, with audit report, executive summary, risk register, and SEBI submission-ready compliance evidence pack.
IR & DR Testing Support
Facilitation of incident response tabletop exercises and DR drills with documented results - producing the evidence your auditor needs for IRP and BCP/DRP compliance.
Ongoing Advisory
Year-round compliance advisory, SEBI circular monitoring, remediation tracking, and readiness support - so you are never caught unprepared when audit time arrives.
ISECURION is a CERT-In empanelled and ISO 27001:2022 certified cybersecurity firm with proven CSCRF audit experience across SEBI regulated entities in Bengaluru, Mumbai, Delhi, Kolkata, and across India.
Start Your SEBI CSCRF Audit with ISECURION
SEBI's CSCRF is actively enforced. Whether you are a stock broker, AMC, depository, or portfolio manager, your annual cybersecurity audit deadline is not optional. ISECURION provides end-to-end CSCRF compliance - from gap assessment and VAPT to the final SEBI submission-ready evidence pack.
CERT-In Empanelled
SEBI Sector Experience
SEBI Submission-Ready Reports
In-House VAPT Capability
With SEBI inspections increasingly focused on cybersecurity compliance, and annual audit deadlines that cannot be missed, regulated entities must act now. ISECURION's SEBI CSCRF audit services help stock brokers, AMCs, depositories, RTAs, and all other regulated entities meet their obligations confidently and on time.