SEBI CSCRF for AMCs & Mutual Funds: AUM-Tiered Classification & Qualified RE Obligations
Asset Management Companies under SEBI CSCRF: AUM-tiered classification (₹10k Cr, ₹1L Cr thresholds), Qualified RE obligations, ISO 27001 voluntary status, and what AMCs of every size must do.
Asset Management Companies (AMCs) and Mutual Funds sit at the heart of the Indian securities market — managing public money at scale makes them a natural target for CSCRF's most demanding tier. The framework classifies AMCs purely by Assets Under Management (AUM), with a straightforward three-tier structure and a clean threshold that separates standard obligations from the Qualified RE burden.
This piece covers everything an AMC compliance officer needs to know for FY 2026-27.
AMC tier classification: pure AUM
Per CSCRF master circular §2, AMC classification is the simplest in the framework — a single metric, three tiers, no two-parameter complexity:
| Tier | AUM (INR crores) |
|---|---|
| Qualified RE | ≥₹1,00,000 Cr (₹1 Lakh Cr) |
| Mid-size | ₹10,000 – <₹1,00,000 Cr |
| Small-size | <₹10,000 Cr |
There is no Self-cert tier and no exclusion category for AMCs. Every AMC, regardless of size, is in scope — the only question is tier.
The AUM used for classification is the prior financial year's figure, assessed at the start of each financial year (per CSCRF §2).
The ₹1 Lakh Cr line: what changes at QRE
Crossing ₹1,00,000 Cr AUM triggers a step-change in CSCRF obligations:
| Obligation | Small-size AMC | Mid-size AMC | QRE AMC |
|---|---|---|---|
| VAPT | Annual | Annual | Annual (half-yearly if CII) |
| Cyber Audit | Annual | Annual | Half-yearly |
| Red Teaming | — | — | Half-yearly |
| Threat Hunting | — | — | Quarterly |
| Cyber Drill | Annual | Annual | Half-yearly |
| CCI Assessment | — | — | Self-assessment annually |
| ISO 27001 | — | — | Recommended |
| IT Committee | Optional | Quarterly + external expert | Quarterly + external expert |
| CISO | Designated officer | Designated officer | Direct MD/CEO line; grade ≥ CTO/CIO |
| HSM | Risk-assessed alternative | Risk-assessed alternative | Mandatory |
| M-SOC | Mandatory (own-SOC carve-out) | Eligible | Eligible |
| RTO / RPO | Per CCMP | Per CCMP | 2 hr / 15 min |
The jump from Small-size to Mid-size is primarily about the IT Committee (mandatory, quarterly, with an external cyber expert required) and M-SOC (from mandatory to eligible). The jump from Mid-size to QRE is the substantive one — half-yearly audits, red teaming, threat hunting, CCI, dedicated CISO, HSM, and IOSCO-aligned RTO/RPO targets.
ISO 27001: voluntary for QRE AMCs
Per the August 2025 technical clarifications (CIR/2025/119), ISO 27001 is now recommended, not mandatory, for Qualified REs — including AMCs above ₹1 Lakh Cr AUM. It remains mandatory for MIIs only.
That said, Annex A of ISO 27001 overlaps substantially with the CSCRF control catalogue. Many QRE AMCs will find that pursuing ISO 27001 certification simultaneously satisfies a significant portion of CSCRF control evidence — particularly in the Govern, Protect, and Respond+Recover domains.
Mid-size AMCs: the IT Committee
At ₹10,000 Cr AUM, the IT Committee becomes mandatory. Per CSCRF, the committee must:
- Meet quarterly
- Include at least one external independent cybersecurity expert
- Review and approve the cyber resilience posture
- Oversee the CCI self-assessment (if applicable)
- Ratify the annual cyber policy review
For AMCs at the upper end of the Mid-size range (₹60,000–99,000 Cr AUM), preparing for QRE transition — standing up red-teaming cadences, threat-hunting capability, and a direct-report CISO — is a sensible pre-emptive move, even though QRE obligations haven't formally activated yet.
Small-size AMCs: M-SOC is mandatory
For AMCs with <₹10,000 Cr AUM, the M-SOC mandate is the primary operational obligation. Per CSCRF §4.5 and Annexure-M, Small-size REs must onboard to the Market SOC (operated by NSE and BSE) unless they operate their own SOC and submit functional efficacy reports annually.
The May 2026 AI Advisory item 6c reinforces this: "All eligible REs (not onboarded with any M-SOC) shall expedite the onboarding."
M-SOC onboarding is a 4–6 week exercise: log-source inventory, SIEM integration, alert-triage workflow design, and SOAR playbook configuration. Start early.
The AI Advisory: AMCs are in scope
All 19 addressed RE categories in the May 2026 AI Advisory include Mutual Funds and AMCs. If your AMC uses or is evaluating AI/LLM tools in operations or customer-facing products, Annexure-A items 2 (AI-based VA tools), 7 (AI-aware risk scenarios), and 10 (long-term AI plan) apply in parallel with your CSCRF obligations.
Practical next steps
- Confirm your tier. AUM is the only metric. Classification is straightforward, but miscategorisation at the ₹10,000 Cr and ₹1,00,000 Cr boundary lines carries material compliance consequences.
- If approaching Mid-size or QRE, don't wait for the financial-year reclassification. Stand up the required capabilities (IT committee, CISO, half-yearly cadences) in advance so you are compliant from day one of the new tier.
- Small-size AMCs: prioritise M-SOC. This is your binding obligation. Onboarding delays are the most common compliance gap.
- QRE AMCs: build the CCI self-assessment. The Cyber Capability Index is a structured self-assessment against NIST CSF 2.0. It is not a heavy lift, but it is an annual submission your auditor will cross-check.
How Security Brigade helps
We have delivered VAPT, cyber audits, red-teaming, and CISO/advisory engagements for AMCs across the AUM spectrum — from Small-size sub-₹10,000 Cr AMCs to QREs managing lakh-crore portfolios. Use our free SEBI Compliance Wizard to classify your AMC in 2 minutes.
FAQ
Is the AMC tier recalculated every year?
Yes. Per CSCRF §2, classification is decided at the start of each financial year based on prior-year AUM. An AMC that crosses ₹10,000 Cr AUM in FY 2026-27 will be reclassified as Mid-size at the start of FY 2027-28.
What if my AMC manages multiple mutual fund schemes?
AUM is aggregated across all schemes managed by the AMC — not per-scheme.
Does the ₹1 Lakh Cr threshold include debt funds?
Yes. Total AUM includes equity, debt, hybrid, and liquid fund AUM as reported to SEBI.
Are AMC subsidiaries classified separately?
If the subsidiary is a separately registered AMC with SEBI, it is classified independently based on its own AUM.
Content current as of 2026-05-06. Source: docs/SEBI-CSCRF-FACTCHECK-2026-05-06.md. Verify any specific obligation against the latest SEBI circular before action.
About the authors
Founder & Chief Technology Officer
Founded Security Brigade in 2006 with the thesis that security assessment quality should be structural, not dependent on individual testers. 16+ years building platforms, teams, and methodologies that make enterprise security consistent.
Offensive Security Research · Security Brigade
A rotating byline for collaborative analysis pieces from Security Brigade's offensive security and threat-research practice.