SEBI CSCRF Compliance Readiness Checklist
A current-state readiness checklist for SEBI-regulated entities — MIIs, Qualified REs, Mid-size, Small-size and Self-certification REs across stock exchanges, depositories, clearing corporations, KRAs, brokers, DPs, AMCs, AIFs, VCFs, custodians, RTAs, Portfolio Managers and other intermediaries — under the Cybersecurity and Cyber Resilience Framework (CSCRF), read with all clarifications through Aug 2025 and the May 2026 AI Advisory.
Overview
What is SEBI CSCRF?
Framework Overview
The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF), issued vide SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20-Aug-2024, establishes graded baseline cyber security and cyber resilience standards across SEBI Regulated Entities (REs). It follows a five-tier classification (MIIs / Qualified REs / Mid-size REs / Small-size REs / Self-certification REs) with NIST-CSF-2.0-aligned controls (GV / ID / PR / DE / RS / RC plus an EV "Evolve" goal) and supersedes prior SEBI cyber circulars. It is to be read in conjunction with the subsequent clarifications and the May 2026 AI Vulnerability Detection Advisory.
Regulatory Authority & Enforcement
SEBI has the authority to impose penalties, issue directions, and take enforcement action against non-compliant entities under the SEBI Act, 1992 and the Securities Contracts (Regulation) Act, 1956. Non-compliance can result in monetary penalties, suspension of registration, restriction of activities, and reputational damage. SEBI conducts regular inspections and can mandate immediate corrective actions.
Compliance Deadlines
All CSCRF compliance deadlines are now in effect. MIIs / KRAs / QRTAs were due 1-Jan-2025; all other REs were extended to 31-Aug-2025 (per CIR/2025/96). Cyber audits from FY 2025-26 onwards must be conducted under CSCRF read with subsequent clarifications.
Who It Applies To
22 SEBI-regulated entity categories: MIIs (Stock Exchanges / Depositories / Clearing Corps / QRTAs), KRAs (Qualified RE post-Apr 2025), Stock Brokers, DPs, AMCs / MFs, AIFs, VCFs, Portfolio Managers, Custodians, RTAs, Merchant Bankers, Investment Advisers, Research Analysts, CIS, CRAs, Debenture Trustees, Bankers to Issue / SCSBs, DDPs. Several entity categories are excluded (Individual IAs, FPIs, FVCIs, LPCCs, QDPs, REITs, InvITs, Vault Managers, Inactive MBs).
Non-Compliance Risk
Monetary penalties under the SEBI Act, 1992 (the residual penalty provision alone runs to INR 1 crore per contravention, and specific provisions go higher), suspension or cancellation of registration, mandatory corrective actions with timelines, enhanced regulatory scrutiny, and significant reputational harm in the market.
CSCRF Circular Trail
What's currently in force
The CSCRF master circular has been amended and clarified seven times since issuance. This page reflects the current state as of 6-May-2026, after the Aug 2025 technical clarifications and the May 2026 AI Vulnerability Detection Advisory.
- 01 · Master CSCRF · 20 Aug 2024 · SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113
  Establishes the 5-tier framework for 22 SEBI-regulated entity categories.
- 02 · Clarifications · 31 Dec 2024 · SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184
  Regulatory forbearance till 31-Mar-2025. Data Localisation (PR.DS.S2) kept in abeyance until further notification. KRA + DP compliance pushed to Apr 2025.
- 03 · First extension · 28 Mar 2025 · SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/45
  Compliance deadline extended to 30-Jun-2025 for all REs except MIIs / KRAs / QRTAs.
- 04 · Major clarifications · 30 Apr 2025 · SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60
  Stock-broker thresholds rewritten with two-parameter rule (clients OR trading volume; higher tier wins). KRAs demoted from MII to Qualified RE. AIFs + VCFs combined at manager level. PM / MB / DP simplified. Sub-100-clients M-SOC exemptions. HSM mandatory for MII + QRE. IA / RA reporting authority moved to BSE Ltd.
- 05 · CSCRF + Cloud framework FAQ · 11 Jun 2025 · FAQ
  Edge-case clarifications across entity types and controls.
- 06 · Second extension · 30 Jun 2025 · SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/96
  Compliance deadline extended to 31-Aug-2025 for all REs except MIIs / KRAs / QRTAs.
- 07 · Technical clarifications · 28 Aug 2025 · SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119
  Principle of Exclusivity / Equivalence for multi-regulator REs. PM 3-tier table revised. MBs simplified to active = Small-size / inactive = exempt. ISO 27001 made voluntary for QREs (still mandatory for MIIs). Mobile App Security made recommendatory. RTO 2 hr / RPO 15 min anchored to IOSCO.
- 08 · AI Vulnerability Detection Advisory · 5 May 2026 · HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026
  10 Annexure-A directives. cyber-suraksha.ai task force constituted. To be read in conjunction with CSCRF.
Data Localisation (PR.DS.S2) currently in abeyance
Per the 31-Dec-2024 clarifications circular (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184), the data localisation provisions under Data Security standard PR.DS.S2 have been kept in abeyance until further notification. Treat this as a non-binding expectation today; resume planning when SEBI issues the next clarification.
Entity Classification
The 5-tier model at a glance
CSCRF classifies all SEBI-regulated entities into five tiers based on size, scope of operations, and entity-type-specific thresholds. Your tier is determined at the start of each financial year using the previous year's data, validated by your reporting authority, and remains fixed for that financial year. Where an entity is registered under multiple categories, the highest tier applies.
| Entity Category | Applicable Entities | VAPT Frequency | SOC Requirement | CISO | Incident Reporting |
|---|---|---|---|---|---|
| Market Infrastructure Institutions (MIIs) | Stock Exchanges (BSE, NSE, MSEI) · Depositories (NSDL, CDSL) · Clearing Corporations (NSCCL, ICCL, MCXCCL) · QRTAs (RTAs servicing ≥2 Cr folios) | Twice a year (CII / Protected Systems) · Cyber Audit twice a year · Red Team half-yearly · Threat Hunting quarterly | Operates Market SOC (NSE, BSE; optional NSDL, CDSL) · 24×7 own SOC · Half-yearly functional efficacy | Dedicated CISO with direct MD/CEO reporting line · Grade ≥ CTO/CIO | 6 hr to SEBI Incident Reporting portal + mkt_incidents@sebi.gov.in + CERT-In |
| Qualified REs (QREs) | KRAs (Apr 2025: demoted from MII) · Institutional DPs (DPs not registered as Stock Brokers) · Stock Brokers >10 lakh clients OR >₹10 lakh Cr annual trading volume · AMCs ≥₹1 lakh Cr AUM · Custodians ≥₹10 lakh Cr AUC · QSBs (per Feb 2023 SEBI circular) | Once a year (twice a year if CII) · Cyber Audit twice a year · Red Team half-yearly · Threat Hunting quarterly | 24×7 SOC (own / group / Market SOC / 3P-managed) · Half-yearly functional efficacy | Dedicated CISO with direct MD/CEO reporting line · Grade ≥ CTO/CIO | 6 hr to SEBI Incident Reporting portal + mkt_incidents@sebi.gov.in + CERT-In · Reporting authority = SEBI (MIIs + most QREs) / Stock Exchanges or Depositories (broker QREs) / BSE Ltd (IA + RA QREs, 5 years from 25-Jul-2024) |
| Mid-size REs | Stock Brokers 1–10 lakh clients OR ₹1–10 lakh Cr volume · AMCs ₹10,000 Cr–<₹1 lakh Cr AUM · Custodians ₹1–<10 lakh Cr AUC · Portfolio Managers ≥₹10,000 Cr AUM · AIF + VCF managers (combined corpus) >₹10,000 Cr · RTAs 1–<2 Cr folios | Once a year · Cyber Audit once a year (twice a year if providing IBT or Algo trading) · No Red Team / Threat Hunting requirement | 24×7 SOC (own / Market SOC / 3P-managed) · Annual functional efficacy | Designated officer (CISO or equivalent) | 6 hr to SEBI Incident Reporting portal + mkt_incidents@sebi.gov.in + CERT-In |
| Small-size REs | Stock Brokers 10k–1 lakh clients OR ₹10k–₹1 lakh Cr volume · AMCs <₹10,000 Cr AUM · Custodians <₹1 lakh Cr AUC · Portfolio Managers >₹3,000–<₹10,000 Cr AUM · AIF + VCF managers >₹3,000–₹10,000 Cr corpus · RTAs 10k–<1 Cr folios · All active Merchant Bankers · Non-individual IAs (registered in another category) | Once a year · Cyber Audit once a year (twice a year if providing IBT or Algo trading) | Onboarded to Market SOC (NSE / BSE) — mandatory unless RE has its own SOC and submits efficacy report. Sub-100-clients exemptions apply for DP / RTA. | Designated officer (CISO or equivalent) | 6 hr to SEBI Incident Reporting portal + mkt_incidents@sebi.gov.in + CERT-In |
| Self-certification REs | Stock Brokers 1k–10k clients OR ₹1k–10k Cr volume · Portfolio Managers ≤₹3,000 Cr AUM · AIF + VCF managers ≤₹3,000 Cr corpus · CIS · CRAs · Debenture Trustees (with new debt issuer in last 3 FYs) | Once a year · Cyber Audit once a year | Onboarded to Market SOC — mandatory unless RE has its own SOC. Sub-100-clients exemptions apply for PM / AIF + VCF managers. | Designated officer (CISO or equivalent) | 6 hr to SEBI Incident Reporting portal + mkt_incidents@sebi.gov.in + CERT-In |
Per-entity Thresholds
What metric drives your tier?
Each of the 22 SEBI-regulated entity types has its own threshold metric — AUM for AMCs, active clients OR trading volume for stock brokers (whichever pushes you higher), AUC for Custodians, folios for RTAs, and so on. Use this table to find your category and tier.
| Entity Type | Metric / Notes | Self-cert | Small-size | Mid-size | Qualified RE | MII |
|---|---|---|---|---|---|---|
| Stock Exchanges, Depositories, Clearing Corporations | — (always MII) | — | — | — | — | Always |
| Qualified RTA (QRTA) | Folios serviced | — | — | — | — | ≥2 Cr folios |
| KYC Registration Agencies (KRAs) | — (always Qualified RE post-Apr 2025) | — | — | — | Always | — (was MII pre-Apr 2025) |
| Stock Brokers (client-based + proprietary) | Clients OR annual trading volume — higher tier wins. <1k clients AND <₹1k Cr volume → exempt entirely. | 1k–10k clients OR ₹1k–10k Cr | 10k–1L clients OR ₹10k–1L Cr | 1L–10L clients OR ₹1L–10L Cr | >10L clients OR >₹10L Cr | — |
| Depository Participants (also Stock Broker) | Use Stock Broker rules | — | — | — | — | — |
| Depository Participants (not Stock Broker) | — (always Qualified RE; <100 clients exempt SOC/M-SOC) | — | — | — | Always | — |
| AMC / Mutual Fund | AUM | — | <₹10,000 Cr | ₹10,000 Cr–<₹1 lakh Cr | ≥₹1 lakh Cr | — |
| Portfolio Manager | AUM (no QRE tier; Self-cert <100 clients exempt M-SOC) | ≤₹3,000 Cr | >₹3,000–<₹10,000 Cr | ≥₹10,000 Cr | — | — |
| AIF + VCF (combined at manager level) | Sum of corpus across all AIFs + VCFs + schemes managed (Self-cert <100 clients exempt M-SOC) | ≤₹3,000 Cr | >₹3,000–₹10,000 Cr | >₹10,000 Cr | — | — |
| Custodian | AUC | — | <₹1 lakh Cr | ₹1–<10 lakh Cr | ≥₹10 lakh Cr | — |
| Registrar & Share Transfer Agents (RTA) | Folios (<10k folios → excluded; <100 clients exempt SOC/M-SOC) | — | 10k–<1 Cr | 1–<2 Cr | — | ≥2 Cr (QRTA) |
| Merchant Banker (post-Aug 2025) | Active or inactive? | — | All active MBs | — | — | — |
| Investment Adviser | Registered in another SEBI category? Reporting to BSE Ltd (5 yrs from 25-Jul-2024) | — | Non-individual; registered in another category → highest other tier | — | — | — |
| Research Analyst | Registered in another SEBI category? Reporting to BSE Ltd | — | Registered in another category → highest other tier | — | — | — |
| CIS, CRA | — (always Self-cert) | Always | — | — | — | — |
| Debenture Trustee | New debt issuer added in last 3 FYs? | Yes (those without are excluded) | — | — | — | — |
| Banker to an Issue / SCSB | Special — submit RBI cyber compliance certificate to SEBI | — | — | — | — | — |
| Designated DP (DDP) | Inherits highest of DP and Custodian categorisation | — | — | — | — | — |
| Inactive Merchant Bankers · FPI · FVCI · LPCC · QDP · REIT/InvIT · Vault Manager · Individual IA · Non-registered RA | — (excluded entirely from CSCRF) | — | — | — | — | — |
Source: CSCRF master circular §2 (20-Aug-2024) read with Apr 2025 clarifications (CIR/2025/60) and Aug 2025 technical clarifications (CIR/2025/119). When an RE is registered under more than one category, the highest tier applies.
Tier-specific Obligations
ISO 27001 · CCI · M-SOC · HSM · RTO/RPO
Beyond VAPT and incident reporting, each tier carries a specific set of governance and resilience obligations. The Aug 2025 technical clarifications softened some of these (notably ISO 27001 became voluntary for QREs); the table below reflects current state.
| Tier | ISO 27001 | CCI | Market SOC | HSM | IT Committee | Drill | RTO | RPO |
|---|---|---|---|---|---|---|---|---|
| MIIs | Mandatory | Third-party half-yearly assessment | Operates M-SOC | Mandatory | Mandatory + quarterly + 1 external cyber expert | Half-yearly | 2 hr (per IOSCO) | 15 min |
| Qualified REs | Recommended (Aug 2025 made voluntary) | Self-assessment annually | Eligible / encouraged | Mandatory | Mandatory + quarterly + 1 external cyber expert | Half-yearly | 2 hr | 15 min |
| Mid-size REs | — | — | Eligible / encouraged | Risk-assessed alternative allowed | Mandatory + quarterly + 1 external cyber expert | Annually | Per CCMP | Per CCMP |
| Small-size REs | — | — | Mandatory (own-SOC carve-out) | Risk-assessed alternative allowed | Optional (otherwise MD/CEO/Board approves CSCRF compliance) | Annually | Per CCMP | Per CCMP |
| Self-certification REs | — | — | Mandatory (own-SOC carve-out) | Risk-assessed alternative allowed | Optional | Annually | Per CCMP | Per CCMP |
CCI — Cyber Capability Index
Per CSCRF Annexure-K, CCI is a measurable cyber-resilience scoring index applicable to MIIs and Qualified REs. MIIs undergo half-yearly third-party CCI assessments; Qualified REs perform annual self-assessments. Reports are submitted to SEBI.
Market SOC (M-SOC)
Market SOCs are operated mandatorily by NSE and BSE (optionally by NSDL and CDSL). Small-size and Self-certification REs are mandated to onboard unless they operate their own SOC and submit periodic functional efficacy reports. The May 2026 AI Advisory expedites onboarding for all eligible non-onboarded REs.
HSM — Hardware Security Module
Per the Apr 2025 clarifications (CIR/2025/60), implementation of a dedicated HSM is mandatory for MIIs and Qualified REs under the SEBI Cloud framework (Annexure-J). Mid-size, Small-size, and Self-cert REs may implement a risk-assessed alternative, approved by the Board / Partners / Proprietor.
RTO 2 hr · RPO 15 min
Per the Aug 2025 technical clarifications (CIR/2025/119) read with the Mar 2021 SEBI BCP/DR circular, MIIs and Qualified REs shall design and test systems for safe resumption of critical operations within 2 hours of disruption (per IOSCO), with a 15-minute RPO. Mid / Small / Self-cert REs follow their approved CCMP.
Exemptions
Are you exempt or excluded?
The Apr 2025 clarifications introduced sub-100-client carve-outs and clarified which entity types fall outside CSCRF entirely. Check these before scoping a compliance engagement — they materially change applicability.
Excluded from CSCRF entirely
- ☐ Stock Brokers with <1,000 clients AND <₹1,000 Cr trading volume
- ☐ Inactive Merchant Bankers (no MB activity in review period)
- ☐ Debenture Trustees with no new debt issuer in last 3 FYs
- ☐ Individual Investment Advisers
- ☐ Non-registered Research Analysts (SaaS declaration only)
- ☐ FPI · FVCI · LPCC · QDP · REIT / InvIT · Vault Managers
- ☐ RTAs servicing <10k folios
Exempt from SOC and Market SOC onboarding
- ☐ DP with <100 clients
- ☐ Self-cert Portfolio Managers with <100 clients
- ☐ Self-cert AIF + VCF managers with <100 clients
- ☐ RTA with <100 clients
Governance & Policy
Governance checklist
Foundational governance requirements that form the basis of CSCRF compliance. These must be established before technical controls can be effective.
Designated CISO appointed (direct MD/CEO reporting line for MIIs + Qualified REs; grade ≥ CTO/CIO; roles per NCIIPC guidelines)
IT Committee for REs constituted with at least one external independent cybersecurity expert (mandatory for MIIs, Qualified REs, Mid-size REs; quarterly meetings)
For Small-size and Self-certification REs without an IT Committee, CSCRF compliance is reviewed and approved by MD/CEO/Board member/Partners/Proprietor
Comprehensive Cyber Security and Cyber Resilience Policy approved by the board (annual review, GV.PO standards)
Cybersecurity risk management policy reviewed annually (GV.PO.S4)
Incident Response Plan (IRP) documented, approved, and tested with annual scenario-based drills (half-yearly for MIIs + QREs; annual for others)
Cyber Crisis Management Plan (CCMP) aligned with SEBI and CERT-In guidelines; press-release decisions made per the approved CCMP
Dedicated annual cyber security budget allocation approved by the board
Cyber security awareness training program for all employees (annual mandatory; PR.AT.S1)
Third-party / vendor cyber risk assessment in consultation with IT Committee (GV.SC standards)
Cyber Capability Index (CCI) — third-party half-yearly assessment for MIIs; self-assessment annually for Qualified REs (GV.OV.S4 + Annexure-K)
ISO 27001:2022 certification — mandatory for MIIs (Aug 2025 made it voluntary for Qualified REs)
Roles and responsibilities for cybersecurity clearly defined across the organisation
Technical Controls
Technical controls checklist
Detailed technical security controls required under SEBI CSCRF, organized by domain. Requirements vary by entity category — refer to the entity classification table above.
Network Security
Next-generation firewall deployed at all network perimeters with rule review every quarter
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) deployed and monitored
Network segmentation implemented — critical systems isolated from general corporate network
DMZ architecture for all internet-facing applications and services
Network Access Control (NAC) implemented for all endpoint connections
Secure DNS configuration with DNS filtering and monitoring
VPN with strong encryption for all remote access — no split tunneling
Regular network architecture review and penetration testing of network controls
Access Control
Multi-Factor Authentication (MFA) enforced for all privileged and remote access
Privileged Access Management (PAM) solution deployed for all administrative accounts
Quarterly access reviews conducted for all critical systems and applications
Role-Based Access Control (RBAC) implemented with principle of least privilege
Password policy enforced — minimum 12 characters, complexity, 90-day rotation for privileged accounts
Automated deprovisioning process for separated employees (within 24 hours)
Service account inventory maintained with regular credential rotation
Session timeout and concurrent session controls implemented
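Two of the items above (deprovisioning within 24 hours, 90-day rotation for privileged credentials) are the ones an auditor will test with data rather than with a policy document. The script below is an added example, not text or tooling from the CSCRF circular or from SEBI: it joins a constructed HR separation feed against a constructed IAM export and reports accounts that outlived the deprovisioning SLA, plus enabled privileged accounts whose credential is older than 90 days. The field names, the account records and every timestamp are assumptions made for this example.

```python
"""Leaver / privileged-credential review over HR and IAM exports.

Added example, not from the CSCRF circular or any SEBI tool. The HR feed,
the IAM export, their field names and all timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Constructed HR feed: employee id -> separation timestamp
HR_SEPARATIONS = {
    "E1001": datetime(2026, 4, 1, 18, 0, tzinfo=IST),
    "E1002": datetime(2026, 4, 28, 17, 30, tzinfo=IST),
    "E1003": datetime(2026, 4, 29, 12, 0, tzinfo=IST),
}

# Constructed IAM export, one record per account. employee_id is None for
# service accounts; disabled_at is None while the account is still enabled.
IAM_ACCOUNTS = [
    {"account": "rsharma", "employee_id": "E1001", "enabled": True,
     "privileged": True, "disabled_at": None,
     "last_rotation": datetime(2026, 1, 5, tzinfo=IST)},
    {"account": "pmehta", "employee_id": "E1002", "enabled": False,
     "privileged": False, "disabled_at": datetime(2026, 4, 28, 19, 0, tzinfo=IST),
     "last_rotation": datetime(2026, 3, 1, tzinfo=IST)},
    {"account": "akhan", "employee_id": "E1003", "enabled": False,
     "privileged": True, "disabled_at": datetime(2026, 5, 2, 9, 0, tzinfo=IST),
     "last_rotation": datetime(2026, 4, 1, tzinfo=IST)},
    {"account": "svc-oms-deploy", "employee_id": None, "enabled": True,
     "privileged": True, "disabled_at": None,
     "last_rotation": datetime(2025, 11, 1, tzinfo=IST)},
    {"account": "nverma", "employee_id": "E2001", "enabled": True,
     "privileged": False, "disabled_at": None,
     "last_rotation": datetime(2026, 4, 20, tzinfo=IST)},
]

NOW = datetime(2026, 5, 6, 10, 0, tzinfo=IST)  # review run time (constructed)


def deprovisioning_breaches(accounts, separations, now, sla=timedelta(hours=24)):
    """Accounts of separated staff that were (or still are) enabled for longer
    than the SLA after separation. A disabled account with no disabled_at is
    reported with lag None: the evidence is missing, so the reviewer must ask."""
    findings = []
    for a in accounts:
        separated_at = separations.get(a["employee_id"])
        if separated_at is None:
            continue  # not a leaver (or a service account with no employee)
        if a["enabled"]:
            lag = now - separated_at
        elif a["disabled_at"] is None:
            findings.append({"account": a["account"], "lag_hours": None,
                             "still_enabled": False})
            continue
        else:
            lag = a["disabled_at"] - separated_at
        if lag > sla:
            findings.append({"account": a["account"],
                             "lag_hours": round(lag.total_seconds() / 3600, 1),
                             "still_enabled": a["enabled"]})
    return findings


def stale_privileged_credentials(accounts, now, max_age=timedelta(days=90)):
    """Enabled privileged accounts whose credential is older than max_age."""
    return [a["account"] for a in accounts
            if a["privileged"] and a["enabled"]
            and now - a["last_rotation"] > max_age]


if __name__ == "__main__":
    for f in deprovisioning_breaches(IAM_ACCOUNTS, HR_SEPARATIONS, NOW):
        print("deprovisioning SLA breach:", f)
    print("stale privileged credentials:",
          stale_privileged_credentials(IAM_ACCOUNTS, NOW))
```

Measuring the lag against disabled_at for already-disabled accounts, rather than only looking at what is enabled today, is what turns this from a point-in-time snapshot into evidence of whether the 24-hour process actually worked during the review period.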
Data Security
Encryption at rest (AES-256) for all sensitive and critical data stores
Encryption in transit (TLS 1.2+) for all internal and external communications
Data Loss Prevention (DLP) solution deployed for email, web, and endpoints
Data classification policy implemented — Public, Internal, Confidential, Restricted
Database Activity Monitoring (DAM) for all databases containing sensitive data
Secure data backup with encryption — offsite/air-gapped copies tested quarterly
Data retention and secure disposal policy aligned with SEBI record-keeping requirements
PII and sensitive data discovery and inventory completed across all systems
Application Security
VAPT conducted as per SEBI-mandated frequency (see VAPT Requirements section)
Secure Software Development Life Cycle (SSDLC) adopted for all in-house applications
Web Application Firewall (WAF) deployed for all internet-facing web applications
Static Application Security Testing (SAST) integrated into CI/CD pipeline
Dynamic Application Security Testing (DAST) performed before every major release
Open-source and third-party component vulnerability scanning (SCA) in place
API security testing and rate limiting implemented for all exposed APIs
Code review process with security-focused review for all production deployments
Endpoint Security
Endpoint Detection and Response (EDR) deployed on all endpoints including servers
Automated patch management — critical patches applied within 72 hours of release
System hardening baselines (CIS benchmarks) applied to all servers and workstations
Removable media controls — USB and external device usage restricted and monitored
Mobile Device Management (MDM) for all corporate and BYOD devices accessing systems
Application whitelisting on critical servers and trading systems
SOC & Monitoring
24×7 SOC operational — own / group / Market SOC / 3P-managed (mandatory for MIIs and Qualified REs; Market SOC mandatory for Small-size and Self-cert REs unless they have own SOC)
Functional efficacy of SOC reviewed half-yearly (MIIs + QREs) or annually (others using third-party / Market SOC)
SIEM solution deployed with correlation rules for SEBI-relevant threat scenarios
Log retention policy aligned with CERT-In Directions (April 2022) and applicable government guidelines (CSCRF requires "strong log retention as per government guidelines/policies/standards"; specific 180-day retention timelines come from CERT-In, not SEBI)
Centralised log collection from all critical infrastructure, applications, and security devices
Threat intelligence feeds integrated and operationalised in SOC workflows
Security incident ticketing and tracking system with SLA-based escalation
Regular SOC maturity assessment and capability uplift program
Automated alerting for anomalous activities — brute force, lateral movement, data exfiltration
Threat hunting (quarterly for MIIs + QREs; per CSCRF DE.DP.S5)
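"Correlation rules for brute force and lateral movement" is a line item that every SIEM vendor claims to cover; the script below is an added example, not text or tooling from the CSCRF circular or from SEBI, showing what such a rule actually has to do when run over authentication events. It parses a handful of constructed log lines, raises a brute-force alert when one source/user pair accumulates five failures inside a sliding ten-minute window (and escalates if a success follows the burst), and raises a lateral-movement alert when one account successfully authenticates to three or more distinct hosts within thirty minutes. The log format, the thresholds and the window sizes are assumptions, not values prescribed by CSCRF.

```python
"""Brute-force and lateral-movement correlation over authentication logs.

Added example, not from the CSCRF circular or any SEBI tool. The line format,
the sample log, the thresholds and the windows are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format (constructed for this example):
# "<ISO timestamp> auth src=<ip> user=<name> host=<target> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: a password-guessing burst that succeeds, a service
# account fanning out across hosts, a benign typo, and one unparseable line.
SAMPLE_LOG = """\
2026-05-06T09:00:00 auth src=203.0.113.7 user=ops.admin host=bastion01 result=fail
2026-05-06T09:00:20 auth src=203.0.113.7 user=ops.admin host=bastion01 result=fail
2026-05-06T09:00:40 auth src=203.0.113.7 user=ops.admin host=bastion01 result=fail
2026-05-06T09:01:00 auth src=203.0.113.7 user=ops.admin host=bastion01 result=fail
2026-05-06T09:01:20 auth src=203.0.113.7 user=ops.admin host=bastion01 result=fail
2026-05-06T09:02:00 auth src=203.0.113.7 user=ops.admin host=bastion01 result=ok
2026-05-06T09:05:00 auth src=10.0.5.21 user=svc-backup host=db01 result=ok
2026-05-06T09:07:00 auth src=10.0.5.21 user=svc-backup host=db02 result=ok
2026-05-06T09:09:00 auth src=10.0.5.21 user=svc-backup host=oms01 result=ok
2026-05-06T09:30:00 auth src=10.0.7.3 user=alice host=ws-alice result=fail
2026-05-06T09:30:30 auth src=10.0.7.3 user=alice host=ws-alice result=ok
garbage line that the parser must tolerate
"""


def parse(line):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # a production rule would also count unparseable lines
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one (src, user) pair logs >= threshold failures inside a
    sliding window; escalate if a success follows the burst within the window,
    which is the 'password guessed' case a SOC must triage first."""
    fails = defaultdict(deque)  # (src, user) -> recent failure timestamps
    tripped = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["user"])
        q = fails[key]
        if e["result"] == "fail":
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in tripped:
                tripped.add(key)
                alerts.append(("brute_force", e["src"], e["user"], e["ts"]))
        elif key in tripped and q and e["ts"] - q[-1] <= window:
            alerts.append(("brute_force_success", e["src"], e["user"], e["ts"]))
    return alerts


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=30)):
    """Alert when one account authenticates successfully to >= min_hosts
    distinct hosts inside the window: a fan-out heuristic for lateral movement."""
    seen = defaultdict(deque)  # user -> (timestamp, host) of recent successes
    tripped = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "ok":
            continue
        q = seen[e["user"]]
        q.append((e["ts"], e["host"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = sorted({h for _, h in q})
        if len(hosts) >= min_hosts and e["user"] not in tripped:
            tripped.add(e["user"])
            alerts.append(("lateral_movement", e["user"], hosts, e["ts"]))
    return alerts


def run(log_text=SAMPLE_LOG):
    """Parse the log and return all alerts, brute-force alerts first."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    return detect_brute_force(events) + detect_lateral_movement(events)


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

The single failure by alice followed by a success is exactly the benign pattern a naive "failure then success" rule would page on; the sliding-window count is what keeps it quiet. Service-account fan-out is a common false-positive source for the lateral-movement rule, so in production the host set for known backup or deployment accounts would be allow-listed per host, not by account.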
Audit & Testing Cadences
VAPT · Cyber Audit · Red Team · Threat Hunting
CSCRF mandates four distinct testing cadences (often conflated): VAPT and Cyber Audit are separate engagements; Red Team and Threat Hunting apply only to MIIs and Qualified REs. All four must be conducted by a CERT-In empanelled IS auditing organisation. Security Brigade has been continuously empanelled by CERT-In since 2008.
| Tier | VAPT | Cyber Audit | Red Team | Threat Hunting | Auditor |
|---|---|---|---|---|---|
| MIIs | Twice a year (CII / Protected Systems per NCIIPC); else once a year | Twice a year | Half-yearly | Quarterly | CERT-In empanelled IS auditing org (mandatory across all tiers) |
| Qualified REs | Twice a year (CII); else once a year | Twice a year | Half-yearly | Quarterly | CERT-In empanelled IS auditing org |
| Mid-size REs | Once a year (commences in Q1 of FY) | Once a year (twice if IBT/Algo) | — | — | CERT-In empanelled IS auditing org |
| Small-size REs | Once a year | Once a year (twice if IBT/Algo) | — | — | CERT-In empanelled IS auditing org |
| Self-certification REs | Once a year | Once a year | — | — | CERT-In empanelled IS auditing org |
CERT-In Empanelled Auditor Mandatory
All VAPT, Cyber Audit, Red Team, and Threat Hunting engagements must be conducted by a CERT-In empanelled IS auditing organisation holding a valid empanelment at the time of the assessment. Verify auditor status on the CERT-In website before engagement.
VAPT & Cyber Audit are separate deliverables
Per CSCRF §4.3 (VAPT) and §4.4 (Cyber Audit), these are distinct engagements with their own report formats, IT-committee review steps, and submission timelines. Cyber Audit covers 100% of critical systems and 25% of non-critical systems on a sample basis, and verifies overall CSCRF compliance.
Incident Reporting
Incident reporting obligations
SEBI CSCRF mandates strict timelines for reporting cyber security incidents. Failure to report within the stipulated timelines is itself a compliance violation.
SEBI: within 6 hours of detection
Required details: Initial notification on the SEBI Incident Reporting portal + email mkt_incidents@sebi.gov.in. Nature of incident, systems affected, impact assessment, immediate actions taken.
Follow-up: Interim Report within 3 days · Mitigation measures within 7 days · Root Cause Analysis (RCA) within 30 days · Forensic Audit Report (per Annexure-O §3.4) · Incident-related VAPT and closure reports within 45 days · IT Committee review of all reports before submission
CERT-In: within 6 hours of detection
Required details: Per CERT-In Directions (April 2022). Type of incident, affected systems / IPs, estimated impact, remediation steps.
Follow-up: Subsequent reports as required by CERT-In
Stock Exchange / Depository: immediately upon detection
Required details: If the incident impacts market operations, trading, or settlement systems. Concurrent with the SEBI / CERT-In notification.
Follow-up: Continuous updates until resolution
Key Incident Reporting Checklist
Incident response team activated and incident commander designated
Incident classified by severity — Critical / High / Medium / Low
Initial notification sent to SEBI within 6 hours of detection
CERT-In notified within 6 hours as per CERT-In Directions (April 2022)
Relevant stock exchange / depository notified if market operations impacted
Incident details documented — nature, timeline, affected systems, impact scope
Containment measures implemented and documented
Evidence preserved for forensic analysis — logs, memory dumps, disk images
Interim Report submitted to SEBI within 3 days (per CSCRF Annexure-O Table 36)
Mitigation measure submitted to SEBI within 7 days
Root Cause Analysis (RCA) report submitted within 30 days (case-by-case extension possible)
Forensic Audit Report submitted per Annexure-O §3.4 (and incident closure report)
Incident-related VAPT and closure reports within 45 days
IT Committee for REs reviews all reports before SEBI submission
Remediation actions implemented and verified; lessons-learnt recorded
Compliance Calendar
Annual audit & compliance calendar
A structured quarterly plan to ensure continuous CSCRF compliance throughout the financial year. Adjust timelines based on your entity category and specific SEBI requirements.
Q1 (April – June)
[All] Annual VAPT cycle commences (twice/year for CII / Protected Systems)
[All] Cybersecurity policy annual review and board approval (GV.PO.S2)
[All] Cybersecurity risk management policy review (GV.PO.S4)
[All] Annual cyber security budget review and allocation
[All] Cybersecurity awareness training (PR.AT.S1; annually)
[MII] Half-yearly third-party CCI assessment
[QRE] Annual self-assessment using CCI
[All] Re-determine CSCRF tier based on previous FY data; report to authority
Q2 (July – September)
[MII, QRE] Quarterly threat hunting (DE.DP.S5)
[MII, QRE] Quarterly user-access rights and unused-token review
[MII, QRE] Quarterly privileged-user activity review
[MII, QRE] Half-yearly red team exercise (DE.DP.S4)
[MII, QRE] Half-yearly cybersecurity scenario-based drill
[MII, QRE] Half-yearly SOC functional efficacy review
[MII, QRE] Half-yearly third-party-managed system review
[MII] Half-yearly threat-based risk assessment (ID.RA.S2)
[MII] Mid-year third-party CCI assessment
[Mid, Small, Self] Half-yearly user-access review
[All] Business Continuity Plan (BCP) review
[All] Incident response tabletop exercise
Q3 (October – December)
[CII] Second-half VAPT cycle commences (twice-a-year tier)
[MII, QRE] Quarterly threat hunting + privileged-access review (second cycle)
[All] Disaster Recovery (DR) drill and documentation (RTO 2 hr / RPO 15 min for MII + QRE)
[All] Cyber crisis simulation aligned to approved CCMP
[All] Network architecture and firewall rule review
[All] Threat landscape assessment and control update
[Mid, Small, Self] Annual cyber resilience posture evaluation (EV.ST.S5)
Q4 (January – March)
[All] Annual cyber audit (twice/year for MII + QRE and for Mid-size / Small-size REs providing IBT or Algo trading; once/year otherwise)
[All] Cyber audit + VAPT report submission to reporting authority within 1 month of completion
[All] Closure of cyber audit / VAPT findings within 3 months of report submission
[All] Board-level cybersecurity review presentation
[All] Next-FY cybersecurity roadmap and budget proposal
[MII, QRE] Half-yearly red team + drill + SOC efficacy (second cycle)
[MII] Annual ISO 27001 surveillance / re-certification (mandatory)
[All] Compliance gap remediation verification
Gap Assessment
Gap assessment template
Use this template to assess your current compliance posture against SEBI CSCRF requirements. Identify gaps, assign remediation ownership, and track progress to full compliance.
| CSCRF Requirement | Current Status | Gap Description | Remediation Action | Owner | Deadline |
|---|---|---|---|---|---|
| CISO Appointment & Reporting Structure | Compliant / Partial / Non-Compliant | ||||
| Board-Level Cyber Security Committee | Compliant / Partial / Non-Compliant | ||||
| Cyber Security Policy (Board Approved) | Compliant / Partial / Non-Compliant | ||||
| Incident Response Plan | Compliant / Partial / Non-Compliant | ||||
| Network Security Controls (FW, IDS/IPS, Segmentation) | Compliant / Partial / Non-Compliant | ||||
| Multi-Factor Authentication | Compliant / Partial / Non-Compliant | ||||
| Data Encryption (At Rest & In Transit) | Compliant / Partial / Non-Compliant | ||||
| VAPT by CERT-In Empanelled Auditor | Compliant / Partial / Non-Compliant | ||||
| SOC / 24x7 Monitoring | Compliant / Partial / Non-Compliant | ||||
| Log Retention Policy (per CERT-In Directions, April 2022) | Compliant / Partial / Non-Compliant | ||||
| Incident Reporting Process (6-Hour SLA) | Compliant / Partial / Non-Compliant | ||||
| DR/BCP Testing | Compliant / Partial / Non-Compliant | ||||
| Cyber Security Awareness Training | Compliant / Partial / Non-Compliant | ||||
| Third-Party Risk Management | Compliant / Partial / Non-Compliant | ||||
| Annual Compliance Reporting to SEBI | Compliant / Partial / Non-Compliant |
This template covers key CSCRF requirements. Extend with additional rows specific to your entity category and business context. Print this page (Ctrl+P / Cmd+P) to use as a working document.
Need help with SEBI CSCRF compliance?
Security Brigade has been CERT-In empanelled since 2008 and has conducted 6,700+ security assessments for 700+ clients including major BFSI institutions.
We provide end-to-end CSCRF compliance support — tier classification, gap assessment, VAPT, Cyber Audit, Red Team, M-SOC onboarding advisory, ISO 27001 certification, AI Advisory readiness, and ongoing compliance management.
Source & currency. This page reflects the SEBI Cybersecurity and Cyber Resilience Framework as of 6 May 2026, sourced from the master circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 Aug 2024 read with: CIR/2024/184 (31 Dec 2024 clarifications, including Data Localisation abeyance), CIR/2025/45 (28 Mar 2025 first extension), CIR/2025/60 (30 Apr 2025 clarifications: broker thresholds rewritten, KRA recategorised, AIF + VCF clubbed, sub-100-clients exemptions), the SEBI FAQ (11 Jun 2025), CIR/2025/96 (30 Jun 2025 second extension to 31 Aug 2025), CIR/2025/119 (28 Aug 2025 technical clarifications: Principle of Exclusivity / Equivalence, ISO 27001 voluntary for QREs, Mobile App Security recommendatory), and the May 2026 AI Vulnerability Detection Advisory HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026. Verify any specific obligation against the latest SEBI circular before action; this page is informational and not legal advice.