SEBI CSCRF Compliance: The Gaps That Could Cost You in 2026

India’s capital markets face a critical regulatory reality in 2026. SEBI’s Cybersecurity and Cyber Resilience Framework, issued in August 2024, has superseded all previous SEBI cybersecurity circulars and consolidated all cybersecurity obligations into a single, comprehensive, mandatory framework.

As of 2026, the framework is fully enforceable, CERT-In empanelled auditors are actively conducting assessments, and the question for every regulated entity is no longer when to comply; it is whether you can demonstrate compliance through documented evidence when your auditor asks. Over 7,500 SEBI-regulated entities are in scope.

Non-compliance incurs daily penalties of ₹1,500–₹5,000 from the NSE alone, operational restrictions, and risk of registration suspension. This guide breaks down the SEBI cybersecurity and cyber resilience framework, key requirements, implementation roadmap, and the compliance gaps most firms overlook.

Mitigata – Your Cyber Insurance & Risk Management Partner

SEBI CSCRF compliance isn’t just about passing an audit. It requires aligning controls, documentation, tools, and reporting in a way that holds up under scrutiny.

Most teams struggle not with intent, but with execution across multiple moving parts. Mitigata helps organisations get audit-ready without overcomplicating the process. Here’s what we help you with:

    • End-to-end CSCRF readiness support: from gap assessment to implementation, documentation, and audit preparation.
    • Access to 500+ security tools: choose the right tools for your environment without vendor lock-in or guesswork.
    • Structured compliance execution: clear mapping of SEBI CSCRF requirements to controls, policies, and evidence.
    • Faster audit preparation: we help you get documentation, reports, and checkpoints ready for CERT-In empanelled auditors.
    • Cyber insurance at competitive rates: coverage aligned to your risk profile, sourced from leading insurers.
    • Used by 800+ businesses: teams that need compliance done properly, without unnecessary complexity.

The Smartest Way to Get SEBI CSCRF Certified Fast

Achieve SEBI CSCRF certification at 30% reduced cost using our enterprise-grade tools and in-house cybersecurity teams

What Is SEBI CSCRF?

The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) is a mandatory regulatory framework issued by the Securities and Exchange Board of India in August 2024, establishing comprehensive cybersecurity standards for all SEBI-regulated entities.

Who Must Comply with SEBI CSCRF in 2026

SEBI uses a five-tier compliance system that requires organisations to comply based on their size, transaction activities, asset management levels, and operational significance.

Tier | Entity Type | Compliance Intensity
Market Infrastructure Institutions (MIIs) | Stock exchanges (NSE, BSE), clearing corporations, and depositories (NSDL, CDSL) | Highest – all controls mandatory, 24/7 SOC, red teaming required
Qualified Regulated Entities | Large stockbrokers (QSBs), large AMCs, and large RTAs above SEBI thresholds | High – most mandatory controls apply, ISO 27001 required
Mid-size Regulated Entities | Mid-size brokers, AMCs, portfolio managers, KRAs | Medium – core controls mandatory, SOC via Market SOC acceptable
Small Regulated Entities | Smaller intermediaries, smaller PMS firms | Reduced – simplified controls with annual reviews
Self-Certification REs | Smallest entities with minimal cyber exposure | Lightest – self-certification permitted, basic monitoring required

Key SEBI CSCRF Requirements and Controls

The cybersecurity regulatory framework is structured around six security functions: Governance, Identify, Protect, Detect, Respond, and Recover, aligned with NIST CSF but with India-specific mandates layered on top.

1. Information Security Governance

The CISO reporting structure is one of SEBI’s most scrutinised governance requirements. Under CSCRF:

  • A dedicated CISO must be appointed, reporting directly to the MD/CEO, not to the CTO or IT head.
  • Where SEBI and RBI frameworks conflict on CISO reporting (common for banks with DP licences), SEBI’s structure takes precedence for SEBI-regulated functions.
  • MIIs and Qualified REs must have an IT Committee with at least one external cybersecurity expert.
  • Board-level cybersecurity oversight and documented risk registers are mandatory for all tiers except Self-Certification.

CISO requirements checklist:

  • CISO formally appointed with board-approved mandate
  • CISO reports to MD/CEO (not IT/CTO layer)
  • Cybersecurity committee with external expert (MII and Qualified RE)
  • Quarterly board reporting on cybersecurity metrics
  • Documented cyber risk register, reviewed annually

2. Technical Security Controls

Control Domain | Mandatory Requirement | Applies To
Identity & Access Management (IAM/PAM) | MFA for all critical systems; least-privilege access; PAM for privileged accounts | All tiers
Network Security | Firewalls, IDS/IPS, and network segmentation of critical systems | All tiers
Endpoint Protection | EDR solutions on all connected devices | Mid-size and above
Data Security | Encryption at rest and in transit; DLP systems; data classification | All tiers
SIEM & Monitoring | Centralised log management; SIEM deployment; anomaly detection | Qualified RE and above
VAPT | Annual vulnerability assessment and penetration testing; repeated after major changes | All tiers
Post-Quantum Cryptography | Cryptographic asset inventories; PQC threat scenarios in risk assessments | All tiers

The Fast Lane to SEBI CSCRF Certification Starts Here

800+ clients trust us for faster and more reliable SEBI CSCRF compliance across industries.

3. Security Operations Centre (SOC)

Every RE, except the smallest brokers, is required to have a SOC to monitor and respond to security incidents in real time. Smaller entities may opt for shared SOC services, including the Market SOC operated by NSE or BSE, ensuring they can detect and respond to incidents without building an internal 24/7 capability.

4. Cyber Capability Index (CCI)

The CCI is a SEBI-mandated self-assessment tool for evaluating cybersecurity maturity across five domains: Govern, Identify, Protect, Detect, and Respond/Recover. It is mandatory for MIIs and Qualified REs as part of periodic regulatory reporting.

CCI practical requirements:

  • CCI assessments must be completed using SEBI’s prescribed methodology
  • Results are submitted to SEBI as part of regulatory reporting cycles
  • CCI scores inform SEBI’s risk-based oversight; for example, lower scores attract more frequent regulatory engagement
  • Internal teams may conduct CCI assessments, but evidence must be available for auditor review

5. Disaster Recovery Metrics

Critical operations must achieve a 2-hour Recovery Time Objective (RTO) and a 15-minute Recovery Point Objective (RPO). DR drills must generate evidence that these RTO/RPO targets are actually achievable under realistic incident conditions, not just that they are written in the BCP.
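The evidence an auditor wants for this section is the measured RTO and RPO from each drill, per critical system, compared against the 2-hour and 15-minute targets. The script below is an added example, not code from the page or from SEBI: it evaluates a set of constructed drill records (the system names and timestamps are hypothetical), computes RPO as the gap between the last consistent backup or replica and the declared incident, RTO as the gap between the declared incident and service restoration, and treats a missing or nonsensical timestamp as a failed, unmeasurable drill rather than silently passing it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Targets for critical operations as stated on this page.
RTO_TARGET = timedelta(hours=2)
RPO_TARGET = timedelta(minutes=15)


@dataclass
class DrillRecord:
    system: str
    incident_declared: datetime            # when the disruption was declared
    last_good_backup: Optional[datetime]   # last consistent backup/replica before the incident
    service_restored: Optional[datetime]   # when the service was confirmed up at the DR site


@dataclass
class DrillResult:
    system: str
    rto: Optional[timedelta]
    rpo: Optional[timedelta]
    rto_met: bool
    rpo_met: bool
    notes: List[str] = field(default_factory=list)


def evaluate(rec: DrillRecord) -> DrillResult:
    """Measure RTO/RPO for one drill record; missing or invalid data counts as a failure."""
    notes: List[str] = []
    rpo: Optional[timedelta] = None
    rto: Optional[timedelta] = None

    if rec.last_good_backup is None:
        notes.append("no consistent backup/replica recorded before the incident; RPO unmeasurable")
    elif rec.last_good_backup > rec.incident_declared:
        notes.append("backup timestamp is after the incident; record invalid")
    else:
        rpo = rec.incident_declared - rec.last_good_backup

    if rec.service_restored is None:
        notes.append("service not restored during the drill; RTO unmeasurable")
    elif rec.service_restored < rec.incident_declared:
        notes.append("restore timestamp precedes the incident; record invalid")
    else:
        rto = rec.service_restored - rec.incident_declared

    rpo_met = rpo is not None and rpo <= RPO_TARGET
    rto_met = rto is not None and rto <= RTO_TARGET
    if rpo is not None and not rpo_met:
        notes.append(f"RPO {rpo} exceeds target {RPO_TARGET}")
    if rto is not None and not rto_met:
        notes.append(f"RTO {rto} exceeds target {RTO_TARGET}")
    return DrillResult(rec.system, rto, rpo, rto_met, rpo_met, notes)


def run_drill(records: List[DrillRecord]) -> List[DrillResult]:
    return [evaluate(r) for r in records]


def all_targets_met(results: List[DrillResult]) -> bool:
    return all(r.rto_met and r.rpo_met for r in results)


def evidence_lines(results: List[DrillResult]) -> List[str]:
    """Human-readable lines suitable for the drill report handed to the auditor."""
    lines = []
    for r in results:
        rto_txt = f"RTO={r.rto} ({'PASS' if r.rto_met else 'FAIL'})"
        rpo_txt = f"RPO={r.rpo} ({'PASS' if r.rpo_met else 'FAIL'})"
        note_txt = f" [{'; '.join(r.notes)}]" if r.notes else ""
        lines.append(f"{r.system}: {rto_txt} {rpo_txt}{note_txt}")
    return lines


# Constructed drill data (hypothetical systems and timestamps), declared at 10:00.
T0 = datetime(2026, 3, 7, 10, 0)
SAMPLE_DRILL = [
    DrillRecord("order-management", T0, T0 - timedelta(minutes=10), T0 + timedelta(minutes=90)),
    DrillRecord("settlement-gateway", T0, T0 - timedelta(minutes=30), T0 + timedelta(hours=2, minutes=45)),
    DrillRecord("client-portal", T0, None, T0 + timedelta(minutes=40)),
]

if __name__ == "__main__":
    results = run_drill(SAMPLE_DRILL)
    for line in evidence_lines(results):
        print(line)
    print("ALL TARGETS MET" if all_targets_met(results) else "DRILL FAILED: remediate before the audit")
```

Keep the raw timestamps (declaration, last backup, restoration) alongside the computed figures; the numbers alone are not evidence if the auditor cannot trace how they were derived.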

6. Third-Party Risk Management

SEBI holds regulated entities fully accountable for their vendors. Your third-party risk management programme must include:

  • A vendor inventory with risk classification by criticality and access level
  • Security clauses in all vendor contracts, including audit rights
  • Annual security reviews of critical third-party providers
  • For cloud service providers: only MeitY-empanelled infrastructure permitted for production data

7. Incident Response & Business Continuity

  • Formal incident response plans with defined severity levels and escalation paths
  • All cybersecurity incidents must be reported immediately via the dedicated SEBI portal
  • Tabletop exercises and simulation drills are conducted annually
  • Recovery Time Objectives must align with SEBI’s market resilience expectations
  • CERT-In reporting obligations apply in parallel with SEBI reporting

SEBI CSCRF Implementation Roadmap

Phase 1 Compliance Readiness Assessment (Weeks 1-4)

Before spending on technology, know your gaps.

  1. Confirm your RE category using SEBI’s April 2025 revised thresholds. The wrong category means wrong controls.
  2. Run a gap assessment by mapping your current controls against the CSCRF mandatory requirements for your tier.
  3. Inventory critical vs. non-critical systems. CSCRF audits cover 100% of critical systems and a 25% sample of non-critical ones.
  4. Appoint or formalise your CISO and establish the correct reporting line to the MD/CEO.
  5. Engage a CERT-In empanelled auditor early, so they can scope the audit and identify gaps before the formal assessment.

A downloadable CSCRF Gap Assessment Checklist aligned to your entity category is the fastest way to start Phase 1.

Phase 2 Technical Implementation (Weeks 5-16)

Deploy controls in risk-priority order:

  • Identity & Access: implement MFA, PAM, and least-privilege across all critical systems first.
  • Network: segment critical trading systems; deploy IDS/IPS; harden firewall rulesets.
  • Monitoring: stand up SIEM with log sources from all critical systems; integrate with SOC (internal or Market SOC).
  • VAPT: commission your first VAPT from a CERT-In empanelled firm and remediate critical findings within 1 week, per SEBI’s patch management timeline (PR.MA.S3).
  • Data: classify data assets; implement encryption at rest and in transit; deploy DLP.
  • SBOM: begin maintaining a Software Bill of Materials for COTS products and internally developed software.
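Two of the checks above are easy to get wrong in a way an auditor will notice: a critical system that is in the inventory (Phase 1, step 3) but not actually sending logs to the SIEM (Phase 2, monitoring), and an audit sample of non-critical systems that cannot be reproduced. The script below is an added example, not code from the page or from any SIEM product: it works over a constructed asset inventory and a constructed view of the SIEM’s last-event time per host (all hostnames are hypothetical), reports every critical system the SIEM cannot evidence, including sources that were onboarded but have gone silent, and draws the 25% non-critical sample with a fixed seed so the same scope can be regenerated for the auditor. The 24-hour staleness threshold is an assumption, not a CSCRF figure.

```python
import math
import random
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed inventory (hypothetical hosts): name -> is the system critical?
ASSETS: Dict[str, bool] = {
    "oms-prod-01": True,
    "oms-prod-02": True,
    "risk-engine": True,
    "settlement-gw": True,
    "ad-dc-01": True,
    "hr-portal": False,
    "wiki": False,
    "jump-host-dev": False,
    "build-server": False,
    "print-server": False,
}

# Constructed SIEM view: host -> time of the last event received (None = source defined, never sent).
NOW = datetime(2026, 1, 15, 9, 0)
SIEM_LAST_EVENT: Dict[str, Optional[datetime]] = {
    "oms-prod-01": NOW - timedelta(minutes=2),
    "oms-prod-02": NOW - timedelta(minutes=5),
    "risk-engine": NOW - timedelta(days=3),   # onboarded, but silent for days
    "ad-dc-01": NOW - timedelta(minutes=1),
    "hr-portal": NOW - timedelta(hours=1),
    "wiki": None,
    # "settlement-gw" is absent: never onboarded to the SIEM at all
}

# Assumption for this example: a source silent for longer than this is treated as uncovered.
STALE_AFTER = timedelta(hours=24)


def log_coverage_gaps(assets: Dict[str, bool],
                      last_event: Dict[str, Optional[datetime]],
                      now: datetime = NOW,
                      stale_after: timedelta = STALE_AFTER) -> Dict[str, str]:
    """Return {host: reason} for every critical system the SIEM cannot evidence."""
    gaps: Dict[str, str] = {}
    for host, critical in assets.items():
        if not critical:
            continue
        seen = last_event.get(host)
        if seen is None:
            gaps[host] = "no events received: log source not onboarded"
        elif now - seen > stale_after:
            gaps[host] = f"stale source: last event {now - seen} ago"
    return gaps


def audit_scope(assets: Dict[str, bool],
                sample_fraction: float = 0.25,
                seed: int = 2026) -> Dict[str, List[str]]:
    """All critical systems, plus a reproducible sample of non-critical ones (rounded up)."""
    critical = sorted(h for h, c in assets.items() if c)
    non_critical = sorted(h for h, c in assets.items() if not c)
    k = math.ceil(len(non_critical) * sample_fraction)
    rng = random.Random(seed)  # fixed seed: the auditor can regenerate the same sample
    return {"critical": critical, "non_critical": sorted(rng.sample(non_critical, k))}


def coverage_ok(assets: Dict[str, bool], last_event: Dict[str, Optional[datetime]]) -> bool:
    return not log_coverage_gaps(assets, last_event)


if __name__ == "__main__":
    for host, reason in log_coverage_gaps(ASSETS, SIEM_LAST_EVENT).items():
        print(f"GAP  {host}: {reason}")
    scope = audit_scope(ASSETS)
    print("audit scope, critical (100%):", ", ".join(scope["critical"]))
    print("audit scope, non-critical sample (25%):", ", ".join(scope["non_critical"]))
    print("critical log coverage:", "PASS" if coverage_ok(ASSETS, SIEM_LAST_EVENT) else "FAIL")
```

Run this from the inventory that the CISO signs off, not from the SIEM’s own source list; the point is to catch the systems the SIEM has never heard of. Record the seed and the resulting sample in the audit workpapers.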

Phase 3 Audit Readiness & Ongoing Compliance (Month 4+)

Most audit failures arise from documentation and governance gaps, not a lack of technology. Auditors look for:

  • Evidence of control operation, not just existence
  • Board minutes showing cybersecurity review
  • Incident logs, VAPT reports, and patch closure evidence
  • Vendor risk assessment records
  • Training completion records for all staff

Set up quarterly compliance reviews, automate compliance monitoring where possible, and document everything as if an auditor is watching, because eventually one will be.

One Stop Solution for Full Security Stack

From SIEM to Data Loss Prevention (DLP), Mitigata offers every security service at the best market rates.

CERT-In Empanelled Auditors: What You Need to Know

A CERT-In empanelled auditor is a cybersecurity firm officially approved by the Indian Computer Emergency Response Team to conduct IS audits for regulatory purposes. Under CSCRF, only CERT-In empanelled auditors may conduct your mandatory annual cyber audit; internal teams or non-empanelled vendors cannot substitute.

Key rules:

  • Auditors must have at least 3 years of experience in IT audit of banking and financial services.
  • Relevant certifications required: CISA, CISM, GSNA, or CISSP.
  • Three-year tenure rule: After 3 consecutive years with the same audit firm, a 2-year cooling-off period applies. Plan your auditor rotation accordingly.
  • The same firm can conduct both VAPT and the cyber audit, subject to the tenure rule.

Conclusion

Mitigata helps Indian financial firms achieve and maintain SEBI CSCRF compliance, from initial gap assessment through control implementation, CERT-In audit preparation, and ongoing GRC monitoring. Trusted by 800+ clients across 25+ industries, with access to 500+ security tools and expert compliance consultants who know CSCRF from the inside.

Book a call and start your SEBI CSCRF compliance assessment with Mitigata today!

Frequently Asked Questions

1. What is SEBI CSCRF, and why is it mandatory?

SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) establishes mandatory cybersecurity standards for all SEBI-registered entities. It became enforceable in 2025 to protect India’s capital markets from rising cyber threats and ensure operational resilience across financial market infrastructure.

2. Which organisations must comply with SEBI CSCRF in 2026?

All SEBI-registered entities must comply, including stock exchanges, clearing corporations, depositories, stockbrokers, AMCs, portfolio managers, KRAs, RTAs, custodians, and credit rating agencies. Compliance intensity varies by tier. Standalone IAs and RAs were exempted in April 2025; dual-registration firms must check their applicable category.

3. What are the key technical requirements under SEBI CSCRF?

Mandatory technical controls include MFA for critical systems, IAM/PAM, network segmentation, firewalls, IDS/IPS, SIEM, EDR, data encryption, VAPT (annual and post-change), SOC monitoring, and incident response plans. Advanced tiers also require red teaming and post-quantum cryptography risk assessments.

4. What happens if my organisation fails to meet SEBI CSCRF requirements?

NSE penalties start at ₹1,500-₹5,000 per day for non-compliance. SEBI can also impose warnings, operational restrictions, and suspension of registration. Entities must submit remediation plans and face enhanced regulatory oversight until compliance is demonstrated.

5. Who can conduct the mandatory SEBI CSCRF cyber audit?

Only CERT-In empanelled auditors with IS audit experience in BFSI can conduct the mandatory annual cyber audit. After 3 consecutive years with the same firm, a 2-year cooling-off period applies before re-engagement.

6. How much does SEBI CSCRF compliance cost for mid-market firms?

Stockbrokers typically spend ₹2-5 lakh annually, while AMCs and larger entities spend ₹5-15 lakh annually. Integrated compliance platforms and managed SOC services reduce costs by 20-30% versus point-solution approaches.

7. How often must organisations conduct SEBI CSCRF compliance assessments?

Annual cyber audits are mandatory for all tiers. MIIs and Qualified REs must also conduct periodic Cyber Capability Index (CCI) assessments. Best practice is continuous monitoring with quarterly compliance reviews.

Sarang

Sarang Ashokan is a cybersecurity content writer at Mitigata. He writes SEO-focused content that breaks down complex security topics into clear, easy-to-understand ideas. His work helps businesses make sense of cyber risks and stay better prepared, whether they come from a technical background or not.
