3360

SEBI CSCRF Compliance in 2026: Everything Financial Firms Need to Know

SEBI-regulated financial institutions have moved beyond implementing cybersecurity controls; they are now expected to continuously demonstrate cyber resilience. With all…

SEBI-regulated financial institutions have moved beyond implementing cybersecurity controls; they are now expected to continuously demonstrate cyber resilience. With all CSCRF implementation deadlines behind us, the focus in FY 2026-27 has shifted to recurring audits, evidence-based compliance, faster incident reporting, and ongoing governance. Many firms have discovered that having security tools in place is no longer enough; regulators increasingly expect documented processes, tested response plans, third-party risk oversight, and clear evidence that cybersecurity controls are working in practice.

On 20 August 2024, SEBI introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) through Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, replacing multiple legacy cybersecurity circulars with a single risk-based framework. The framework became effective on 1 January 2025 for existing regulated entities and 1 April 2025 for newly covered entities, with all transition deadlines concluding by 31 August 2025. As of FY 2026-27, organisations are now operating under recurring compliance obligations, including periodic cyber audits, VAPT requirements, governance reviews, and half-yearly reporting deadlines.

SEBI has also signalled that supervisory expectations continue to evolve. Its May 2026 Advisory on Emerging Advanced AI Tools for Vulnerability Detection highlights growing regulatory attention on AI-assisted vulnerability assessments, AI-enabled cyber threats, and stronger security monitoring throughout the audit lifecycle.

This guide explains everything financial firms need to know about SEBI CSCRF compliance in 2026, including entity classification, governance requirements, VAPT obligations, incident reporting timelines, third-party risk management, audit expectations, and the most common compliance gaps that organisations should address before their next regulatory review.

Mitigata: Your Partner for SEBI CSCRF Compliance

Mitigata takes an integrated approach to cyber resilience for India’s financial sector, combining compliance services, managed security products, and cyber insurance on a single platform. Regulated entities working with Mitigata do not need to coordinate across multiple vendors to meet SEBI CSCRF requirements.

Mitigata’s services that directly support your SEBI CSCRF compliance journey include:

  • Compliance assessment: SEBI CSCRF Compliance Services that map your current posture against framework requirements, identify gaps, and guide remediation through a structured roadmap.
  • Mitigata Console: Unified risk monitoring across attack surface, data leaks, employee risk, and third-party vendor risk, providing a single view of your compliance exposure.
  • Dark Web Monitoring: Dark Web Monitoring to detect credential or data exposure before a breach occurs.
  • Phishing Simulation: Phishing Simulation and Awareness Training to address one of the most persistent compliance challenges across SEBI-regulated entities.
  • Managed Security: Managed Security Products including EDR, XDR, DLP, SIEM, firewall, and VAPT, all delivered by Mitigata’s in-house security team.
  • DFIR: Digital Forensics and Incident Response services to support your CCMP and ensure a rapid, regulator-ready response when an incident occurs.
  • Cyber Insurance: Smart Cyber Insurance for Businesses covering financial losses from cyber incidents, including regulatory response costs, notification expenses, and business interruption losses.

Mitigata’s compliance services cover SEBI CSCRF alongside DPDP’23, GDPR, HIPAA, and PCI DSS. For regulated entities operating across multiple compliance environments, a single partner addresses the full set of requirements.

Compliance Doesn't Stop At Go-Live

Mitigata continuously monitors your CSCRF posture, so you’re always prepared for the next audit.

Who Must Comply in 2026?

SEBI CSCRF applies to all SEBI-regulated entities (REs) operating in India’s securities market. SEBI uses a five-tier model to classify entities based on their operational scale, client base, trading volume, assets under management, and systemic importance. Your tier determines your audit frequency, SOC obligations, CISO reporting structure, and ISO 27001 certification requirements.

The April 2025 clarifications circular materially revised the classification thresholds. Entities that previously assumed a lower tier should reconfirm their category. Standalone Investment Advisers and Research Analysts registered only in those capacities were exempted from CSCRF under the April 2025 revision, though entities holding dual registrations must carefully check their applicable category.

Entity TypeCompliance Obligation
Stock Exchanges and Clearing CorporationsHighest tier (MII). Mandatory in-house SOC, half-yearly cyber audits, and a board-level cybersecurity committee.
Stockbrokers and Trading MembersTier based on client count and annual trading volume. Brokers with fewer than 1,000 clients and annual trading volume below ₹1,000 crore are exempt.
Depository Participants (CDSL / NSDL)Must implement multi-layered security controls, encryption, and regular VAPT.
Asset Management Companies (AMCs)Tier based on AUM thresholds. Mid-size to Qualified RE obligations, including ISO 27001 certification.
Portfolio ManagersClassified under standard RE tiers by AUM: Self-certification (up to ₹3,000 crore), Small-size (₹3,000–₹10,000 crore), and Mid-size (above ₹10,000 crore).
KYC Registration Agencies (KRAs)Reclassified as Qualified REs (April 2025). Full VAPT, cyber audit, and IT committee obligations now apply.
Registrars and Transfer Agents (RTAs)Qualified RE obligations if meeting threshold criteria; otherwise standard RE controls.
Credit Rating AgenciesStandard RE obligations, including documented governance, VAPT, and incident response plans.

Note: Category is determined at the beginning of each financial year based on the previous year’s data. Brokers with fewer than 1,000 clients and annual trading volume below Rs 1,000 crore are fully exempted. This threshold must be re-verified at the start of every financial year.

Explore this in-depth blog about ISO 27001 Controls Checklist to understand the essential safeguards that strengthen your cybersecurity posture.

The Five-Tier Compliance Model

SEBI CSCRF’s graded structure is its most important architectural element. Obligations scale with systemic importance, which means a smaller intermediary and a major stock exchange face meaningfully different requirements. Understanding your tier is the essential first step before any compliance activity.

TierEntity CategoryAudit FrequencySOC Requirement
Tier 1Market Infrastructure Institutions (MIIs)Half-yearlyMandatory in-house 24/7 SOC
Tier 2Qualified Regulated EntitiesHalf-yearlyManaged SOC or in-house
Tier 3Mid-size Regulated EntitiesAnnual (Half-yearly for IBT/Algo entities)Managed SOC (M-SOC)
Tier 4Small-sized Regulated EntitiesAnnual (Half-yearly for IBT/Algo entities)M-SOC (basic coverage)
Tier 5Self-Certification EntitiesSelf-certificationM-SOC mandatory; <100-client exemption applies only to specified entity types (PMS, DPs, RTAs, and AIFs).

Core Requirements of the Framework

SEBI CSCRF is built around five cyber resilience goals: Anticipate, Withstand, Contain, Recover, and Evolve. Each goal maps to specific governance, technical, and operational controls. The table below summarises the primary control areas and SEBI’s expectations of regulated entities.

Control AreaRequirement Under SEBI CSCRF
GovernanceBoard-approved cybersecurity policy, CISO appointment (at CTO/CIO level for MIIs and Qualified REs), and an IT Committee with an independent external expert.
VAPTMandatory at regular intervals. Annual minimum for most REs; half-yearly for Qualified Stock Brokers. Conducted by CERT-In-empanelled auditors.
SOC and MonitoringContinuous monitoring via SIEM, centralised log collection, and real-time threat detection. Tier 1 entities require a 24/7 in-house SOC.
Incident ResponseDocumented Cyber Crisis Management Plan (CCMP), tested through drills. Initial SEBI notification within 6 hours of detection.
Third-Party RiskVendor due diligence before onboarding, CSCRF compliance clauses in contracts, and ongoing third-party risk monitoring.
ISO 27001 CertificationMandatory for MIIs and Qualified REs. Supports but does not substitute for CSCRF compliance.
Post-Quantum CryptographyAll REs must include post-quantum threat scenarios in periodic risk assessments and maintain cryptographic asset inventories.

One Framework. One Platform.

Mitigata brings VAPT, SIEM, EDR, compliance, and cyber insurance together.

Governance and Risk Management

CSCRF requires your organisation to establish clear ownership of cyber risk at board and senior management level. For MIIs and Qualified REs, the CISO must hold a grade equivalent to the CTO or CIO and report directly to the MD/CEO or ED. An IT Committee with at least one independent external expert must be constituted and must formally review cybersecurity matters on a regular basis.

Periodic cyber risk assessments are mandatory. These must cover IT assets classified as critical based on their sensitivity, connectivity, and impact on core operations. The June 2025 FAQs clarify that REs should consider factors such as PII exposure, potential security risks, and system connectivity when determining criticality.

Cyber Defences and Technical Controls

Technical controls must be implemented, tested, and evidenced. SEBI expects documented proof of implementation during inspections, not just policy documents. Required controls include:

  • Network security: Network security controls
  • EDR: Endpoint Detection and Response (EDR) for device-level threat containment
  • VAPT: VAPT conducted by CERT-In-empanelled auditors at mandated intervals
  • DLP: Data Loss Prevention (DLP) to protect sensitive financial data
  • IAM: Identity and Access Management (IAM) for critical system access
  • SIEM: Security Information and Event Management (SIEM) for real-time log aggregation and threat correlation
  • HSM: Hardware Security Modules (HSMs) for MIIs and Qualified REs, as mandated in the August 2025 technical clarifications

When there are compliance failures, directors may be held personally liable. Discover more in this detailed blog on D&O Insurance Checklist to learn how the right policy helps protect business leaders.

Incident Response and Reporting

All REs must maintain a documented Cyber Crisis Management Plan (CCMP) that defines detection, containment, and recovery procedures. The CCMP must be tested through regular drills. Incident reporting timelines are uniform across tiers: critical incidents must be notified to the SEBI Incident Reporting Portal and CERT-In within six hours of detection. Delays in reporting attract regulatory consequences independent of the incident itself.

The CCMP must also include clear escalation paths and Root Cause Analysis (RCA) procedures. Digital forensics capabilities must be in place to support post-incident investigation requirements.

Third-Party and Supply Chain Risk

SEBI CSCRF places significant compliance obligations on the management of vendor and cloud provider relationships. REs must conduct due diligence before onboarding third-party technology providers, embed CSCRF compliance clauses in service agreements, and monitor vendor cyber risk on an ongoing basis. CSPs must provide data access during regulatory investigations, and SLAs must include clear escalation procedures for forensic evidence requests.

For publicly listed financial entities, cyber incidents that materially affect operations or result in data breaches may constitute price-sensitive information requiring disclosure under the SEBI LODR Regulations.

Your Vendors Are Your Responsibility

Mitigata continuously monitors third-party cyber risk before it becomes your problem.

Common Compliance Gaps Financial Firms Face

As SEBI’s supervisory teams review FY 2025-26 audit submissions, several execution gaps have emerged consistently across regulated entities. Awareness of the framework is widespread; the failures are in implementation depth and documented evidence.

  • Incomplete or outdated risk documentation where periodic assessments exist but are not linked to formal treatment plans.
  • Tier miscategorisation following the April 2025 threshold revisions, resulting in incorrect audit scope and SOC planning.
  • Insufficient VAPT coverage, particularly for entities that conducted assessments only across partial systems or failed to close findings within prescribed timelines.
  • A CCMP that exists on paper but has never been tested through a structured drill, leaving incident response readiness unverified.
  • Siloed security tools generating data without integration into a unified monitoring environment, undermining SOC effectiveness.
  • Gaps in employee awareness training, leaving staff exposed to phishing and social engineering, which remain the most common initial access vectors for cyberattacks.
  • No formal vendor risk register, meaning third-party relationships lack documented due diligence or contractual CSCRF compliance obligations.
  • No cryptographic asset inventory, now required as part of post-quantum cryptography preparedness per the SEBI CSCRF and the May 2026 AI advisory guidance.

Every business faces cyber risk, but not every business is financially prepared for it. Explore Cyber Insurance to discover what comprehensive cyber coverage should include.

Conclusion

SEBI CSCRF has completed its transition from a new regulatory framework to a live audit obligation. All implementation deadlines have passed, and SEBI’s supervisory teams are actively reviewing compliance submissions. For regulated entities, the question is no longer whether to comply, but whether their compliance posture is documented, tested, and evidenceable under audit scrutiny.

The framework’s five-tier model means that obligations scale with your organisation’s size and systemic importance. Whether you are a large AMC preparing for your next ISO 27001 certification or a mid-size stockbroker establishing your first managed SOC, the compliance requirements are specific to your category and cannot be generalised.

The most common failures observed in FY 2025-26 audit cycles are not due to a lack of awareness of the framework. They are in execution depth, particularly around VAPT remediation evidence, CCMP testing, vendor risk registers, and post-quantum cryptography readiness. Addressing these gaps before your next audit cycle is the most direct path to regulatory confidence.

Mitigata provides end-to-end SEBI CSCRF compliance support, from gap assessment and policy creation through VAPT, managed security, and cyber insurance. Book a free call and let Mitigata’s in-house experts take the complexity off your compliance team.

Frequently Asked Questions

1. What is the difference between SEBI CSCRF and ISO 27001?

SEBI CSCRF is a mandatory regulatory framework specific to SEBI-regulated financial entities in India. ISO 27001 is a globally recognised voluntary information security management standard. SEBI CSCRF draws on similar principles but carries direct regulatory authority, with non-compliance exposing regulated entities to penalties and enforcement action. ISO 27001 certification is a mandatory requirement for MIIs and Qualified REs under CSCRF, but it does not substitute for CSCRF compliance itself.

2. What happens if my organisation fails a SEBI CSCRF audit?

SEBI can issue regulatory directions, impose financial penalties, or restrict operations depending on the severity of non-compliance. Beyond formal penalties, a failed audit can damage your organisation’s standing with clients, counterparties, and institutional investors. Proactive gap remediation before the audit cycle is substantially less costly than managing regulatory consequences after the fact.

3. How often must we conduct VAPT under SEBI CSCRF?

Vulnerability Assessment and Penetration Testing must be conducted at regular intervals by CERT-In-empanelled auditors. For most regulated entities, the minimum cadence is annual. Qualified Stock Brokers are subject to a half-yearly requirement. More frequent assessments are required following significant system changes. VAPT findings must be remediated within prescribed timelines, and evidence of closure must be maintained for audit submission.

4. Does cyber insurance satisfy SEBI CSCRF compliance requirements?

Cyber insurance does not substitute for the governance and technical controls required under SEBI CSCRF. It is a recognised component of a comprehensive cyber resilience strategy that covers financial losses from incidents, including regulatory response costs and business interruption losses. Mitigata’s Smart Cyber Insurance for Businesses is designed to complement, not replace, the operational controls your organisation must implement under the framework.

5. What is the mandatory incident reporting timeline under SEBI CSCRF in 2026?

Incident reporting requirements are uniform across all tiers. For critical incidents, initial notification must be submitted to the SEBI Incident Reporting Portal and to CERT-In within six hours of detection. Your Cyber Crisis Management Plan must include escalation procedures and accountable owners who can consistently meet this timeline.

6. Can smaller stockbrokers and advisers use Mitigata’s compliance services?

Yes. Mitigata’s compliance and security services are scaled to meet the requirements of regulated entities across all SEBI CSCRF tiers, from smaller registered advisers and brokers to large AMCs and MIIs. The Mitigata Console and managed security products are designed to provide enterprise-grade protection without requiring a large in-house security team.

7. How does Mitigata help with third-party risk management under SEBI CSCRF?

The Mitigata Console includes dedicated employee and Third-Party Risk monitoring, enabling your organisation to assess and track the cyber risk posture of vendors and partners on an ongoing basis. This supports the due diligence, contractual compliance, and continuous monitoring obligations that SEBI CSCRF places on regulated entities for their supply chains and cloud service providers.

8. What do the May 2026 AI vulnerability detection guidelines mean for my compliance programme?

SEBI’s May 2026 Advisory on Emerging Advanced AI Tools for Vulnerability Detection introduced 10 annexure directives, including guidance on AI-assisted vulnerability assessment tooling, faster M-SOC onboarding, and SBOM asset inventory maintenance. The advisory is not mandatory, but it signals clear supervisory direction for FY 2026-27. Compliance programmes should incorporate AI vulnerability assessment into their next VAPT cycle and document the IT Committee’s discussion of the advisory as audit evidence.

Sarang

Sarang Ashokan is a cybersecurity content writer at Mitigata. He writes SEO-focused content that breaks down complex security topics into clear, easy-to-understand ideas. His work helps businesses make sense of cyber risks and stay better prepared, whether they come from a technical background or not.

Leave a Reply

Your email address will not be published. Required fields are marked *