Cybersecurity is no longer just an IT concern—it’s a boardroom priority. With financial systems becoming increasingly digital, the stakes have never been higher. Recognizing the urgent need for structured cyber governance, the Securities and Exchange Board of India (SEBI) introduced the Cyber Security and Cyber Resilience Framework (CSCRF)—a game-changer for India’s financial markets.
In this blog, we break down what SEBI’s CSCRF is, who it affects, what it requires, and why businesses can’t afford to overlook it.
What is SEBI’s Cyber Security and Cyber Resilience Framework?
Introduced to safeguard India’s financial infrastructure from escalating cyber threats, the CSCRF lays out a comprehensive blueprint for regulated entities (REs) to protect themselves and the larger ecosystem. It mandates a proactive and resilient approach to cyber risks.
SEBI first rolled out the framework for specific entities like stock exchanges and depositories in 2015. Over time, it has extended the scope to cover:
- Asset Management Companies (AMCs)
- Portfolio Managers
- Alternative Investment Funds (AIFs)
- Mutual Fund Trustees
- KYC Registration Agencies (KRAs)
- Investment Advisors and Research Analysts
- Brokers and Market Infrastructure Institutions
The latest guidelines came into effect in October 2023, with different timelines for compliance based on the type of regulated entity.
Why Was the Framework Introduced?
India’s financial institutions are increasingly attractive targets for cyberattacks—from ransomware to phishing to data theft. According to CERT-In, India witnessed a 20% increase in financial sector cyberattacks from 2021 to 2023 alone.
SEBI recognized that a cyber incident at even one node of the financial system could trigger widespread disruption. Thus, the CSCRF was introduced with two core goals:
- Prevent cyber breaches through structured risk assessment, monitoring, and early warning mechanisms.
- Ensure resilience, so that even if an attack occurs, the institution can recover swiftly with minimal damage.
Who Must Comply?
SEBI has taken a phased approach in rolling out CSCRF, ensuring that all significant players in the securities market are brought under its ambit. The compliance requirement now applies to:
- All Mutual Funds and AMCs
- Portfolio Managers
- AIFs and their managers
- Market Infrastructure Institutions (MIIs) – including Stock Exchanges, Clearing Corporations, and Depositories
- Registrars to an Issue and Share Transfer Agents (RTAs)
- KYC Registration Agencies (KRAs)
- Stock Brokers and Sub-Brokers
- Investment Advisers and Research Analysts
Each entity is responsible for drafting a cybersecurity policy tailored to its own operations and risk profile, while conforming to the core principles SEBI lays down in the framework.
Key Components of the CSCRF
The framework requires each entity to adopt a risk-based, multi-layered approach. Here’s what that includes:
1. Cybersecurity Governance
Organizations must define clear roles and responsibilities for cybersecurity. This includes board-level oversight and, in some cases, appointing a Chief Information Security Officer (CISO).
2. Periodic Cyber Risk Assessments
Entities must conduct bi-annual or annual risk assessments, identifying gaps and threats that could impact operations.
3. Security Operations Center (SOC) Implementation
Larger entities must set up or integrate with an SOC for real-time monitoring, incident detection, and response.
4. Incident Reporting
Any cyber incident—no matter how minor—must be reported to SEBI and CERT-In within 6 hours, aligning with India’s broader cyber incident response mandate.
5. Data Protection & Access Control
Strict controls must be in place for user access, encryption, and secure data storage. Zero Trust principles are encouraged.
6. Business Continuity & Disaster Recovery
Firms must develop and routinely test a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure minimal downtime in the event of an attack.
7. Vendor and Third-Party Risk Management
Since third-party vendors are often weak links, SEBI mandates that entities vet and monitor all vendors handling sensitive systems or data.
When Did the Rules Take Effect?
- The finalized guidelines for Portfolio Managers and AIFs came into effect on October 1, 2023.
- Stockbrokers, Mutual Funds, KRAs, and others were given specific implementation deadlines between Q4 2023 and Q2 2024, based on entity size and risk profile.
SEBI also requires annual internal and third-party audits to ensure compliance is not just on paper but actively enforced.
What Happens If You Don’t Comply?
Non-compliance with the CSCRF doesn’t just result in regulatory penalties. It leaves organizations vulnerable to:
- Financial loss from cyber fraud or ransom
- Loss of client trust and brand reputation
- Operational downtime during and after an attack
- Legal consequences under the Information Technology Act and other financial sector regulations
SEBI has made it clear that ignorance won’t be tolerated—entities failing to comply may face audits, public censure, or even license revocation in extreme cases.
Why SEBI’s CSCRF Matters More Than Ever
In a hyper-connected financial world, a single breach can trigger a domino effect across institutions. SEBI’s CSCRF ensures a unified, coordinated defense against such risks. It’s not just about compliance; it’s about survival and sustainability.
Moreover, this framework pushes Indian financial institutions to align with global best practices—something investors increasingly look for when choosing where to park their funds.
Final Thoughts
SEBI’s Cyber Security and Cyber Resilience Framework is more than a regulatory checklist—it’s a survival manual for modern financial organizations. By prioritizing governance, preparedness, and resilience, it’s helping to transform cybersecurity from a siloed IT task into an enterprise-wide imperative.
If your organization falls under SEBI’s purview and you’re unsure where to begin—start with awareness, leadership commitment, and a comprehensive cybersecurity roadmap. The time to act is now.