SEBI's Cybersecurity and Cyber Resilience Framework — the CSCRF — was issued in August 2024 and, after a phased rollout extended through the first half of 2025, now applies across SEBI's Regulated Entities. It folds a decade of separate cyber circulars for stock exchanges, depositories, brokers, mutual funds and other intermediaries into one cyber-resilience framework with a graded, size-proportionate set of obligations. If your last cybersecurity assessment was scoped to the old circular for your segment, the CSCRF is where you re-baseline.
The shift in spirit is from cybersecurity to cyber resilience: not just preventing incidents but proving you can anticipate, withstand, contain, recover from and evolve past them. The framework maps controls to the NIST Cybersecurity Framework functions — including the newer Govern function — and grades how much of the stack you must implement by how systemically important you are. Below we walk through the parts a SEBI inspection or a CERT-In empanelled cyber audit will actually test, framed as a readiness review you can take into a board or technology-committee meeting. The clauses are SEBI's; the operational framing is ours.
1. The graded model — which category are you?
The single most important thing to get right first is your category, because it determines how much of the framework binds you. The CSCRF sorts REs into a small number of tiers by thresholds such as client count, trade volume, assets under management or systemic role. Misclassifying yourself one tier too low is the fastest route to an adverse inspection finding.
| Category | Who typically lands here | Obligation intensity |
|---|---|---|
| Market Infrastructure Institutions (MIIs) | Exchanges, clearing corporations, depositories | Highest — full stack, third-party CCI, most frequent testing |
| Qualified REs | Larger brokers, AMCs and intermediaries above SEBI thresholds | High — most controls, self-assessed CCI, periodic VAPT/audit |
| Mid-size REs | Mid-tier intermediaries | Moderate — core controls and SOC coverage, periodic audit |
| Small-size REs | Smaller intermediaries | Proportionate baseline; Market-SOC option for monitoring |
| Self-certification REs | The smallest entities | Baseline hygiene with self-certification of compliance |
CSCRF graded categories — indicative obligation levels (confirm your exact thresholds against the circular)
2. The Cyber Capability Index (CCI)
The CSCRF introduces the Cyber Capability Index — a maturity-scoring mechanism that turns 'are we resilient?' into a measurable number across defined parameters. It is the metric SEBI uses to compare resilience over time and across the market, so the score is not a vanity exercise — it is reported and tracked.
- MIIs assess the CCI on the most frequent cadence and through independent third-party validation, with the results placed before their governing/technology committee.
- Qualified REs compute the CCI through self-assessment on a periodic (typically annual) basis and retain the working papers behind the score.
- Score each parameter against real evidence, not intent — an unimplemented control scored as 'in place' is exactly what an auditor re-tests first.
- Use the CCI as your programme backlog: the lowest-scoring parameters are your remediation priorities for the next cycle.
3. The SOC mandate — own, group or Market-SOC
The CSCRF expects continuous security monitoring, but recognises that not every RE can stand up a 24x7 Security Operations Centre. It therefore offers a graded path to SOC coverage so smaller entities are not pushed into a control they cannot sustain.
- Own SOC: larger REs and MIIs run their own (or a group/parent) SOC with defined use-cases, log coverage of critical systems, KRIs and escalation.
- Market-SOC (M-SOC): smaller REs can subscribe to a Market-SOC facility offered through the exchanges/depositories, satisfying the monitoring obligation without building in-house.
- Whichever route, the controls SEBI tests are the same: centralised tamper-evident logging, defined retention, monitored use-cases mapped to your threats, and evidence the SOC actually triages and escalates — not just collects logs.
4. The control stack auditors will test
Beyond governance and monitoring, the CSCRF operationalises a stack of technical controls. These are the areas a CERT-In empanelled cyber auditor — whom many REs must engage — will ask to see evidence for.
| Control area | What 'in place' looks like | Evidence to keep ready |
|---|---|---|
| VAPT | Periodic VAPT of internet-facing and critical systems; scope tied to exposure; re-tests for closure | VAPT reports, remediation tracker, re-test sign-off, auditor empanelment proof |
| SBOM | Software Bill of Materials maintained for critical/in-house applications | Component inventory, version/CVE tracking, update trail |
| ISO 27001 alignment | ISMS scoped to in-scope systems; certification where the category requires it | ISO 27001 certificate / SoA, internal-audit and management-review records |
| Data classification & protection | Data classified by sensitivity; encryption at rest/in transit; DLP where warranted | Classification policy, crypto inventory, key-rotation records |
| Access management | Least privilege, MFA, periodic access reviews, privileged-access controls | Access-review evidence, PAM logs, joiner/mover/leaver trail |
| Audit logging & retention | Centralised logs, defined retention, review cadence | Retention policy, SIEM coverage map, review evidence |
CSCRF technical controls — what 'in place' looks like and the evidence to keep ready
5. Incident reporting and the CERT-In overlap
The CSCRF sets cyber-incident reporting obligations to SEBI (via the relevant exchange/depository channels), and these sit on top of — not instead of — CERT-In's national directions. A regulated entity that suffers an incident has two clocks running at once.
Your next 30 / 60 / 90 days
- Confirm your CSCRF category in writing with threshold evidence behind it — every other decision depends on it.
- Run a control-by-control gap assessment against the framework scoped to your category, and turn the gaps into a dated remediation plan.
- Stand up or confirm SOC coverage — own/group SOC or Market-SOC — with monitored use-cases mapped to your real threats and evidence of triage.
- Close the technical-control gaps auditors test hardest: exposure-tiered VAPT with re-tests, an SBOM for critical applications, access reviews and MFA, and centralised logging with defined retention.
- Compute (or validate) your Cyber Capability Index from real evidence, and use the lowest-scoring parameters as the backlog for the next cycle.
- Pre-wire the dual SEBI + CERT-In incident-reporting runbook and dry-run it, so both clocks are met from muscle memory rather than improvisation.
How Macksofy helps
As a CERT-In empanelled auditor working across Indian capital-market and BFSI entities, Macksofy runs CSCRF readiness end to end: category confirmation and a control-by-control gap assessment, Cyber Capability Index support, exposure-tiered VAPT with documented re-tests, SOC design or managed monitoring, and the audit evidence a SEBI inspection expects. See our SEBI CSCRF audit for the dedicated engagement and the SEBI MII framework for market-infrastructure scope, continuous VAPT for the vulnerability-management cadence, managed SOC for monitoring and the CISO-as-a-service option, ISO 27001 consulting for the ISMS the framework leans on, the CERT-In empanelled audit for the empanelled-audit scope, and our BFSI practice for how we tailor all of this to regulated finance. CSCRF and the RBI Cyber Security Framework map to one evidence base — we run them as a single programme rather than parallel tracks.
