
SEBI CSCRF: Cyber Security and Cyber Resilience Framework Compliance Guide

10 min read · CISO · Compliance · IT Security · March 2026

SEBI CSCRF — Overview

The Securities and Exchange Board of India's Cyber Security and Cyber Resilience Framework (CSCRF) applies to all SEBI-regulated entities, including:

  • Market Infrastructure Institutions (MIIs): stock exchanges, clearing corporations and depositories
  • Intermediaries such as stockbrokers, depository participants, mutual funds and asset management companies (AMCs)
  • Other Regulated Entities (REs) such as investment advisers, research analysts and KYC registration agencies

The framework, issued in August 2024 as a consolidation of SEBI's earlier cybersecurity circulars, classifies regulated entities into five categories based on operational criticality and size thresholds (for example, number of clients or assets under management) and prescribes tiered security requirements accordingly. An entity's category is therefore determined by its scale and systemic importance, not by its licence type alone: a stockbroker may fall into any of the RE tiers below.

The Five Entity Categories

| Category              | Entity Type                                   | Security Tier                        |
|-----------------------|-----------------------------------------------|--------------------------------------|
| MII                   | Stock exchanges, clearing corps, depositories | Highest: comprehensive framework     |
| Qualified RE          | Large brokers, AMCs, mutual funds             | Enhanced controls                    |
| Mid-size RE           | Mid-size brokers, DPs                         | Baseline + enhanced                  |
| Small RE              | Small brokers, investment advisers            | Baseline                             |
| Self-certification RE | Very small entities                           | Simplified self-certification        |

Core Requirements Across All Categories

Governance

  • Board-approved Cyber Security Policy
  • Designated Chief Information Security Officer
  • IT Security Committee with executive representation
  • Annual cyber security audit

Technical Controls

Network Security:

  • Network segmentation between trading systems, back-office systems, and internet-facing systems
  • Intrusion detection and prevention systems
  • Web application firewalls for all internet-facing applications

Access Management:

  • Role-based access control with documented roles
  • Privileged access management
  • Multi-factor authentication for remote access and privileged operations
  • Annual access review with documented certification

Data Protection:

  • Classification of all data assets
  • Encryption of sensitive investor and trading data
  • Data loss prevention controls

Endpoint Security:

  • Anti-malware on all endpoints
  • Patch management programme
  • Mobile device management for BYOD environments

Incident Response

  • Documented incident response plan
  • Tabletop exercises at least annually
  • Mandatory reporting of cyber incidents to SEBI within 6 hours of detection (the clock starts when the entity notices the incident, not when it is fully analysed)
  • Post-incident review and lessons learned documentation

Third-Party Risk

  • Security due diligence for all critical IT vendors
  • Contractual security requirements
  • Annual vendor security review
  • Exit planning for critical vendors

CSCRF and DPDP Alignment

SEBI-regulated entities handling investor personal data have dual obligations: CSCRF for cybersecurity and the Digital Personal Data Protection Act, 2023 (DPDP Act) for data protection. The frameworks are complementary, and evidence produced for one can often be reused for the other:

  • CSCRF access controls → DPDP data access limitation
  • CSCRF data classification → DPDP data categorisation
  • CSCRF incident reporting → DPDP breach notification
  • CSCRF third-party controls → DPDP processor obligations
  • CSCRF security audit → DPDP assurance evidence
DPDP Assurance Platform

Assess your compliance against SEBI CSCRF

The CreativeCyber DPDP Assurance Platform includes SEBI CSCRF as a mapped control pack — run a gap assessment, generate evidence, and produce audit-ready reports.

