In SEBI's 2023–24 inspection cycle, ID.2 — Third-Party Risk Management — was cited as the #2 most common gap across all regulated entity categories, behind only ID.1 (Identity and Access Management). Yet most CISOs treat TPRM as a contract management problem rather than a cyber risk management discipline.
The stakes are significant. SEBI does not distinguish between a breach caused directly by a regulated entity and one caused by a vendor acting on its behalf. The licence holder bears full liability. With DPDP Act penalties of up to ₹250 crore for data protection failures — including those caused by vendors — the cost of an inadequate TPRM programme has never been higher.
SEBI CSCRF Identify domain sub-category ID.2 covers the full lifecycle of third-party cyber risk management. The framework requires regulated entities to demonstrate:
The most important TPRM decision is vendor tiering — the basis for all subsequent assessment frequency, contractual requirements, and monitoring intensity. SEBI expects a documented, risk-based rationale for each vendor's tier assignment.
| Tier | Description | Examples | Assessment Frequency |
|---|---|---|---|
| Tier 1 — Critical | Direct access to core systems or regulated data; failure could halt operations | CBS (Finacle/Temenos), payment switches, cloud infrastructure (AWS/Azure), NPCI gateway, SIEM platform | Semi-annual; on-site audit right |
| Tier 2 — Important | Indirect access or supporting functions; significant but manageable failure impact | HR system, CRM, analytics platform, cybersecurity tools, email security gateway | Annual; questionnaire + call |
| Tier 3 — Standard | No system access; low data sensitivity; easily replaceable | Stationery, office maintenance, training providers, event management | Onboarding only; contract review |
During an inspection, SEBI may request 2–3 vendor contracts for review. These six clauses are specifically checked — their absence is a finding:
1. Right to audit. The regulated entity must retain the right to conduct or commission a security audit of the vendor's systems and processes, on reasonable notice (typically 30 days). This right should extend to sub-contractors who access regulated data. Many legacy contracts signed before CSCRF was enforced lack this clause, which is a SEBI finding if uncorrected.
2. Incident notification within 2 hours. Vendors must notify the regulated entity of any security incident affecting shared systems or data within 2 hours of discovery, consistent with the 6-hour CERT-In reporting window that the regulated entity itself must meet. A 24-hour or "reasonable time" SLA does not satisfy CSCRF ID.2.
3. Data return and deletion on exit. Upon contract termination, the vendor must return all regulated data in a specified format within a defined period (typically 30 days) and provide a certificate of deletion. The deletion must include backups and disaster recovery copies. This is the "exit strategy" element of ID.2.6.
4. Sub-contractor disclosure and approval. The vendor must disclose all sub-contractors who will access the regulated entity's data or systems, and obtain prior written approval before adding new sub-contractors. This provision prevents "fourth-party risk" from materialising invisibly, a growing concern as cloud vendors increasingly chain sub-processors.
5. Access provisioning and deprovisioning. Vendor access must follow a formal provisioning process aligned with the regulated entity's IAM policy. Access must be deprovisioned within 24 hours of contract termination or personnel change. Shared service accounts for vendor access are specifically prohibited under SEBI CSCRF ID.1.
6. Baseline security requirements. The contract must specify baseline security requirements: MFA for remote access, encryption of regulated data in transit and at rest, a patch management SLA (critical patches within 30 days), and compliance with applicable Indian regulations (CERT-In, DPDP where applicable).
SEBI does not distinguish between a breach caused by you and one caused by your vendor — the licence holder is liable. Your TPRM programme is your first line of defence against inherited liability.
SEBI expects vendor risk tier assignments to be supported by an inherent risk score, not just judgment. A defensible scoring model weighs four dimensions, each rated on the same scale:
Inherent Risk Score = (Data Sensitivity × 0.35) + (System Criticality × 0.35) + (Geography × 0.15) + (Concentration × 0.15). The weights sum to 1.0, so the score lands on the same scale as the four ratings. A score above 3.5 places the vendor in Tier 1 automatically, overriding any lower tier proposed on judgment alone.
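As an added worked example (not code from the page or from RiskSage), the scoring model, the Tier 1 override, the assessment cadence from the tiering table and the six-clause contract check are applied below to a small constructed vendor register. Three assumptions the page does not state: each dimension is rated 1 (low) to 5 (high); a vendor whose score does not exceed 3.5 keeps the tier the analyst proposed, since the page gives no score thresholds for Tier 2 or Tier 3; and "semi-annual" is taken as 182 days. Vendor names, ratings and dates are invented for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Weights from the article's formula, kept as whole percentages so the
# weighted sum is exact (0.35 + 0.35 + 0.15 + 0.15 = 1.00).
WEIGHTS = {"data_sensitivity": 35, "system_criticality": 35,
           "geography": 15, "concentration": 15}
TIER1_THRESHOLD = 3.5            # article: a score above 3.5 is Tier 1 automatically
RATING_MIN, RATING_MAX = 1, 5    # assumption: each dimension is rated 1 (low) to 5 (high)

# The six contractual clauses the article says inspectors look for.
REQUIRED_CLAUSES = (
    "right_to_audit",
    "incident_notification_2h",
    "data_return_and_deletion",
    "subcontractor_disclosure",
    "access_provisioning_24h_deprovisioning",
    "baseline_security_requirements",
)

# Reassessment interval per tier from the tiering table; Tier 3 is onboarding only.
ASSESSMENT_INTERVAL_DAYS = {1: 182, 2: 365, 3: None}   # 182 = semi-annual (assumption)


@dataclass
class Vendor:
    name: str
    proposed_tier: int                 # analyst judgment before the score is applied
    ratings: dict                      # dimension -> rating on RATING_MIN..RATING_MAX
    clauses_present: set = field(default_factory=set)
    last_assessed: Optional[date] = None


def inherent_risk_score(ratings: dict) -> float:
    """Weighted sum from the article, validated against the rating scale."""
    if set(ratings) != set(WEIGHTS):
        raise ValueError(f"expected dimensions {sorted(WEIGHTS)}, got {sorted(ratings)}")
    for dim, value in ratings.items():
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{dim}={value} is outside {RATING_MIN}..{RATING_MAX}")
    return sum(WEIGHTS[d] * ratings[d] for d in WEIGHTS) / 100


def assign_tier(proposed_tier: int, score: float) -> int:
    """A score above the threshold forces Tier 1; otherwise keep the proposed tier."""
    if proposed_tier not in (1, 2, 3):
        raise ValueError("tier must be 1, 2 or 3")
    return 1 if score > TIER1_THRESHOLD else proposed_tier


def contract_gaps(vendor: Vendor) -> list:
    """Clauses from the article's list that this vendor's contract lacks."""
    return [c for c in REQUIRED_CLAUSES if c not in vendor.clauses_present]


def next_assessment_due(tier: int, last_assessed: Optional[date], today: date):
    interval = ASSESSMENT_INTERVAL_DAYS[tier]
    if interval is None:
        return None                    # Tier 3: no periodic reassessment
    if last_assessed is None:
        return today                   # never assessed: due immediately
    return last_assessed + timedelta(days=interval)


def review_register(vendors, today: date) -> list:
    """One row per vendor: score, final tier, override flag, clause gaps, overdue flag."""
    rows = []
    for v in vendors:
        score = inherent_risk_score(v.ratings)
        tier = assign_tier(v.proposed_tier, score)
        due = next_assessment_due(tier, v.last_assessed, today)
        rows.append({
            "vendor": v.name,
            "score": score,
            "tier": tier,
            "overridden": tier != v.proposed_tier,
            "contract_gaps": contract_gaps(v),
            "assessment_overdue": due is not None and due < today,
        })
    return rows


# Constructed sample register: invented vendors, ratings and dates.
TODAY = date(2025, 4, 1)
SAMPLE_VENDORS = [
    Vendor("Cloud IaaS provider", proposed_tier=2,
           ratings={"data_sensitivity": 5, "system_criticality": 5,
                    "geography": 3, "concentration": 4},
           clauses_present=set(REQUIRED_CLAUSES) - {"subcontractor_disclosure"},
           last_assessed=TODAY - timedelta(days=200)),
    Vendor("HR platform", proposed_tier=2,
           ratings={"data_sensitivity": 3, "system_criticality": 2,
                    "geography": 1, "concentration": 2},
           clauses_present=set(REQUIRED_CLAUSES),
           last_assessed=TODAY - timedelta(days=100)),
    Vendor("Training provider", proposed_tier=3,
           ratings={"data_sensitivity": 1, "system_criticality": 1,
                    "geography": 1, "concentration": 1},
           clauses_present={"baseline_security_requirements"}),
]

if __name__ == "__main__":
    for row in review_register(SAMPLE_VENDORS, TODAY):
        print(row)
```

The first sample vendor is the case the override rule exists for: the business owner proposed Tier 2, but a score of 4.55 forces Tier 1, which in turn shortens the reassessment interval and makes a 200-day-old assessment overdue. The missing sub-contractor clause is reported as a contract gap regardless of tier, because the article treats the absence of any of the six clauses as a finding.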
SEBI's inspection framework implicitly assesses TPRM maturity. Understanding where your programme sits helps prioritise remediation before an inspection:
| Level | Characteristics | SEBI Inspection Outcome |
|---|---|---|
| Ad-hoc | No formal vendor register. Contracts reviewed only at signing. No risk tiering. Vendor incidents unknown until they cause outages. | Multiple major findings. Likely remediation action with timeline. |
| Managed | Vendor register exists. Annual assessments for key vendors. Tier 1/2/3 classification in place. Contractual controls partially implemented. | Minor findings. Observations on monitoring frequency and documentation gaps. |
| Optimised | Full vendor inventory with inherent risk scores. Continuous monitoring for Tier 1. Automated contract tracking. Sub-contractor visibility. Documented exit tested annually. | Clean or single observation. SEBI inspection confidence. |
AI-Powered Vendor Risk Scoring
Import your vendor list, and RiskSage AI applies the inherent risk scoring model, assigns tiers, flags contractual gaps, and generates an ID.2-compliant TPRM report ready for your SEBI inspection pack.