
SEBI Cybersecurity Framework Checklist

Capital Markets & Intermediary Cyber Resilience

Overview

The Securities and Exchange Board of India (SEBI) issued the Cybersecurity and Cyber Resilience Framework (CSCRF) in June 2023, replacing its earlier cybersecurity guidelines. CSCRF applies to all SEBI-regulated entities including stock exchanges, depositories, clearing corporations, mutual funds, stockbrokers, portfolio managers, and other market intermediaries. The framework sets detailed prescriptive requirements across governance, protection, detection, response, and recovery, with compliance deadlines phased by entity type.

Applicability by Entity Category

Category | Entities | Compliance Standard
Market Infrastructure Institutions (MIIs) | Stock exchanges, depositories, clearing corporations | Highest standard with dedicated SOC and CERT-Fin integration
Qualified RTs | Large brokers, depository participants with high trading volumes | Dedicated cybersecurity team and comprehensive controls
Mid-size RTs | Medium-sized intermediaries | Security operations with third-party SOC option
Small-size RTs | Small brokers, investment advisors, research analysts | Basic security controls with managed services option
Self-certification RTs | Entities below specified thresholds | Self-assessment with periodic compliance reporting

Governance Requirements

The Board or senior management must approve the cybersecurity policy and allocate adequate resources for implementation. A Technology Committee must be constituted with cybersecurity as a standing agenda item. A designated CISO (or equivalent) must be appointed with direct reporting to the MD/CEO and the Board. The cybersecurity policy must be reviewed and updated at least annually. A Cyber Resilience Plan covering business continuity, disaster recovery, and incident response must be documented and tested. Board members must receive cybersecurity awareness training at least annually.

Technical Implementation Checklist

  • Establish or engage a Security Operations Centre (SOC) for continuous monitoring
  • Deploy network security controls including firewalls, IDS/IPS, and DLP solutions
  • Implement multi-factor authentication for all critical systems and remote access
  • Conduct Vulnerability Assessment and Penetration Testing (VAPT) by CERT-In empaneled auditors at least twice yearly
  • Deploy endpoint detection and response (EDR) solutions across all endpoints
  • Implement email security with anti-phishing, anti-spoofing, and DMARC controls
  • Establish a patch management process with critical patches applied within defined SLAs
  • Implement data encryption at rest and in transit for sensitive and personal data
  • Deploy privileged access management (PAM) solutions for administrative accounts
  • Maintain comprehensive audit logs with minimum 2-year retention
  • Conduct red team exercises annually for MIIs and Qualified RTs

Incident Response and Reporting

All cyber incidents must be reported to SEBI within 6 hours of detection. MIIs must also report to CERT-In and RBI concurrently, as applicable. The framework requires detailed incident classification, root cause analysis, and a corrective action plan submitted within 14 days of incident closure. SEBI expects regulated entities to participate in sector-wide cyber exercises conducted by CERT-Fin (CERT for the financial sector). Post-incident, entities must demonstrate steps taken to prevent recurrence through verifiable evidence.

Common Audit Findings

  • Insufficient segregation of duties for database and system administrators
  • Inadequate network segmentation between trading, clearing, and corporate networks
  • Missing or incomplete asset inventory covering all hardware, software, and data assets
  • Weak API security controls in trading platforms and client-facing applications
  • Delayed patching of critical vulnerabilities beyond the prescribed SLA
  • Lack of formalized vendor risk assessment for technology service providers
  • Insufficient board-level reporting on cybersecurity metrics and incidents

Frequently Asked Questions

What is the CSCRF compliance deadline?
Compliance deadlines are phased by entity type. MIIs and Qualified RTs had earlier deadlines in 2024. Mid-size and small-size RTs have extended timelines. SEBI has issued specific circular-level guidance on compliance dates for each category. Check the latest SEBI circulars for your entity type.
Can we use a third-party SOC?
MIIs must establish their own dedicated SOC. Qualified and mid-size RTs can use managed SOC services from empaneled providers. Small-size RTs can leverage third-party security monitoring services. The outsourcing entity remains fully responsible for compliance regardless of the SOC model.
What is CERT-Fin's role?
CERT-Fin (Computer Emergency Response Team for the Financial Sector) is a specialized body that coordinates cyber incident response across the Indian financial sector. MIIs must integrate with CERT-Fin for threat intelligence sharing, incident coordination, and participation in sector-wide cyber exercises.
How does CSCRF relate to RBI cybersecurity requirements?
Entities regulated by both SEBI and RBI (such as banks with broking operations) must comply with both frameworks. While there is significant overlap, SEBI CSCRF has specific requirements for capital market operations, trading infrastructure, and market data that go beyond RBI guidelines. A unified compliance program can address both.
What are the penalties for non-compliance?
SEBI can impose penalties under the SEBI Act and related regulations, including monetary penalties, suspension of registration, and restrictions on business operations. Non-compliance with cybersecurity requirements is increasingly treated as a material regulatory breach during SEBI inspections.
