Navigating SEBI’s Cybersecurity And Cyber Resilience Framework: Key Clarifications For SEBI Regulated Entities

The Securities and Exchange Board of India (SEBI) in August 2024 issued a circular on “Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities” to address the evolving cyber threats, to align with the industry standards, to encourage efficient audits and to ensure compliance by SEBI Regulated Entities.

Recently, intending to provide better clarity on several concepts related to CSCRF and also to provide a framework for the adoption of cloud services, on June 11, 2025, SEBI released detailed Frequently Asked Questions (FAQs) on Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI REs and Framework for Adoption of Cloud Services by SEBI REs, followed by clarifications and explanations for the benefit of the Regulated Entities governed by SEBI. The present article succinctly encapsulates the clarification and explanations provided by SEBI.

The explanations and clarifications are divided into the following categories:

  1. Governance and Chief Information Security Officer (CISO) Related Guidelines
  • Bankers to an Issue (BTI) and SCSBs (Self-Certified Syndicate Banks) shall have to submit a certificate of compliance to SEBI on the cybersecurity guidelines issued by the RBI.
  • Other banks that have taken other SEBI registrations must comply with the CSCRF guidelines (as applicable).
  • A CISO whose reporting line, level, grade and standing are at least equivalent to those of the Chief Technology Officer/ Chief Information Officer, Executive Director or MD/ CEO, as per the organisational structure, will be deemed compliant.
  • A group-level CISO can be designated as the effective CISO for multiple entities within the same group.
  • REs can onboard a remote CISO, provided the CISO is dedicated to one specific organisation and is not managing more than one organisation simultaneously. No part-time CISO is allowed to be onboarded.

  2. Threshold for REs Categorisation
  • The term ‘other than stock brokers’ in the revised criteria and threshold for categorisation of Depository Participants is clarified to include Banks, NBFCs, Mutual Funds, Registrar and Transfer Agents, Financial Institutions, Custodians, Clearing Corporations, Public Financial Institutions, and State Finance Corporations.
  • The computation of trading volume for a client-based stockbroker (who is required to comply with CSCRF) is to include each trading member’s aggregate turnover (Gross level) during the financial year across Equity, Equity Derivatives, Currency Derivatives and Commodity Derivatives as follows:
    • For the Equity segment, Gross Traded Value = Buy Value + Sell Value (excluding auction trades) shall be considered.
    • For all futures contracts in Derivatives Segments, Gross Traded Value = Buy Value + Sell Value shall be considered.
    • For all option contracts in Derivatives Segments, Gross Traded Value = Buy Premium Value + Sell Premium Value shall be considered.
  • For proprietary stockbrokers, the parameter is to assess the amount of collateral/ assets placed with Clearing Corporations (CCs): more than 1000 crores for mid-size REs, more than 10 crores for small-size REs, and below 10 crores for self-certification REs.
  • The category for each RE is fixed at the beginning of the financial year based on the previous year’s data and remains unchanged during the year.

  3. Asset Inventory and Classification of Critical/ Non-Critical Systems
  • Smaller REs with limited IT setups can maintain manual IT asset inventories (e.g. using Excel) but must ensure periodic updates and compliance with SEBI CSCRF asset management requirements.
  • REs have the flexibility to use multiple tools for asset management based on feasibility and accessibility, provided they maintain accurate inventory.
  • REs must also maintain inventories for cryptographic assets in preparation for Post-Quantum Cryptography migration.

  4. Vulnerability Assessment and Penetration Testing (VAPT) and Patch Management
  • The periodicity of VAPT and cyber audit for Qualified Stock Brokers will be half-yearly, irrespective of the category in which they fall as per CSCRF.
  • All vulnerabilities identified during VAPT activity are to be closed within 3 months of submission of the VAPT report.
  • High-severity vulnerabilities due to non-implementation of patches must be fixed within 1 week.
  • Patch testing in a non-production environment is mandatory before deploying.

  5. Cyber Audit and Timelines
  • Reporting of compliances for the Framework for the adoption of cloud services is to be done as per the existing mechanism of reporting for cybersecurity audits.
  • REs should conduct a cyber audit after the end of the audit period.
  • Entities with multiple SEBI registrations must follow the compliance applicable to their highest RE category.
  • All intermediaries, irrespective of whether they are operational or not, are to comply with the provisions and requirements of CSCRF.
  • Encryption keys and key management operations must be handled within the boundaries of India. Any routing through a foreign country breaches SEBI data sovereignty expectations.
  • In the case of an RE having business in other sectors, the audit coverage is limited to SEBI-related infrastructure/ software/ applications unless the systems are interconnected.

  6. Cyber Capability Index (CCI)
  • Automated Reporting – MIIs and qualified REs must build dashboards integrated with log aggregators to enable automated compliance reporting.
  • MII shall conduct a third-party assessment (half-yearly), while qualified REs can do self-assessment on a yearly basis.
  • Partial scores (decimal values up to 2 decimal points) are allowed. If undefined values arise during calculations, the highest or lowest score (based on the formula logic) is applied.

  7. Software Bill of Materials (SBOM)
  • Scope of SBOM Requirement: Applies to all core and critical business software, whether in-house developed, third-party, legacy or SaaS applications.
  • Legacy software exceptions: If an SBOM cannot be obtained for legacy or proprietary systems, the board must formally approve the exception, together with documented risk mitigation measures.

  8. Outsourcing-related guidelines
  • Third-party accountability: REs are solely responsible for ensuring third-party vendors’ compliance with CSCRF and cloud guidelines.
  • Cloud hosting for critical applications: Allowed, but REs must conduct in-depth risk evaluations, comparative analysis and regulatory assessment before adoption.
  • REs should establish a robust cybersecurity supply chain risk management strategy.

  9. Cloud Service Providers (CSPs) and Hosted Services
  • The requirement to audit a CSP’s subcontractors is limited to material subcontractors, i.e. those whose failure would significantly impact the CSP’s ability to deliver services as per its agreement with the RE. Non-material subcontractors are excluded from this requirement.
  • REs must have robust contractual agreements with CSPs, ensuring continuous regulatory compliance.
  • In case of an empanelment lapse, REs should assess the risks and develop an action plan, which may include migration to a compliant CSP, renegotiation for compliance measures, and invoking the exit strategies mentioned in the contract.
  • REs must conduct regular audits to monitor CSPs’ adherence to security and certification requirements.
  • CSPs must provide data access during SEBI investigations.
  • REs must ensure that the CSP uses only MeitY-empanelled infrastructure for cloud services. The contract must include clauses mandating back-to-back compliance from all subcontractors and service providers.
  • REs should conduct periodic audits to confirm that no non-compliant services are used.
  • Data storage and processing must be done in data centres of MeitY-empanelled CSPs that hold valid STQC certification.
  • REs must ensure that cloud providers meet STQC certification requirements and should document compliance through contractual agreements.
  • REs can run their regulated workloads on the cloud, subject to compliance with the Framework for Adoption of Cloud Services.
  • For service providers whose data centres are outside India, REs must ensure compliance with the technical specifications for ‘Hosted Services’ under CSCRF.
  • REs may use Tier-3 servers for development or testing purposes, provided these do not contain any production data, customer data, etc.

  10. Security Testing for COTS and In-House Applications
  • Commercial Off-The-Shelf (COTS) is a software and/or hardware product commercially ready-made for sale, lease, or license to the general public. COTS and in-house developed applications must undergo either Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST).
  • These tests must be conducted by CERT-In empanelled auditing organisations, regardless of the application’s internal use or the existence of compensating controls.

  11. Log Management and Data Security and Other Protect Guidelines
  • REs must collect logs from all identified sources, including system, application, network, database, security, performance, audit trail, and event logs. These logs should be protected to maintain their integrity and confidentiality, especially when shared externally. For data in use, encryption is required as per clause 6.2.9.i.3 of the SEBI Cloud Adoption Framework and CSCRF’s PR.DS guideline. SaaS providers must offer encryption tools for data at rest, in motion, and in use, complying with MeitY’s procurement guidelines for cloud services.
  • KRAs (KYC Registration Agencies), being classified as Qualified REs under CSCRF, must use advanced automated cybersecurity tools such as BAS (Breach and Attack Simulation) and CART (Continuous Automated Red Teaming).
  • REs must adhere to the baseline security requirements for mobile applications as outlined in Standard 16 of the CSCRF’s “Identity Management, Authentication, and Access Control” section. These guidelines ensure that mobile apps meet minimum security standards, thereby protecting sensitive information and access credentials.

  12. ISO 27001 Certification
  • Third-party providers handling critical services like Primary Data Centres (PDC), Disaster Recovery (DR) sites, Near DR (NDR) sites, Security Operations Centres (SOC), and colocation facilities must be ISO 27001 certified. The certification should cover all outsourced services to ensure consistent information security management across all operational areas.

  13. Security Operations Centre (SOC) and Market-SOC (M-SOC)
  • REs with a global footprint may qualify as small-sized or self-certification REs based on their Indian market presence. Such REs can use their global SOCs but must submit periodic efficacy reports as mandated by CSCRF. Similarly, small and self-certifying REs with their own SOCs can continue using them, provided they comply with reporting requirements. For others, SEBI has directed NSE and BSE to set up a centralised Market-SOC, which REs can join to benefit from collective security resources. The onboarding process is facilitated by NSE and BSE via publicly available circulars.
  • The tools listed in Annexure-N serve as a reference for technologies used in SOCs to monitor and detect security anomalies. While not all tools are mandatory, REs are expected to evaluate these tools based on their functionalities and onboard those that suit their operational needs.
  • Affiliated entities that share services like SOCs, IT infrastructure, or data centres can rely on a common audit report to demonstrate compliance. This is allowed only if the services are implemented uniformly across entities, the report format aligns with CSCRF, and there is thorough documentation of shared responsibilities and controls. REs must ensure comprehensive coverage of all services in the shared audit documentation.
  • SEBI permits global REs to submit their global SOC efficacy reports, provided the cybersecurity controls are uniformly implemented across all locations. This approach ensures consistency while accommodating the operational models of global entities.
  • REs may supplement the prescribed SOC tools with additional technologies relevant to their business requirements. The CSCRF’s flexible format allows for such enhancements.
  • Regarding capacity utilisation, the requirement under DE.CM.Standard 4 pertains to monitoring anomalies like unusual traffic or abnormal resource usage, not just routine IT functions.

  14. Threat Intelligence

Although intelligence shared by NCIIPC and CERT-In is crucial, REs are encouraged to complement this with industry-specific threat feeds, commercial intelligence providers, and internal threat-hunting mechanisms. This layered approach would enable REs to better assess and respond to threats in their unique operational environments.

  15. DC-DR Drills
  • Scenario-based cybersecurity drills and red/blue teaming exercises serve distinct purposes. Red Teaming relates to the simulation of real threats to identify vulnerabilities in the RE’s IT environment, and the Blue Team relates to analysing such attacks and defending the RE’s IT environment from the Red Team.
  • All incident scenarios must be tested within a single audit period, and all stakeholders must be present and aware of their roles and responsibilities.
  • Drills test incident response and recovery strategies under simulated scenarios; tabletop exercises, being theoretical and focused more on discussions and walkthroughs, are not a substitute for live drills.
  • In case of disruption of any one or more of the critical systems, the RE must declare that incident as a ‘Disaster’ within 30 minutes of the incident. RTO (Recovery Time Objective) and RPO (Recovery Point Objective) must be 2 hours and 15 minutes, respectively, as recommended by IOSCO to resume critical operations.

  16. Response and Recovery
  • Qualified REs and MIIs must maintain spare hardware and up-to-date golden images in isolated environments. These provisions are critical for fast and effective disaster recovery.
  • Alternatively, cloud-based high-availability solutions may be used if they comply with all relevant SEBI frameworks.
  • To validate recovery plans, REs must conduct periodic business continuity drills simulating diverse scenarios. These drills should be followed by identifying gaps, assessing response times, and implementing improvements.

  17. Classification and Handling of Cybersecurity Incidents

Forensic audits must be conducted by third-party auditors for incidents classified as High or Critical. These audits can also be performed by government forensic labs when necessary. For incidents classified as low or medium, forensic audits are required if the Root Cause Analysis (RCA) is inconclusive or upon SEBI’s instruction. In-house forensic teams from group companies are insufficient; third-party engagement is mandatory to ensure independence and thoroughness.

Concluding Comments

The FAQs serve as a comprehensive blueprint to assist SEBI Regulated Entities in navigating the regulatory expectations under the CSCRF and the Framework for Adoption of Cloud Services. The clarifications provided address a wide range of operational, governance, technical, and audit-related queries that REs may encounter during implementation and ongoing compliance.

REs are expected to proactively assess their cybersecurity posture, strengthen internal governance, ensure data sovereignty, and manage third-party risks diligently. While technology adoption, including cloud services, is encouraged, REs must remain fully accountable for regulatory compliance, data protection, and operational resilience.

Given the evolving threat landscape and regulatory developments, it would be ideal for REs to periodically review SEBI circulars, updates, and advisories to remain aligned with the latest compliance requirements. A risk-based and governance-driven approach, coupled with continuous monitoring and timely reporting, will be critical in ensuring the security, resilience, and integrity of the market ecosystem.

Authors: Nisha Sharma and Shivi Gupta

First published by: Mondaq