SEBI CSCRF Compliance Playbook — 12-Step SOP for REs

Compliance Playbook | Fintech & Payments | 21 Apr 2026 | Status: in-force
Statutory deadline
30 June 2025 — full CSCRF compliance for entities covered by prior SEBI cyber guidelines; FY 2025-26 = first full audit cycle
TL;DR

SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), notified by circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024, requires every SEBI-regulated entity to self-classify into one of five maturity categories (MII, Qualified RE, Mid-size, Small-size, Self-certification), stand up a NIST CSF-aligned Govern/Identify/Protect/Detect/Respond/Recover control set, appoint a CISO, onboard a SOC or the NSE/BSE Market-SOC, meet 3-month VAPT closure and 1-week high-severity patch timelines, maintain a 2-hour RTO and 15-minute RPO, and submit an annual CERT-In-empanelled cyber audit. Implementation deadline was 30 June 2025 for existing cyber-framework REs; FY 2025-26 is the first full audit cycle.


TL;DR for founders

SEBI's Cybersecurity and Cyber Resilience Framework ('CSCRF') — circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024 — binds every SEBI-regulated entity. Self-classify into one of five categories (MII, Qualified RE, Mid-size, Small-size, Self-certification); appoint a dedicated CISO; stand up the six NIST CSF-aligned control families; onboard a SOC (in-house or the NSE/BSE Market-SOC); file an annual CERT-In-empanelled cyber audit; and maintain a 2-hour RTO, 15-minute RPO, 6-hour CERT-In incident clock. First-year build: 9–14 months, ₹15–40 lakh. First step: do the maturity-level self-classification using Clauses 2.1/2.2 of the 30 April 2025 Clarifications circular — every downstream obligation flows from this.

Who this playbook is for

In scope:

  • Market Infrastructure Institutions ('MIIs') — stock exchanges, clearing corporations, depositories
  • Qualified REs — Qualified Stock Brokers ('QSBs'), large mutual funds, KRAs, large depository participants, large RTAs (KRAs are statutorily categorised as Qualified REs — FAQ 56, CSCRF FAQs)
  • Mid-size REs
  • Small-size REs
  • Self-certification REs — smaller brokers, AIFs, PMS, investment advisers, research analysts
  • Banker-to-Issue (BTI) and Self-Certified Syndicate Banks ('SCSBs') submit a compliance certificate under the RBI cyber regime (FAQ 1)
  • Depository Participants that are also registered as Banks / NBFCs / Mutual Funds / RTAs / Financial Institutions / Custodians / Clearing Corporations / Public Financial Institutions / State Finance Corporations are classified as Qualified REs (Table 2, 30 April 2025 Clarifications)

Not in scope:

  • Brokers with fewer than 1,000 clients and turnover below ₹1,000 crore that do not hold any other SEBI registration are exempt under the 30 April 2025 Clarifications
  • Operations and infrastructure of a multi-licence bank that do not serve SEBI-RE activities (FAQ 8)

Fintechs serving SEBI REs (API providers, cloud service providers, KYC tech, algo platforms) are not directly regulated, but are contractually pulled into CSCRF via the third-party obligations (FAQ 38-40) — expect SOC 2, ISO 27001, SBOM and audit-right flow-downs from every RE customer.

Prerequisites

Documents needed:

  • Board / Partners / Proprietor resolution approving the Cybersecurity Policy and IT governance framework
  • Current-state IT asset inventory (can be manual Excel for lean REs — FAQ 9)
  • Data classification register (critical vs non-critical — FAQ 10, 12)
  • Existing VAPT reports (last 12 months, if any)
  • Outsourcing contracts with CSPs / SaaS providers — reviewed against Principle 7 of the SEBI Cloud Adoption Framework
  • ISO 27001 certificate (for PDC, DR, NDR, SOC, Colocation — or a gap-assessment report with closure plan)
  • Software Bill of Materials ('SBOM') for core/critical applications (FAQ 35-37)

Roles required:

  • Chief Information Security Officer ('CISO') — dedicated resource; for MIIs and Qualified REs, level/grade/standing equivalent to CTO/CIO (FAQ 2); reporting to MD/CEO or to Executive Director–Risk in banks (FAQ 2); group-level CISO permitted (FAQ 3); part-time CISO not permitted (FAQ 4)
  • IT Committee (reference Section 3, CSCRF, Page 44)
  • Board-level or Board-committee-level sponsor
  • Authorised Signatory for SEBI filings

Approvals needed:

  • Board approval of Cybersecurity Policy
  • Board approval of the list of critical systems (CSCRF: Identify: Asset Management: Standard 4)
  • Board approval of cloud / outsourcing engagements (SEBI Cloud Adoption Framework)

Step-by-step compliance process

Step 1: Maturity-level self-assessment and RE classification

What: Classify the entity into one of MII / Qualified RE / Mid-size RE / Small-size RE / Self-certification RE.

Where: Apply Section 2 of CSCRF read with Clauses 2.1 (client-based brokers) and 2.2 (proprietary brokers) of SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60 dated 30 April 2025.

How:

  1. Identify every SEBI registration the entity holds (broker, DP, MF, PMS, AIF, KRA, RTA, RA, IA, REIT, InvIT).
  2. Compute aggregate gross traded value (Buy+Sell) for FY 2024-25 across equity, equity derivative, currency derivative and commodity derivative segments.
  3. For proprietary brokers, compute collateral/assets held with Clearing Corporations: Qualified (N/A); Mid-size (>₹1,000 crore); Small-size (₹10 crore–₹1,000 crore); Self-certification (below ₹10 crore).
  4. Where multiple categories could apply, the highest category prevails (Section 2, Point 23, CSCRF).
  5. Freeze the classification at the start of the financial year and retain for the whole FY irrespective of mid-year changes (FAQ 7).

Templates: Annex A (Classification Memorandum) — attach the gross-traded-value computation with NSE/BSE trade-member statements.

Common mistakes: Reclassifying downward mid-year after a revenue dip (not permitted); ignoring group affiliations; treating KRAs as Mid-size — KRAs are statutorily Qualified REs (FAQ 56).

Step 2: Board-level Cybersecurity Policy and IT Committee formation

What: Adopt a written Cybersecurity Policy covering Govern/Identify/Protect/Detect/Respond/Recover and approve the IT Committee composition.

Where: Board meeting; minute the resolution. Policy text aligned with CSCRF Section 3 ('IT Committee for REs', Page 44).

How: Draft a Cybersecurity Policy that cross-references (a) the six NIST CSF-aligned functions, (b) the cyber resiliency goals (Anticipate, Withstand, Contain, Recover, Evolve), (c) the RE's maturity classification, (d) CERT-In Directions 2022. Present to Board; obtain resolution authorising CISO appointment and initial budget. Constitute an IT Committee with named members.

Common mistakes: Policy that copies the CSCRF text without customisation for the RE's actual IT estate; an IT Committee drawn only from IT (the committee should include Risk, Legal and Business members alongside IT).

Step 3: CISO appointment and reporting line

What: Appoint a dedicated, full-time CISO — or a group-level CISO if within a corporate group.

Where: Board meeting; intimate SEBI via routine-compliance channel.

How: For MIIs and Qualified REs, the CISO's level/grade/standing must be at least CTO/CIO equivalent (FAQ 2). Reporting to MD/CEO for MIIs/Qualified REs; reporting to ED–Risk acceptable for banks with SEBI registrations (FAQ 2). The CISO must be dedicated to this organisation — a remote CISO is permitted if dedicated to this one entity only (FAQ 4). A group-level CISO serving multiple group entities is expressly allowed (FAQ 3).

Common mistakes: Engaging a CISO-as-a-service vendor whose personnel serves five unrelated REs — expressly prohibited by FAQ 4; silence on the reporting line in the Board resolution.

Step 4: Asset and data inventory; critical/non-critical classification

What: Stand up an IT asset inventory (hardware, software, APIs, digital assets) and a data-classification register.

Where: ITSM tool (multiple tools permitted — FAQ 11) or manual Excel for lean REs (FAQ 9).

How: Identify every asset that processes, stores or transmits RE data. Apply the 'Critical Systems' definition in CSCRF Definitions. Non-critical systems include internet-facing tools like survey forms or loan calculators even if connected to critical systems (FAQ 10, 12). Obtain Board/Partners/Proprietor approval of the critical-systems list (CSCRF: Identify: Asset Management: Standard 4). Maintain a cryptographic-asset inventory to prepare for Post-Quantum Cryptography migration (FAQ 13).

Templates: Annex B (Critical Systems Register).

Common mistakes: Missing cryptographic-asset inventory; classifying every internet-facing system as critical; no PQC-migration plan.
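The cryptographic-asset inventory that FAQ 13 asks for is easier to keep current if it is generated from the estate rather than typed into a register. The following is an added example, not SEBI or CSCRF material and not code from any RE: it parses the OpenSSH public-key wire format (length-prefixed strings and mpints) from authorized_keys-style lines, records algorithm and key size, and assigns a migration priority. The priority labels ("replace now", "schedule", "investigate") and the rule that RSA below 2048 bits and DSA are replaced first are this example's own assumptions; the sample lines are constructed from deterministic made-up key material and are not real keys.

```python
"""Cryptographic-asset inventory over OpenSSH public keys (added example).

Every algorithm recognised here (RSA, DSA, ECDSA, Ed25519) is broken by a
cryptographically relevant quantum computer, so all are recorded as
PQ-vulnerable; the priority field separates what is weak today from what
only needs a place in the PQC migration plan. Priority labels are assumptions.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List


def _ssh_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' for a non-negative integer (leading 0x00 if the top bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


class _Reader:
    """Sequential, bounds-checked reader for SSH strings and mpints."""

    def __init__(self, blob: bytes):
        self.blob, self.pos = blob, 0

    def string(self) -> bytes:
        if self.pos + 4 > len(self.blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", self.blob[self.pos:self.pos + 4])
        self.pos += 4
        if self.pos + n > len(self.blob):
            raise ValueError("truncated string")
        out = self.blob[self.pos:self.pos + n]
        self.pos += n
        return out

    def mpint(self) -> int:
        return int.from_bytes(self.string(), "big", signed=True)


@dataclass
class CryptoAsset:
    source: str          # file / host / service the key was found in
    algorithm: str
    key_bits: int
    pq_vulnerable: bool
    priority: str        # "replace now" | "schedule" | "investigate" (assumed labels)
    note: str = ""


def classify_openssh_key(line: str, source: str = "authorized_keys") -> CryptoAsset:
    """Classify one authorized_keys-style line: '<type> <base64 blob> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        return CryptoAsset(source, "unparseable", 0, False, "investigate", "missing key blob")
    key_type, b64 = parts[0], parts[1]
    try:
        r = _Reader(base64.b64decode(b64, validate=True))
        wire_type = r.string().decode("ascii")
        if wire_type != key_type:
            raise ValueError("key-type field does not match blob")
        if wire_type == "ssh-rsa":
            r.mpint()                       # public exponent e, not needed for sizing
            bits = r.mpint().bit_length()   # modulus n
            prio = "replace now" if bits < 2048 else "schedule"
            return CryptoAsset(source, "RSA", bits, True, prio)
        if wire_type == "ssh-dss":
            return CryptoAsset(source, "DSA", r.mpint().bit_length(), True,
                               "replace now", "DSA is disabled by default in modern OpenSSH")
        if wire_type.startswith("ecdsa-sha2-"):
            curve = r.string().decode("ascii")
            bits = {"nistp256": 256, "nistp384": 384, "nistp521": 521}.get(curve, 0)
            return CryptoAsset(source, "ECDSA/" + curve, bits, True, "schedule")
        if wire_type == "ssh-ed25519":
            return CryptoAsset(source, "Ed25519", len(r.string()) * 8, True, "schedule")
        return CryptoAsset(source, wire_type, 0, True, "investigate", "unrecognised key type")
    except (ValueError, UnicodeDecodeError) as exc:
        return CryptoAsset(source, "unparseable", 0, False, "investigate", str(exc))


def build_inventory(lines: List[str], source: str = "authorized_keys") -> List[CryptoAsset]:
    return [classify_openssh_key(l, source) for l in lines
            if l.strip() and not l.lstrip().startswith("#")]


def migration_summary(assets: List[CryptoAsset]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in assets:
        counts[a.priority] = counts.get(a.priority, 0) + 1
    return counts


def constructed_sample_lines() -> List[str]:
    """Constructed authorized_keys content from hashed seeds: not real keys."""
    def rsa_line(seed: bytes, bits: int, comment: str) -> str:
        digest = hashlib.sha512(seed).digest()
        n = int.from_bytes((digest * (bits // 512))[: bits // 8], "big") | (1 << (bits - 1)) | 1
        blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
        return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
    ed = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(b"ed").digest())
    point = b"\x04" + hashlib.sha256(b"x").digest() + hashlib.sha256(b"y").digest()
    ec = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(point)
    return [
        "# constructed authorized_keys for the inventory demo",
        rsa_line(b"svc-oms", 2048, "svc-oms@prod"),
        rsa_line(b"legacy", 1024, "legacy-batch@dr"),
        "ssh-ed25519 %s admin@bastion" % base64.b64encode(ed).decode(),
        "ecdsa-sha2-nistp256 %s ci@build" % base64.b64encode(ec).decode(),
        "ssh-rsa not-base64!! broken@host",
    ]


if __name__ == "__main__":
    for asset in build_inventory(constructed_sample_lines()):
        print(asset)
    print(migration_summary(build_inventory(constructed_sample_lines())))
```

Run over real authorized_keys, known_hosts and CI secret stores, the same loop yields the register rows; TLS certificates and HSM keys need their own parsers but the same three columns (algorithm, size, priority).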

Step 5: Implement controls across NIST CSF functions

What: Implement the CSCRF control catalogue across Govern / Identify / Protect / Detect / Respond / Recover.

Where: Part II of CSCRF (standard-by-standard mapping).

How: Prioritise:

  • Protect: patch management — high-severity patches within 1 week (PR.MA.S3); data security — encryption at rest, in motion and in use (Protect: Data Security Standard 1-3, Page 105); access control (PR.AA standards); log management (all system/application/network/database/security/performance/audit-trail/event logs — FAQ 54).
  • Detect: continuous monitoring per DE.CM; capacity-utilisation monitoring (DE.CM.S4 — FAQ 66).
  • Respond and Recover: Incident classification per CSCRF Annexure-O; disaster declaration within 30 minutes of a critical-system disruption; RTO 2 hours; RPO 15 minutes (FAQ 71).

Templates: Annex C (Patch-Management SLA template).

Common mistakes: Treating RTO/RPO as aspirational rather than contractual for CSPs; missing the 1-week patch-closure clock on high-severity items.

Step 6: Cyber Crisis Management Plan ('CCMP')

What: Document the CCMP covering scenario-based drills, DC-DR drills and live exercises.

Where: CSCRF: Governance: Risk Management: Standard 3; Recover: Incident Recovery Plan Execution.

How: Write the CCMP with (a) an incident-classification matrix mapped to Annexure-O, (b) roles of CISO, IT Committee, Board, External Affairs, Legal, (c) a scenario-based drill calendar (ransomware, DDoS, data exfiltration, insider threat, CSP outage, third-party compromise), (d) a DC-DR drill schedule — live drills are mandatory; table-top exercises are not a substitute (FAQ 70), (e) post-drill RCA protocol. All scenarios must be covered within one audit period (FAQ 69).

Templates: Annex D (CCMP Table of Contents — see Section 6 of this playbook).

Common mistakes: Substituting table-top walkthroughs for live drills; CCMP that does not identify Board-reporting timelines.

Step 7: Security Operations Centre ('SOC') — in-house, group or Market-SOC

What: Establish SOC coverage.

Where: In-house SOC; group SOC; or the NSE/BSE Market-SOC ('M-SOC') for smaller REs.

How:

  • MIIs and Qualified REs: in-house SOC typically; group SOC permitted for globally-present REs (FAQ 64).
  • Small-size REs and Self-certification REs: onboard the M-SOC run by NSE and BSE (FAQ 61). Enrolment facilitated by NSE and BSE. REs with an existing own SOC may continue to use it but must submit a periodic SOC-efficacy report (FAQ 60).
  • SOC tooling list in CSCRF Annexure-N; DAM, EDR, SIEM, etc. — RE evaluates before onboarding (FAQ 62).

Templates: Annex E (SOC-efficacy reporting template, built on the Table 27 CCI parameters).

Common mistakes: Onboarding M-SOC without a contractual carve-out of CSP-managed workloads; no SOC-efficacy measurement.

Step 8: VAPT and patch management

What: Run Vulnerability Assessment and Penetration Testing ('VAPT') on the specified cadence and close findings within the prescribed timelines.

Where: CSCRF Section 4.3; Table 19; PR.MA.S3 (Page 116-117).

How:

  • QSBs: half-yearly VAPT and half-yearly cyber audit (FAQ 14)
  • Other REs: per CSCRF Section 4.3 table
  • High-severity vulnerabilities caused by unpatched systems: close within 1 week (FAQ 17(a))
  • Other vulnerabilities: close within 3 months of VAPT report submission (FAQ 15, 17(b))
  • Patches must be tested in a non-production environment before production / DR rollout (FAQ 19)
  • Virtual patching is permitted where OEM patches have long lead times, subject to IT Committee confirmation (FAQ 15)

Templates: Annex F (VAPT finding-closure register — CSCRF Annexure-A format).

Common mistakes: Missing the 1-week high-severity clock; deploying patches to DR without testing; no SLA with third-party providers on finding closure (FAQ 15).
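The two closure clocks in Step 8 are easy to track if the VAPT finding register is machine-readable. The following is an added example, not CSCRF material and not any RE's tooling: it evaluates a constructed CSV register against the 1-week clock for High/Critical findings caused by unpatched systems and the 3-month clock for everything else, and refuses to count a virtual patch as closure unless the IT Committee has confirmed it (FAQ 15). Assumptions are that both clocks start on the VAPT report-submission date, that "3 months" means three calendar months, and that Critical is treated like High; the column names and finding IDs are made up.

```python
"""VAPT finding-closure SLA tracker (added example; assumptions noted inline)."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

HIGH_SLA_DAYS = 7       # 1 week, High/Critical findings caused by unpatched systems (FAQ 17(a))
OTHER_SLA_MONTHS = 3    # 3 months from VAPT report submission for other findings (FAQ 15, 17(b))

# Constructed register; column layout and IDs are this example's own.
SAMPLE_REGISTER = """finding_id,severity,cause,reported,closed,closure_type,it_committee_confirmed
VAPT-25H1-001,High,unpatched,2025-10-06,2025-10-10,patch,
VAPT-25H1-002,High,unpatched,2025-10-06,2025-10-20,patch,
VAPT-25H1-003,High,config,2025-10-06,,config-change,
VAPT-25H1-004,Medium,unpatched,2025-10-06,2025-11-15,patch,
VAPT-25H1-005,Critical,unpatched,2025-10-06,2025-10-11,virtual-patch,yes
VAPT-25H1-006,High,unpatched,2025-10-06,2025-10-09,virtual-patch,no
VAPT-25H1-007,Low,code,2025-10-06,,code-fix,
"""


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; 30 Nov + 3 months clamps to 28/29 Feb."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class FindingStatus:
    finding_id: str
    severity: str
    deadline: date
    status: str     # closed_on_time | closed_late | open_within_sla | open_breached
    note: str = ""


def sla_deadline(severity: str, cause: str, reported: date) -> date:
    """Assumption: the clock starts on the VAPT report-submission date."""
    if severity in ("Critical", "High") and cause == "unpatched":
        return reported + timedelta(days=HIGH_SLA_DAYS)
    return add_months(reported, OTHER_SLA_MONTHS)


def effective_closure(row: Dict[str, str]) -> Tuple[Optional[date], str]:
    """A virtual patch only counts as closure with IT Committee confirmation (FAQ 15)."""
    if not row["closed"]:
        return None, ""
    if row["closure_type"] == "virtual-patch" and row["it_committee_confirmed"].strip().lower() != "yes":
        return None, "virtual patch without IT Committee confirmation is not closure (FAQ 15)"
    return date.fromisoformat(row["closed"]), ""


def evaluate_register(csv_text: str, as_of: date) -> List[FindingStatus]:
    out: List[FindingStatus] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reported = date.fromisoformat(row["reported"])
        deadline = sla_deadline(row["severity"], row["cause"], reported)
        closed, note = effective_closure(row)
        if closed is not None:
            status = "closed_on_time" if closed <= deadline else "closed_late"
        else:
            status = "open_within_sla" if as_of <= deadline else "open_breached"
        out.append(FindingStatus(row["finding_id"], row["severity"], deadline, status, note))
    return out


def sla_summary(statuses: List[FindingStatus]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for s in statuses:
        counts[s.status] = counts.get(s.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate_register(SAMPLE_REGISTER, date(2025, 12, 1))
    for r in results:
        print(r.finding_id, r.severity, r.deadline, r.status, r.note)
    print(sla_summary(results))
```

Finding 006 is the case auditors look for: the register says "closed" on day 3, but the virtual patch was never confirmed by the IT Committee, so the tracker reports it as breached rather than closed.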

Step 9: Cyber incident reporting — parallel SEBI + CERT-In

What: Report cyber incidents to SEBI under CSCRF Annexure-O AND to CERT-In under Section 70B(6) IT Act.

Where: CSCRF Annexure-O (Classification and Handling); Direction No. (ii) CERT-In Directions dated 28 April 2022.

How:

  1. Classify the incident as Low / Medium / High / Critical per Annexure-O.
  2. Notify CERT-In within 6 hours of noticing the incident via the CERT-In Incident Reporting Form.
  3. Notify SEBI on the Annexure-O timelines for the applicable category (typically immediate for High/Critical; next reporting cycle for Low/Medium).
  4. For High / Critical incidents, engage a third-party forensic auditor and submit the forensic report (FAQ 76). Indian government forensic labs may be engaged where required. In-house / group-company forensic auditors are not permissible for mandated forensic audits (FAQ 75).
  5. Where the incident is also a personal-data breach, notify the Data Protection Board of India within 72 hours under Rule 7 DPDP Rules 2025 — all three regimes run in parallel.

Templates: Annex G (SEBI Incident Report skeleton — see Section 6).

Common mistakes: Reporting only to CERT-In and missing the CSCRF Annexure-O flow; using a group-company in-house auditor for High/Critical forensics; ignoring the DPDP 72-hour clock.

Step 10: Third-party / outsourcing / cloud due diligence

What: Due diligence on every CSP, SaaS, managed-service provider, and data-centre vendor.

Where: CSCRF GV.SC (Cybersecurity Supply Chain Risk Management); SEBI Cloud Adoption Framework, 2023; SEBI Outsourcing Circulars (13 Sep 2017, 9 Dec 2015, 15 Dec 2011).

How:

  • CSP must be MeitY-empanelled and hold STQC certification or equivalent (FAQ 48, 50).
  • Encryption keys and key-management operations must be handled within India; BYOK recommended (FAQ 26). Data-localisation guidelines under active SEBI consultation.
  • SBOM for every core / critical software (in-house or third-party) (FAQ 35-37); Board-approved exception for legacy systems where SBOM is unavailable (FAQ 37).
  • Contract must include: audit rights for RE and SEBI; back-to-back compliance by subcontractors (FAQ 47); escalation for forensic-evidence sharing (FAQ 46); exit strategy on MeitY empanelment lapse (FAQ 45).
  • Source code for critical applications developed for RE's sole use must be obtained; else source-code escrow (FAQ 41).
  • Outsourcing does not dilute RE accountability — RE remains solely accountable for any third-party breach (FAQ 38, 39).

Templates: Annex H (CSP contract schedule — mandatory CSCRF clauses).

Common mistakes: CSP "India region" where key management routes through a foreign country (FAQ 26 — violates data-sovereignty expectation); no exit strategy for MeitY-empanelment lapse; over-broad reliance on "certified CSP" without verifying availability-zone-level STQC (FAQ 48).
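An SBOM that a vendor hands over under the Step 10 flow-down is only useful if it is complete enough to act on. The following is an added example, not CSCRF material and not any vendor's tooling: it checks a CycloneDX JSON BOM against the NTIA "minimum elements" (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp), which is this example's chosen completeness bar rather than one the page prescribes. The sample BOM is constructed, with the component names, bom-refs and package URLs made up for the demo.

```python
"""CycloneDX SBOM completeness check against the NTIA minimum elements (added example)."""
import json
from typing import Any, Dict, List

# Constructed CycloneDX 1.5 BOM; one component is incomplete, one is missing
# from the dependency graph, and the graph references a component not listed.
CONSTRUCTED_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "timestamp": "2025-09-01T09:00:00Z",
        "authors": [{"name": "vendor-appsec (constructed)"}],
        "component": {"type": "application", "bom-ref": "app:oms",
                      "name": "order-mgmt", "version": "4.2.0"},
    },
    "components": [
        {"type": "library",
         "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "name": "log4j-core", "version": "2.17.1",
         "supplier": {"name": "Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "bom-ref": "lib:vendor-auth", "name": "vendor-auth-sdk"},
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21",
         "name": "lodash", "version": "4.17.21",
         "supplier": {"name": "lodash maintainers"}, "purl": "pkg:npm/lodash@4.17.21"},
    ],
    "dependencies": [
        {"ref": "app:oms", "dependsOn": [
            "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
            "lib:vendor-auth",
            "pkg:npm/left-pad@1.3.0",
        ]},
    ],
})


def _component_gaps(c: Dict[str, Any]) -> List[str]:
    """NTIA per-component elements: name, version, supplier, a unique identifier."""
    gaps = []
    if not c.get("name"):
        gaps.append("name")
    if not c.get("version"):
        gaps.append("version")
    if not (c.get("supplier") or {}).get("name"):
        gaps.append("supplier")
    if not (c.get("purl") or c.get("cpe") or c.get("swid")):
        gaps.append("identifier")
    return gaps


def check_sbom(sbom: Dict[str, Any]) -> Dict[str, Any]:
    """Return {'complete': bool, 'findings': [...], 'component_count': n}."""
    findings: List[str] = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("document: not a CycloneDX BOM")
    meta = sbom.get("metadata") or {}
    if not meta.get("timestamp"):
        findings.append("metadata: timestamp missing")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: SBOM author missing")
    components = sbom.get("components") or []
    if not components:
        findings.append("components: none listed")
    for c in components:
        gaps = _component_gaps(c)
        if gaps:
            label = c.get("name") or c.get("bom-ref") or "?"
            findings.append("component %s: missing %s" % (label, ", ".join(gaps)))
    # Dependency relationship: every listed component must appear in the graph,
    # and the graph must not reference components the BOM does not describe.
    refs = {c.get("bom-ref") for c in components if c.get("bom-ref")}
    deps = sbom.get("dependencies") or []
    if not deps:
        findings.append("dependencies: relationship graph missing")
    in_graph = set()
    for d in deps:
        in_graph.add(d.get("ref"))
        in_graph.update(d.get("dependsOn") or [])
    root_ref = (meta.get("component") or {}).get("bom-ref")
    for ref in sorted(refs - in_graph):
        findings.append("dependencies: component %s not present in dependency graph" % ref)
    for ref in sorted(r for r in in_graph - refs if r and r != root_ref):
        findings.append("dependencies: dangling reference %s" % ref)
    return {"complete": not findings, "findings": findings, "component_count": len(components)}


def check_sbom_json(text: str) -> Dict[str, Any]:
    return check_sbom(json.loads(text))


if __name__ == "__main__":
    for line in check_sbom_json(CONSTRUCTED_SBOM_JSON)["findings"]:
        print(line)
```

A BOM that fails this check cannot support the Board-approved exception process in FAQ 37 either, because there is no way to say which components the exception covers; send it back to the vendor before it enters the SBOM register.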

Step 11: Cyber audit and assurance

What: Annual (or half-yearly, for QSBs) cyber audit by a CERT-In-empanelled IS auditor, covering all CSCRF controls.

Where: CSCRF Section 4.4; Table 21 (periodicity); Table 23 (reporting authority).

How:

  • Select a CERT-In-empanelled auditor that has not provided consulting to the RE in the preceding two years (CSCRF Annexure-D — FAQ 29).
  • Scope: only RE's SEBI-regulated IT estate, provided it is properly segregated; connected ancillary systems are also in scope (FAQ 27).
  • DAST/SAST on COTS and in-house applications to be done by the CERT-In-empanelled auditor (FAQ 53).
  • Tools: licensed or open-source permissible provided terms of use permit commercial audit (FAQ 28).
  • Audit period runs on financial year (FAQ 20). FY 2025-26 audit starts after March 2026 (FAQ 22).
  • Submit audit report to the reporting authority identified in Table 23 alongside all standards compliance (FAQ 34).
  • Affiliated entities sharing SOC/IT/DC may file a common audit report provided the conditions in FAQ 63 are met.

Templates: Annex I (Auditor engagement letter; scope-of-work template).

Common mistakes: Engaging an auditor who consulted on the CSCRF gap assessment in the last two years; restricting audit scope and missing connected ancillary systems; engaging the auditor too late to complete the audit by the Table 23 submission date (the audit itself can only start once the audit period has ended, FAQ 22).

Step 12: Cyber Capability Index ('CCI'); governance dashboard; annual recertification

What: CCI assessment per 23 weighted parameters in CSCRF Annexure-K and Table 27; build an automated dashboard integrated with a log aggregator.

Where: CSCRF Governance: Oversight (GV.OV) Standard 4; Annexure-K.

How:

  • MIIs: third-party CCI assessment half-yearly (FAQ 31).
  • Qualified REs: CCI self-assessment yearly (FAQ 31).
  • Decimals permitted up to two places; undefined values default to max or min depending on parameter (FAQ 32).
  • Partial scoring is allowed proportional to achievement (FAQ 33).
  • Automated dashboard preferably integrated with log aggregator — itself a CCI parameter (FAQ 30).
  • Submit CCI outcome with the annual cyber audit report.
  • Feed CCI gaps into the next year's CISO work-plan; recertify annually.

Templates: Annex J (CCI Scoring Worksheet — Table 27 parameters).

Common mistakes: Treating CCI as a one-time exercise rather than a half-yearly / yearly cadence; scoring undefined-value parameters at zero when the formula permits maximum marks (FAQ 32(ii)).

Timeline

| Milestone | Statutory deadline | Realistic timeline |
|---|---|---|
| RE classification + Board-approved Cybersecurity Policy | 30 June 2025 (or registration + 3 months for new REs) | Weeks 1–4 |
| CISO appointment | 30 June 2025 (MIIs / Qualified REs) | Weeks 2–8 |
| Asset inventory + critical-systems list (Board approved) | Continuous from 30 June 2025 | Weeks 4–12 |
| SBOM for critical / core software | Continuous | Weeks 6–16 |
| SOC / M-SOC onboarding | 30 June 2025 (existing cyber-framework REs); FY 2025-26 for new entrants | Weeks 8–20 |
| CCMP with drill calendar | FY 2025-26 | Weeks 10–18 |
| VAPT baseline | Per CSCRF Section 4.3 | Weeks 10–22 |
| Cloud / outsourcing contract remediation | FY 2025-26 | Weeks 12–26 |
| First cyber audit (FY 2025-26) | Starts after March 2026 (FAQ 22) | April 2026 – September 2026 |
| CCI first cycle | Half-yearly (MII) / yearly (QRE) | Parallel to audit |
| Audit submission to SEBI | Per Table 23 CSCRF | By 30 September 2026 |

Template clauses

Cyber Crisis Management Plan — Table of Contents (Annex D)

1. Purpose and scope
2. Definitions (aligned with CSCRF Annexure-O incident classifications)
3. Governance
   3.1 CISO responsibilities
   3.2 IT Committee trigger thresholds
   3.3 Board notification triggers (High / Critical incidents)
4. Incident classification matrix
   4.1 Low, Medium, High, Critical
   4.2 Mapping to CERT-In Incident Categories
   4.3 Mapping to DPDP personal-data breach definition (Section 2(u) DPDP Act)
5. Response protocol
   5.1 Detect
   5.2 Contain (including isolation of golden-image systems — RC.RP.S1)
   5.3 Eradicate
   5.4 Recover (RTO 2h, RPO 15m; Disaster declaration within 30 minutes)
6. Communications
   6.1 Internal (CISO → IT Committee → Board)
   6.2 External (CERT-In — 6 hours; SEBI — Annexure-O; DPDP Board — 72 hours; customers per contractual SLAs)
   6.3 Public (press statement template; investor communication)
7. Forensic protocol (CERT-In-empanelled third-party)
8. Post-incident review (RCA, lessons-learned, control updates)
9. Drill calendar (scenario-based; DC-DR; live — not table-top)
10. Annexures: incident-report templates, contact matrix, vendor escalation tree

SEBI Incident Report skeleton (Annex G)

## Incident Report — [Incident ID] — [Date of Detection]
1. Reporting RE: [Name, SEBI registration(s), CSCRF category]
2. Incident classification: [Low / Medium / High / Critical] — per CSCRF Annexure-O
3. Detection time (IST) | Containment time (IST) | Restoration time (IST)
4. Summary (5–7 sentences): what happened, systems affected, data affected, business impact
5. Root Cause Analysis summary (attach full RCA if High/Critical)
6. CERT-In Incident Reference Number (reported within 6 hours)
7. Forensic Auditor (for H/C) — CERT-In empanelment ID; date of engagement
8. Personal-data breach? Y/N. If Y: DPDP Board reference (Rule 7 DPDP Rules, 2025)
9. Impact on RTO/RPO achievement
10. Immediate remedial actions taken
11. Long-term remediation plan with target dates
12. Attached: CCMP invocation log, communications timeline, forensic interim report
Signed: CISO | Countersigned: MD/CEO

Internal audit checklist

  • RE classification memorandum Board-approved, frozen for the FY
  • Cybersecurity Policy Board-approved and version-controlled
  • CISO appointment letter; reporting line matches FAQ 2 for the RE category
  • IT Committee minutes for the last 12 months
  • Critical systems list Board-approved (Identify: Asset Management: Standard 4)
  • SBOM register for core / critical software; Board approval for legacy-system exceptions (FAQ 37)
  • Cryptographic-asset inventory with PQC-migration prioritisation (FAQ 13)
  • Patch-management log showing high-severity closures within 1 week
  • VAPT report with closure-status column (3-month SLA)
  • SOC-efficacy report (periodic) — own SOC, group SOC, or M-SOC
  • DC-DR drill log with live-drill evidence (not table-top — FAQ 70)
  • Scenario-based cybersecurity drills covering all scenarios in one audit period (FAQ 69)
  • CSP contracts — MeitY empanelment + STQC + back-to-back subcontractor clauses
  • CCI worksheet with decimal handling per FAQ 32
  • CERT-In-empanelled auditor engagement letter; no conflict in preceding two years
  • Forensic audit reports on file for every High / Critical incident

What if things go wrong

Failure 1 — SEBI adjudication for non-compliant audit submission

  • Symptom: SEBI show-cause notice under Section 15HB of the Securities and Exchange Board of India Act, 1992 ('SEBI Act').
  • Likely cause: Cyber audit filed late, or by a non-empanelled auditor, or with scope-limitation on ancillary systems.
  • Action: File a comprehensive supplementary audit by a CERT-In-empanelled auditor within 60 days; submit a remediation plan to SEBI with Board-level ownership; seek settlement under Section 15JB SEBI Act if adjudication proceeds.

Failure 2 — Missed CERT-In 6-hour clock on a High incident

  • Symptom: Parallel proceedings under Section 70B(7) IT Act (imprisonment up to 1 year, a fine up to ₹1 lakh, or both).
  • Likely cause: Classification error — RE treats the incident as Medium; or CISO not informed for 8+ hours.
  • Action: File the CERT-In report immediately with a timestamp-explanation annexure; update the CCMP to route anomaly alerts directly to CISO on-call; brief the Board within 48 hours; prepare a voluntary disclosure to SEBI to pre-empt an adjudication proceeding.

Failure 3 — Personal-data breach during cyber incident

  • Symptom: DPDP Board show-cause under Section 33 of the DPDP Act (penalty up to ₹250 crore for significant breach).
  • Likely cause: No joint DPDP + CSCRF incident playbook; Data Protection Officer not engaged.
  • Action: File Rule 7 DPDP Rules 2025 notification to the DPDP Board within 72 hours AND CERT-In within 6 hours AND SEBI Annexure-O — all three in parallel. Engage CERT-In-empanelled forensic auditor. Brief affected Data Principals per Rule 7 content requirements.

Failure 4 — CSP MeitY-empanelment lapse mid-contract

  • Symptom: Continued use of a CSP that has lost MeitY empanelment.
  • Likely cause: No contract clause on empanelment, or no active monitoring.
  • Action: Invoke the exit clause or migrate workloads to a compliant CSP; run a risk assessment and implement compensating controls; disclose to SEBI in the next compliance cycle (FAQ 45).

Failure 5 — Non-compliance with Data-Sovereignty expectation

  • Symptom: Cloud provider's key-management operations routed through a foreign country.
  • Likely cause: Default CSP configuration; no Bring-Your-Own-Key ('BYOK') implementation.
  • Action: Transition to BYOK; audit key-management architecture; update CSP contract schedule (FAQ 26); retain forensic record of all prior key-operations until the Data-Localisation Rules (under active SEBI consultation) are finalised.

Founder checklist

  • Freeze RE classification within 30 days of FY start using FY-end data; attach computation memo to Board minutes.
  • Hire or retain a dedicated CISO; reject CISO models shared part-time across firms (prohibited by FAQ 4).
  • Onboard the NSE/BSE Market-SOC if you fall under Small-size or Self-certification — it is materially cheaper than standing up an in-house SOC.
  • Calendar the three parallel incident clocks — CERT-In 6 hours, SEBI Annexure-O, DPDP Board 72 hours — and run a joint tabletop annually.
  • Budget for year-one build at ₹15–40 lakh and annual run-rate at ₹8–25 lakh; if a vendor pitches sub-₹5 lakh "full CSCRF", the scope is almost certainly deficient.

FAQ

Which CSCRF maturity category applies to our entity?

Categorisation is frozen at the beginning of each financial year based on the previous FY's data (FAQ 7, SEBI CSCRF FAQs, 11 June 2025). Client-based stockbrokers use the turnover/client thresholds in SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60 dated 30 April 2025; proprietary brokers use collateral/asset thresholds (Qualified: N/A; Mid-size: >₹1,000 crore; Small-size: ₹10 crore–₹1,000 crore; Self-certification: below ₹10 crore). Where an RE holds multiple SEBI registrations, the highest applicable category prevails (Section 2, Point 23, CSCRF).

Is MSSP or M-SOC outsourcing allowed?

Yes. Small-size and Self-certification REs can onboard the Market-SOC operated by NSE and BSE (FAQ 59–61). Qualified REs and MIIs typically run in-house SOCs; a group SOC is permissible for globally-present REs provided a SOC-efficacy report is filed periodically (FAQ 64). MSSP outsourcing is permitted but the RE remains solely accountable for confidentiality, integrity and availability (FAQ 38). Contracts must demarcate CSP vs RE responsibilities for patch closure (FAQ 18).

How does CSCRF overlap with the CERT-In 6-hour incident-reporting rule?

CSCRF incident reporting and CERT-In Direction No. (ii) dated 28 April 2022 are parallel, independent regimes; both must be complied with. A reportable cyber incident must be notified to CERT-In within 6 hours of noticing the incident (Section 70B(6) IT Act) and to SEBI under CSCRF Annexure-O on the timelines specified there. For High / Critical incidents, a third-party forensic audit is mandatory (FAQ 76); in-house or group-company auditors are not permissible (FAQ 75).

How does CSCRF intersect with the DPDP Act, 2023?

A personal-data breach at a SEBI RE triggers Rule 7 of the Digital Personal Data Protection Rules, 2025 (notification to the Data Protection Board of India within 72 hours) AND CERT-In 6-hour reporting AND the CSCRF Annexure-O flow. Penalties can stack: up to ₹250 crore under Section 33 of the Digital Personal Data Protection Act, 2023, plus SEBI Section 15HB adjudication (up to ₹1 crore), plus CERT-In Section 70B(7) IT Act exposure. Encryption keys and key-management operations must be handled within India (FAQ 26).

What is the cyber-audit frequency?

Qualified Stock Brokers audit half-yearly irrespective of CSCRF category (FAQ 14). For other REs, cyber-audit periodicity is prescribed in Table 21 of CSCRF — typically annual for Qualified REs / Mid-size REs and lighter for Small-size / Self-certification. The audit period runs on financial year (FAQ 20); for FY 2025-26 the audit commences after March 2026 (FAQ 22). Auditors must be CERT-In-empanelled information-systems auditing organisations and must not have consulted for the RE in the preceding two years (Annexure-D; FAQ 29).

Sources

Primary source

Title: Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities
Issuer: Securities and Exchange Board of India
Effective: 2024-08-20
Circular: SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113


Prerequisites

  • Board / partner / proprietor approval of Cybersecurity Policy and IT governance structure
  • CISO appointment (dedicated, not shared across entities; group-level CISO permitted within a group)
  • Budget sanction of ₹15–40 lakh for Year 1 build
  • Selection of CERT-In-empanelled information-systems auditor
  • Current-state gap assessment mapped to the NIST CSF Govern/Identify/Protect/Detect/Respond/Recover functions

Sanctions for non-compliance

SEBI can issue directions under Section 11 / 11B of the SEBI Act, 1992, including monetary penalty under Section 15HB (up to ₹1 crore), adjudication proceedings, restriction on registration renewal, and in serious cases cancellation of registration; parallel 6-hour CERT-In reporting obligation under Direction No. (ii) CERT-In Directions 2022 (Section 70B(7) IT Act: imprisonment up to 1 year, a fine up to ₹1 lakh, or both); DPDP Act, 2023 penalty of up to ₹250 crore under Section 33 for a significant personal-data breach
