Demystifying SEBI’s CSCRF

If you’ve ever stared at a SEBI circular wondering whether it’s written for lawyers, CISOs, or superhumans, you’re not alone. Let’s break it down and make it real.

SEBI, which stands for the Securities and Exchange Board of India, is a regulatory body established to oversee and regulate the Indian securities market. Its primary function is to protect the interests of investors and ensure the fair and transparent functioning of the market.

CSCRF — Why now?

SEBI, in response to the growing threat of cyberattacks, including ransomware and other sophisticated attacks, introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) to enhance cybersecurity and cyber resilience within the Indian securities market, specifically among its regulated entities. This framework aims to address the increasing cyber risks and threats faced by the financial sector, ensuring a more robust and secure environment for all participants.

In a hurry? — A 5-Step Action Plan to Get Compliant

If you are short on time, or you don’t want to get into the details, here is an action plan:

  • Run a CSCRF Gap Assessment — Know where you stand.
  • Update Policies & Get Board Buy-In — Governance starts at the top.
  • Map Controls & Collect Evidence — Align people, process, and tech.
  • Run Drills & Conduct Trainings — Prepare your people for real threats.
  • Continuously Monitor & Improve — Use dashboards and alerts to stay ahead.

If you have time though, read along to understand the “Whats?” and “Hows?”, and some “Whys” too.

Demystifying it all

CSCRF is SEBI’s way of saying:

Cyber threats are real, and we expect you — stock exchanges, clearing corporations, mutual funds, portfolio managers, AIFs, RTAs — to be ready.

Instead of broad advisories or vague checklists, CSCRF lays down specific, enforceable actions across:

  • Governance
  • Risk Management
  • Technical Controls
  • Incident Response
  • Vendor Oversight
  • Regulatory Reporting

In short: if you’re a regulated entity, CSCRF isn’t just compliance — it’s now part of how you do business.

Role-based breakdown

The Pillars of CSCRF, in Plain English

1. Governance & Oversight

  • You must have a Cybersecurity Policy approved by the Board or MD/CEO.
  • A CISO should be appointed and report regularly to senior management.
  • Set up a Cybersecurity Steering Committee for oversight.

2. Risk Assessment & Asset Inventory

Theme: You can’t secure what you don’t know.

  • Maintain a real-time inventory of systems, software, data flows.
  • Conduct risk assessments at least annually.
  • Include third-party dependencies in your analysis.

Note:

  • Maintain a risk register and a risk matrix, and update them whenever assets or vendors change.

3. Access Control & Authorization

Theme: Keep the doors locked and track who walks through them.

  • Enforce Multi-Factor Authentication (MFA), especially for privileged access.
  • Implement RBAC (Role-Based Access Control).
  • Maintain access logs for at least 2 years.

Note:

  • Review user access and entitlements regularly, and tie the reviews to employee onboarding, offboarding and role changes.
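As an added illustration (not from the post or from SEBI’s circular), the check below turns this pillar’s requirements into an automated access review: it assumes a constructed IAM export joined with HR status, a 90-day review cadence (the framework only says “regularly”), and a configured log-retention value.

```python
from datetime import date, timedelta

# Constructed sample input (not real data): an IAM export joined with HR status.
ACCOUNTS = [
    {"user": "a.rao",   "role": "admin",   "mfa": True,  "hr": "active",     "reviewed": date(2025, 1, 10)},
    {"user": "b.singh", "role": "admin",   "mfa": False, "hr": "active",     "reviewed": date(2025, 1, 10)},
    {"user": "c.das",   "role": "analyst", "mfa": True,  "hr": "terminated", "reviewed": date(2024, 6, 1)},
    {"user": "d.iyer",  "role": "analyst", "mfa": True,  "hr": "active",     "reviewed": date(2023, 9, 1)},
]
PRIVILEGED_ROLES = {"admin"}            # roles where the post says MFA matters most
REVIEW_INTERVAL = timedelta(days=90)    # assumed cadence; CSCRF only says "regularly"
MIN_LOG_RETENTION_DAYS = 730            # access logs must be kept for at least 2 years


def review_access(accounts, log_retention_days, today):
    """Return (subject, finding) pairs for anything that would fail an access review."""
    findings = []
    for acct in accounts:
        # Offboarding hook: HR says the person is gone, IAM still has an enabled account.
        if acct["hr"] != "active":
            findings.append((acct["user"], "account still enabled after offboarding"))
        # MFA is expected everywhere, but a privileged account without it is the critical gap.
        if acct["role"] in PRIVILEGED_ROLES and not acct["mfa"]:
            findings.append((acct["user"], "privileged account without MFA"))
        # Entitlement review cadence.
        if today - acct["reviewed"] > REVIEW_INTERVAL:
            findings.append((acct["user"], "entitlement review overdue"))
    # Retention is a property of the logging platform, not of any one user.
    if log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(("access-logs", "retention below the 2-year minimum"))
    return findings


def sample_review():
    """Run the check over the constructed export as of a fixed review date."""
    return review_access(ACCOUNTS, log_retention_days=365, today=date(2025, 3, 1))


if __name__ == "__main__":
    for subject, finding in sample_review():
        print(f"{subject}: {finding}")
```

Each finding maps back to an auditable artefact: the offboarding ticket, the MFA enrolment record, the review sign-off, or the log platform’s retention setting.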

4. Vulnerability Management & Patch Hygiene

Theme: Think like an attacker and patch before a real one strikes.

  • Regular Vulnerability Assessments (VA) and Penetration Tests (PT) are mandatory.
  • Apply critical patches within defined timelines.
  • Maintain a patch management policy with audit logs.

Note:

  • Keep VA and PT reports along with proof that the findings were remediated; SEBI may ask for them if a breach happens.

5. Cyber Awareness & Training

Theme: Your security tools are only as strong as the people in your organization.

  • Conduct periodic cybersecurity awareness sessions.
  • Simulate phishing attacks and share results.
  • Include third-party staff and interns in your training scope for improved effectiveness.

Note:

  • Attendance logs for these trainings are auditable artefacts.

6. Third-Party Risk Management

Theme: You are responsible for your vendors.

  • Conduct vendor due diligence before onboarding.
  • Include cyber clauses in contracts and SLAs.
  • Periodically review vendor security posture.

Note:

  • Include vendor risks in your risk register.

7. Incident Response & Reporting

Theme: Act swiftly should there be a cyber incident.

  • Maintain a tested Incident Response Plan (IRP).
  • Log incidents and actions taken.
  • Report to SEBI promptly as per circular guidelines.

Note:

  • You have just 6 hours to report critical breaches.

8. Backup & Recovery

Theme: Ransomware attacks are routine. Keep tested backups for quick recovery.

  • Document Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
  • Test your Disaster Recovery (DR) and Business Continuity (BCP) plans regularly.
  • Protect backups from tampering (offline, immutable storage).

Mistakes and Pitfalls

Finally…

Compliance is a Culture, Not a Checklist

CSCRF is not about fear. It’s about resilience. It gives you the blueprint to protect your systems, your customers, and India’s financial ecosystem, and it makes clear that cybersecurity is everyone’s responsibility.

CISOGenie can help you with CSCRF readiness. Talk to us at https://www.cisogenie.com/talk-to-us/ to understand how you can benefit by using CISOGenie — the next generation AI powered Agentic GRC platform.