
SEBI CSCRF Audit: Stock Broker Field Guide

SEBI Cybersecurity and Cyber Resilience Framework field guide for Indian stock brokers, AMCs, and depository participants — Bangalore audit readiness and CSCRF implementation.

API4SOC2 Editorial · 19 July 2026 · 13 min read

A SEBI CSCRF audit is not optional for stock brokers, depository participants, AMCs, RTAs, and Market Infrastructure Institutions — SEBI conducts periodic thematic inspections, and non-compliance attracts penalties, trading restrictions, and public disclosure. This field guide is the operational reference we use with capital-markets clients in Bangalore and Mumbai: what CSCRF requires, how the audit cycle works, and what a regulator-ready implementation looks like.

The article moves top-down: what CSCRF is, who it covers, the six control domains, the audit and attestation cycle, and common findings that trigger SEBI escalation.

What SEBI CSCRF actually is

The CSCRF was first issued in 2019 and has been periodically updated. It establishes baseline cybersecurity and cyber-resilience requirements for SEBI-regulated entities. The framework is organised around six domains:

  1. Governance and organisation structure
  2. Identity and access management
  3. Data and information protection
  4. Network security and configuration
  5. Application security and software development
  6. Cybersecurity operations and monitoring

In addition, SEBI introduced the Market SOC (MSOC) concept — a Security Operations Centre capability that monitors market infrastructure and participant systems for threats.

Who CSCRF applies to

Entity type | CSCRF applicability | MSOC applicability
--- | --- | ---
Stock brokers (TM, CM, TM-CD) | Full | Required for top 100 brokers by turnover
Depository participants | Full | Required for DPs with > 10 lakh accounts
AMCs | Full | Required for top 10 AMCs by AUM
RTAs | Full | As directed by SEBI
Market Infrastructure Institutions (MIIs) | Full + enhanced | Mandatory (NSE, BSE, NSDL, CDSL, NCCML)

The six CSCRF control domains in detail

Domain 1: Governance and organisation structure

Requirement: A board-approved cybersecurity policy, a CISO or equivalent, a cybersecurity committee, and annual board review.

Common finding: The cybersecurity policy exists but has not been reviewed in 18+ months, or the CISO reports to IT rather than the board.

Domain 2: Identity and access management

Requirement: Role-based access control, MFA for privileged access, quarterly access reviews, and unique user IDs.

Common finding: Shared admin accounts, dormant accounts not disabled, or MFA not enforced on VPN access.

Domain 3: Data and information protection

Requirement: Encryption at rest and in transit, data classification, DLP controls, and backup with quarterly restore testing.

Common finding: Encryption missing on internal network segments, or backups stored in the same availability zone as primary data.

Domain 4: Network security and configuration

Requirement: Network segmentation, firewall rule reviews, intrusion detection, and remote-access controls.

Common finding: Flat networks with no DMZ segmentation, or firewall rules that have not been reviewed in 12 months.

Domain 5: Application security and software development

Requirement: Secure SDLC, code review, vulnerability management, and change management.

Common finding: No secure coding training, or production changes that bypass the change advisory board (CAB) process.

Domain 6: Cybersecurity operations and monitoring

Requirement: 24×7 monitoring, incident response, threat intelligence, and annual penetration testing by a CERT-In empanelled firm.

Common finding: Monitoring is business-hours only, or the VAPT firm is not CERT-In empanelled for the correct category.

The CSCRF audit and attestation cycle

Activity | Frequency | Auditor requirement
--- | --- | ---
Self-assessment | Annual | Internal
VAPT (external) | Annual | CERT-In empanelled
MSOC readiness review | Annual | SEBI-recognised auditor
Cyber resilience drill | Annual | SEBI-coordinated
Thematic inspection | As directed | SEBI officials

Common CSCRF compliance mistakes

  1. Using a non-empanelled VAPT firm. SEBI explicitly requires CERT-In empanelment. Non-empanelled reports are rejected.
  2. Treating MSOC as a SIEM purchase. MSOC is a capability, not a product. It requires people, processes, and threat-intelligence integration.
  3. Ignoring the cyber-resilience drill. SEBI coordinates sector-wide drills. Participation is mandatory and documented.
  4. Board review as a checkbox. The board must actually review and question the cybersecurity posture, not just minute receipt of the report.
  5. Stale policies. A policy not reviewed in 18 months is a finding, even if the technical controls are current.

Vendor evaluation rubric for CSCRF audit

  • Are you CERT-In empanelled for VAPT and Information Security Audit? SEBI requires both categories for a full-scope engagement.
  • Have you conducted CSCRF audits for stock brokers or MIIs? Capital-markets context is not generic; regulator expectations differ.
  • Do you include MSOC readiness assessment in the scope? Some firms separate VAPT and MSOC, creating coordination overhead.
  • Will the partner attend the SEBI inspection if required? Partner continuity matters for regulator interactions.
  • Do you fix the fee in INR before kickoff? Variable billing is a red flag.

We answer all five specifically and in writing during scoping.

Cross-framework mapping

  • ISO 27001:2022 — CSCRF Domains 1–6 map to Annex A controls. A combined ISO 27001 + CSCRF audit reduces cost. See our ISO 27001 service page.
  • CERT-In Directions — Incident reporting under Direction 20(3)/2022 overlaps with CSCRF Domain 6. See our CERT-In runbook.
  • SOC 2 — US-listed broker-dealers or AMCs with US LPs may also need SOC 2 Type II. See our SOC 2 service page.

Entity-specific CSCRF application

The six-domain framework applies broadly; entity-specific variations matter for audit scope and SEBI inspection focus.

Stock brokers — TM, CM, TM-CD

Brokers face the most frequent SEBI inspections. Domain 6 (cybersecurity operations) and Domain 5 (application security for trading platforms) receive the most scrutiny. Specific findings that trigger SEBI escalation: trading-platform vulnerabilities discovered in VAPT but not closed within prescribed timelines; surveillance-system gaps that allow market-manipulation patterns to go undetected; a CISO designation that does not meet SEBI’s senior-management expectation.

Asset Management Companies (AMCs)

AMCs face additional scrutiny on Domain 3 (data protection) because of unitholder data sensitivity, and Domain 1 (governance) because of fiduciary obligations. Common findings: encryption of unitholder data missing on internal segments; CISO not reporting to the board in alignment with SEBI’s governance expectations.

Depository Participants (DPs)

DPs handle demat account data, which is highly sensitive. Domain 3 (data protection) and Domain 6 (operations) are scrutinised. Common findings: backup integrity not tested in the last 12 months; access controls on demat operations not segregated from regular IT.

Registrars and Transfer Agents (RTAs)

RTAs handle investor-data flows across multiple AMCs and issuers. The compounding risk is that a single RTA breach affects multiple regulated entities. SEBI scrutinises Domain 3 (data isolation between client AMCs) and Domain 2 (access governance for personnel handling multi-client data).

Market Infrastructure Institutions (MIIs) — NSE, BSE, NSDL, CDSL, NCCML

MIIs face the most comprehensive CSCRF application plus additional MII-specific obligations. The annual cyber-resilience drill is mandatory and SEBI-coordinated. The MSOC capability is mandatory and audited annually.

MSOC implementation depth

The Market SOC concept introduced by SEBI is operationally significant for entities meeting the applicability thresholds. MSOC is not a SIEM purchase; it is a capability with people, processes, and tools.

People

Minimum staffing for an effective MSOC includes 24×7 coverage, which typically requires 6–8 FTEs across L1 (alert triage), L2 (investigation), and L3 (incident response and forensics) tiers. Most entities below the top-100 broker threshold engage managed-MSOC services rather than building in-house.

Processes

Documented runbooks for the most likely incident types, escalation procedures aligned with SEBI inspection expectations, evidence-preservation protocols, and integration with CERT-In Direction 20(3)/2022 reporting workflows.

Tools

SIEM (Splunk, QRadar, ELK / OpenSearch with detection rules), SOAR for response automation, threat-intelligence feeds (commercial + sectoral), and integration with the broader IT operations stack.

Threat intelligence integration

Sectoral threat intelligence is increasingly available through SEBI-coordinated sharing forums and through commercial providers focused on Indian capital markets. MSOC effectiveness depends materially on consuming this intelligence and translating it into detection rules.

Recent SEBI inspection findings — what to prepare for

SEBI has stepped up thematic inspections since 2024. The most common findings from publicly disclosed inspection reports:

Finding 1 — Stale documentation. Cybersecurity policies last reviewed more than 18 months ago, even when controls are current.

Finding 2 — VAPT firm not CERT-In empanelled for the correct category. A firm empanelled for “Information Security Audit” but not for “Penetration Testing and Vulnerability Assessment” — see our CERT-In auditor list.

Finding 3 — Cyber-resilience drill not conducted. Either skipped entirely or conducted internally rather than as part of the SEBI-coordinated drill.

Finding 4 — Board review as a checkbox. Minutes show the board “received” the report; no evidence of substantive review or questioning.

Finding 5 — Access reviews ad-hoc. Quarterly access reviews not conducted with documented evidence; dormant accounts identified but not disabled.
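As an added example (not from this guide or our methodology), a small Python review that turns an account export into the documented quarterly evidence Finding 5 asks for, flagging the three Domain 2 findings named earlier: shared or unowned accounts, dormant accounts still enabled, and missing MFA on privileged or VPN access. The 90-day dormancy threshold, the CSV columns and the sample accounts are assumptions.

```python
"""Quarterly CSCRF Domain 2 access review over an identity-store export.
Flags shared/unowned accounts, dormant-but-enabled accounts, and MFA gaps
on privileged or VPN access, and builds a dated evidence record.
The threshold and the column layout are assumptions, not CSCRF text."""
import csv
import io
import json
from datetime import date

DORMANT_DAYS = 90  # assumed threshold; set per the entity's own policy

# Constructed sample export; these are not real accounts.
INVENTORY_CSV = """\
user_id,owner,privileged,vpn,mfa,enabled,last_login
jdoe,Jane Doe,no,yes,yes,yes,2026-07-10
dbadmin,,yes,no,no,yes,2026-07-01
ops_shared,Ravi Kumar;Priya S,yes,yes,yes,yes,2026-07-12
akumar,Arun Kumar,no,yes,no,yes,2026-06-30
old_contractor,Vendor X,no,no,yes,yes,2026-01-15
retired,Old Staff,yes,no,no,no,2025-11-02
"""


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def review_accounts(inventory_csv, as_of_iso):
    """Return (user_id, finding) pairs for the review date (ISO string)."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        uid = row["user_id"]
        enabled = _truthy(row["enabled"])
        owners = [o for o in row["owner"].split(";") if o.strip()]
        # Shared or unowned: no single accountable individual.
        if len(owners) != 1:
            findings.append((uid, "shared or unowned account"))
        # Dormant: still enabled but no login inside the threshold.
        last = date.fromisoformat(row["last_login"])
        if enabled and (as_of - last).days > DORMANT_DAYS:
            findings.append((uid, f"dormant > {DORMANT_DAYS} days, still enabled"))
        # MFA gaps only matter for enabled accounts.
        if enabled and not _truthy(row["mfa"]):
            if _truthy(row["privileged"]):
                findings.append((uid, "privileged access without MFA"))
            if _truthy(row["vpn"]):
                findings.append((uid, "VPN access without MFA"))
    return findings


def evidence_record(inventory_csv, as_of_iso, reviewer):
    """JSON-serialisable artefact to file with the quarterly review."""
    findings = review_accounts(inventory_csv, as_of_iso)
    return {
        "control": "CSCRF Domain 2 quarterly access review",
        "review_date": as_of_iso,
        "reviewer": reviewer,
        "accounts_reviewed": inventory_csv.count("\n") - 1,
        "findings": [{"user_id": u, "finding": f} for u, f in findings],
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record(INVENTORY_CSV, "2026-07-15", "CISO office"), indent=2))
```

The record lists each exception so the next quarter's review can show it was disabled or remediated, which is the evidence trail inspectors look for.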

Finding 6 — Backup restore not tested. Quarterly restore testing not documented or not conducted.

Practical next steps

If you are preparing for a SEBI inspection, start with the six domains self-assessment. If you need a CERT-In empanelled auditor, see our Empanelled Auditor List guide. If you want to scope a CSCRF + MSOC engagement, our SEBI CSCRF service page walks through the methodology and pricing.

For organisations that want a thirty-minute scoping conversation with a partner, the contact form in the site footer books the call directly. We commit to written scope, fixed price in INR, and direct partner-level accountability through the engagement.

SEBI CSCRF FAQ

Does CSCRF apply to small brokers below the top-100? Full CSCRF applies to all SEBI-regulated entities; MSOC requirements apply to top-100 brokers by turnover. Smaller brokers have proportionate but not zero obligations.

Is annual VAPT sufficient for CSCRF? Annual VAPT is the floor; brokers handling digital trading channels typically need quarterly testing per RBI-aligned expectations. SEBI inspections increasingly look for quarterly cadence.

What MSOC capability is required? A 24×7 monitoring capability with documented use-cases mapped to MITRE ATT&CK, log retention per CSCRF schedule, incident triage with defined SLAs, threat-intelligence integration, and periodic SOC scoring submission.

Can I outsource MSOC entirely? Yes, to an Aggregator MSOC authorised by SEBI. Subscription to an Aggregator satisfies the requirement for entities below the top-tier threshold while preserving in-house obligations around runbook ownership and regulator liaison.

How often does SEBI conduct thematic inspections? Periodic; specific cadence varies by entity classification. Top-tier brokers and MIIs see annual or more frequent inspections; smaller entities see less frequent but still recurring inspections.

Does the cyber-resilience drill require third-party participation? Yes, the drill is sector-coordinated by SEBI with multiple participants. Member firms participate in a structured exercise that tests cross-entity coordination during simulated incidents.

Are CSCRF audit reports public? Generally no. Reports are submitted to SEBI through prescribed channels and may be shared with sectoral coordination forums. Public disclosure is rare and typically only follows enforcement action.

Can I use ISO 27001 certification as evidence of CSCRF compliance? Substantially. ISO 27001:2022 Annex A maps to most CSCRF domains. The mapping reduces incremental audit cost but does not eliminate CSCRF-specific obligations.

What is the penalty for CSCRF non-compliance? Penalties under SEBI’s general framework, ranging from monetary fines to trading restrictions to enforcement action against directors. Quantum varies by severity and prior compliance history.

Does CSCRF apply to depository participants and their sub-brokers? Yes. Depository participants face full CSCRF; sub-brokers face proportionate obligations through their parent broker’s compliance programme.

Can I conduct the cyber-resilience drill internally? No — the drill is SEBI-coordinated and involves cross-entity coordination. Internal tabletop exercises are valuable preparation but do not substitute for participation in the SEBI drill.

What is the typical engagement timeline for first-time CSCRF audit? 12–16 weeks for an established broker; 20–24 weeks for greenfield programmes requiring substantial control implementation.

Capital-markets cybersecurity threat landscape

Bangalore-based brokers, AMCs, and capital-markets vendors operate against a specific threat landscape worth understanding.

Account takeover targeting retail traders

The largest single threat category. Compromised retail accounts are used for unauthorised trading, fund withdrawal, or coordinated market manipulation. CSCRF Domain 2 (identity and access management) addresses this directly — MFA on all customer-facing trading platforms is the operational floor.

Insider trading data exposure

APIs that expose pre-public information (research reports before publication, large-order pipeline before execution) create insider-trading opportunities. Domain 3 (data protection) addresses this through access segmentation and audit logging.

Trading-system manipulation

Direct manipulation of order-matching, market-data feeds, or trade-confirmation systems is a higher-impact, lower-frequency threat. Domain 4 (network) and Domain 5 (application) address this through segmentation and secure development practices.

Vendor compromise

Capital-markets entities depend on extensive third-party ecosystems — data vendors, KYC providers, RTAs, depositories. Compromise of a shared vendor produces multi-firm impact. Domain 1 (governance) addresses this through vendor-risk management.

Regulatory disruption

Disruption of trading systems during market hours creates systemic risk. Cyber-resilience drills test multi-firm response to such scenarios.

Practical CSCRF programme priorities

For brokers and AMCs scoping CSCRF programmes, specific priorities sequence the work effectively.

First 90 days — governance and visibility. Establish CISO function with appropriate seniority, assemble cybersecurity committee, establish current-state visibility through baseline audit. Without governance, downstream technical work proceeds inconsistently.

Days 90–180 — high-impact controls. Universal MFA, log centralisation, access reviews, basic vulnerability management. These are the controls SEBI inspections look at first.

Days 180–270 — depth controls. DLP, data-classification, advanced monitoring, business-continuity testing.

Days 270–365 — maturity. Threat intelligence, MSOC if applicable, cyber-resilience drill participation.

This sequence produces inspection-ready posture in under 12 months for most brokers; greenfield programmes may extend to 18 months.

CSCRF interaction with broader Indian regulatory frameworks

CSCRF does not exist in isolation. Capital-markets entities subject to CSCRF typically also operate under multiple parallel frameworks.

RBI Cyber Security Framework. Bank-affiliated brokers and AMCs face RBI cybersecurity expectations through their banking relationships. Where conflicts arise between RBI and SEBI requirements, the more stringent applies. In practice, the requirements largely overlap, with minor differences in reporting cadence.

CERT-In Direction 20(3)/2022. The six-hour incident-reporting window applies to capital-markets entities as Information Service Providers. CSCRF Domain 6 (cybersecurity operations) explicitly references CERT-In coordination. Most brokers’ CSCRF programmes incorporate CERT-In reporting workflow as part of incident-response planning.

DPDP Act 2023. Capital-markets entities are Data Fiduciaries for client personal data. CSCRF Domain 3 (data protection) overlaps materially with DPDP security-safeguard expectations. Operating both programmes through a unified compliance backbone reduces duplication.

Anti-Money Laundering frameworks. PMLA obligations apply to capital-markets entities through SEBI’s KYC framework. CSCRF Domain 3 supports PMLA’s data-protection expectations.

Sectoral licence frameworks. Stock brokers, depository participants, AMCs, RTAs each have specific licence frameworks with embedded cybersecurity expectations. CSCRF provides the unifying baseline; sectoral specifics layer on top.

For Bangalore capital-markets entities, the operationally rational approach is to design a unified compliance programme that satisfies CSCRF as the primary structure with adjacent-framework specifics layered on. Running CSCRF as a separate programme from RBI / DPDP / CERT-In compliance produces duplicative effort.

Beyond compliance — capital-markets cybersecurity strategy

Looking beyond regulatory compliance to broader strategy, several considerations matter for capital-markets cybersecurity.

Threat-intelligence sharing. SEBI facilitates sectoral information-sharing forums. Active participation builds visibility into threat-actor patterns affecting the sector. Passive participation produces less benefit.

Peer benchmarking. Capital-markets entities benefit from understanding peer cybersecurity posture; SEBI’s MSOC scoring framework provides one comparative dimension. Industry forums provide qualitative peer benchmarking.

Technology adoption. Capital-markets entities increasingly adopt cybersecurity-relevant technologies — zero-trust architecture, behavioural-biometric authentication, AI-driven threat detection. Strategic technology adoption reduces compliance friction in subsequent regulatory cycles.

Talent investment. Cybersecurity talent for capital-markets is scarce in India; entities investing in talent development internally reduce dependency on external advisory and improve operational outcomes.

CSCRF programme governance — board accountability

Effective CSCRF programmes require board-level engagement that goes beyond receiving compliance reports. Specific governance practices distinguish mature programmes.

Cybersecurity committee charter. Documented charter specifying committee composition (typically including CISO, COO, audit-committee chair, independent director with cyber expertise), meeting cadence, scope of authority, and reporting line to the full board.

Quarterly board review. Substantive review including risk-register updates, incident summaries, regulatory engagement, programme spend versus plan, and forward-looking priorities. Pro-forma reviews fail SEBI inspection scrutiny.

Annual board cybersecurity training. Board members receive annual training on cybersecurity governance, regulatory expectations, and oversight responsibilities. Training records are reviewable by SEBI.

Independent director with cyber expertise. Best practice for capital-markets entities; some regulators may move toward making this mandatory.

External cybersecurity advisor to the board. Senior external advisor (often a former CISO or regulator) provides independent perspective to the board beyond what internal CISO presents.

Cybersecurity in CEO scorecards. CEO performance evaluation includes cybersecurity programme outcomes. This is a board-level signal that cybersecurity is an enterprise priority.

These governance practices are not formally required by CSCRF but are increasingly common at MIIs and major brokers. SEBI inspection scrutiny of governance has increased; mature governance reduces inspection-finding risk.

CSCRF programme economics for different entity classes

The financial economics of CSCRF compliance vary by entity classification.

MII economics. ₹1.5–3 crore annual compliance budget for MIIs (NSE, BSE, NSDL, CDSL, NCCML). Includes MSOC operation, framework audits, cyber-resilience drill participation, and ongoing programme maintenance.

Top-100 broker economics. ₹50–90 lakh annual compliance budget. Includes MSOC subscription, framework audits, and mandatory testing cycles.

Mid-size broker economics. ₹20–40 lakh annual compliance budget. Aggregator MSOC subscription, annual framework audit, baseline testing.

Small broker economics. ₹8–15 lakh annual compliance budget. Aggregator MSOC subscription, basic compliance audit, baseline controls.

AMC economics. Varies with AUM scale; large AMCs are comparable to top-100 brokers, small AMCs to small brokers.

RTA / KRA economics. ₹30–60 lakh annual; data-volume sensitivity drives costs higher than for brokers of equivalent revenue.

These benchmarks reflect operational compliance investment; building from a greenfield baseline typically requires 1.5–2× the year-one investment to establish the foundation.

CSCRF programme outcomes worth tracking

Beyond inspection-pass, several programme outcomes inform whether the CSCRF investment is producing genuine value.

Reduced incident frequency. Mature programmes correlate with lower incident frequency. Tracking incident count, severity, and trend year-over-year reveals programme effectiveness.

Faster incident response. Time-to-detect, time-to-contain, time-to-recover metrics improve with programme maturity. Quarterly tracking surfaces trends.

Improved customer-facing metrics. Customer trust signals — vendor security review pass-through rates, customer-renewal rates, expansion-deal velocity — improve with mature compliance posture.

Reduced regulatory friction. SEBI inspection findings count, resolution timeline, and regulator-engagement quality improve over time with mature programmes.

Capital efficiency. Compliance investment per crore of revenue should stabilise or decline as programmes mature beyond initial setup phase.

These outcome metrics distinguish programmes generating genuine value from programmes operating as cost centres.

API4SOC2 Editorial
Compliance Practice Lead, Bengaluru
Bengaluru-based partner at API4SOC2. CERT-In empanelled lead auditor with 12+ years of compliance practice across Indian BFSI, fintech, and SaaS engagements. Has signed off on 80+ SOC 2 and ISO 27001 attestations.