
SEBI CSCRF & Market SOC (MSOC) Audit Services in Bangalore

SEBI CSCRF audit and Market SOC (MSOC) services from Bengaluru — for stock brokers, AMCs, RTAs, mutual funds, depositories, exchanges, and clearing corporations. Aligned to NIST CSF 2.0 and harmonised with CERT-In directions. 40+ filings since 2018.

Timeline: 8–12 weeks
From (INR): ₹6,50,000
Delivered from: Bengaluru
Empanelment: CERT-In

India’s securities market regulator has historically taken cybersecurity seriously, and the Cybersecurity and Cyber Resilience Framework notified in August 2024 codifies that posture into a comprehensive, NIST-CSF-2.0-aligned regime. The CSCRF is now the single reference document governing cybersecurity obligations for SEBI-regulated entities — replacing roughly seven earlier sectoral circulars and harmonising the audit cadence, scope, and reporting expectations across stock brokers, AMCs, RTAs, mutual funds, depositories, exchanges, and clearing corporations. For Bangalore-headquartered SEBI REs and the Bangalore offices of nationally-headquartered MIIs, the framework is operational and the audit calendar is full. This page describes our engagement model.

What SEBI CSCRF actually requires

The Cybersecurity and Cyber Resilience Framework, notified by SEBI on 20 August 2024, structures cybersecurity obligations for regulated entities around six functional pillars (drawn from NIST CSF 2.0): Identify, Protect, Detect, Respond, Recover, and Govern. The framework is mandatory and includes specific control objectives, audit cadences, reporting requirements, and the new MSOC operational requirement.

The framework applies in graduated fashion across five classifications:

  • Market Infrastructure Institutions (MIIs) — stock exchanges, depositories, clearing corporations. Highest obligation; most rigorous audit cadence.
  • Qualified REs — large stock brokers, large AMCs, large RTAs above specified thresholds.
  • Mid-size REs — REs above small-size thresholds but below Qualified.
  • Small-size REs — smaller registered intermediaries.
  • Self-certified REs — smallest entities; primarily self-attestation with periodic verification.

Each classification has obligations proportionate to scale and impact. The framework is published on SEBI’s site and is the canonical reference for any compliance work.

Who is regulated — MIIs, REs, Qualified REs

The full universe of SEBI-regulated entities is large; for the purpose of CSCRF compliance work in Bangalore, the following are the specific buyer categories we engage with most often.

Stock brokers

Bangalore is one of India’s major stockbroking centres (Zerodha is headquartered here; many others operate significant Bangalore offices). Stock brokers are REs with classification depending on registered investors and turnover. Discount brokers above scale generally fall in the Qualified RE category.

AMCs and mutual funds

Asset management companies and mutual fund schemes; classification depends on AUM and investor base. Several India-based AMCs have material Bangalore operations.

RTAs and KRAs

Registrars and Transfer Agents and KYC Registration Agencies — high-volume data-handling entities, typically classified as Qualified REs or higher.

Exchanges and depositories

NSE, BSE, MCX, NCDEX, CDSL, NSDL — all MIIs. Bangalore offices of these entities are part of the in-scope estate.

Alternative Investment Funds

AIFs registered with SEBI; classification depends on fund size and structure.

Investment advisers and research analysts

Generally smaller entities falling into Mid-size or Small-size classifications.

The six functional pillars

Identify

Asset inventory, data classification, threat-and-risk assessment, third-party risk management, regulatory and contractual obligation mapping. The foundation for the rest of the framework.

Protect

Identity and access management, data protection at rest and in transit, secure configuration, vulnerability management, change management, security awareness training. The largest of the six pillars by control count.

Detect

Continuous monitoring (the MSOC requirement falls here), anomaly detection, threat intelligence, vulnerability scanning, log management.

Respond

Incident response capability, communication, analysis, mitigation, regulator-reporting workflow.

Recover

Recovery planning, recovery time / point objectives, recovery validation, lessons learned, communication during recovery.

Govern

Governance structure, accountability, policy framework, supply chain risk management, organisational context. Added in NIST CSF 2.0 and inherited into CSCRF; emphasises board-level cyber accountability.

Market SOC requirement and scoring

The Market SOC requirement is the most operationally significant addition to CSCRF. MIIs and Qualified REs must operate or subscribe to a 24×7 security operations centre with specified capabilities:

  • Continuous monitoring of in-scope systems
  • Documented detection use cases mapped to MITRE ATT&CK
  • Incident triage and escalation per defined SLA
  • Log retention per CSCRF schedule
  • Threat-intelligence integration
  • Periodic SOC scoring submitted to SEBI
  • Integration with the MSOC reporting framework

SEBI has authorised certain entities to operate as Aggregator MSOCs serving smaller REs that cannot economically run their own. Mid-size and Small-size REs typically subscribe to an Aggregator; for those subscribers we act as the audit / advisory overlay rather than the SOC operator.
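The items in the MSOC list above (use-case coverage mapped to ATT&CK, log retention against the schedule, triage within SLA) are the same things the Week 8 MSOC review and findings 2 and 3 in the common-findings list come back to, and they can be checked from SOC exports rather than from a slide. The Python below is an added example written for this page, not tooling from SEBI, from the framework, or from any SOC product. The 180-day retention target, the 30-minute triage SLA, the use-case inventory, the log-source list and the alert records are all constructed placeholders to be replaced with the CSCRF schedule values and your own SIEM exports; only the ATT&CK Enterprise tactic names are real. It also flags a failure mode the list does not mention: a rule that is "mapped" and enabled but reads from a log source that was never onboarded, which looks like coverage on paper and can never fire.

```python
"""Audit helper for an MSOC use-case inventory, log retention and triage SLA.

Added example for this page, not code from SEBI, CSCRF or any SOC vendor.
All thresholds and sample records are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# The 14 MITRE ATT&CK Enterprise tactics (real names).
ATTACK_TACTICS: Tuple[str, ...] = (
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
)

# Assumed audit targets: placeholders, not figures from the CSCRF schedule.
REQUIRED_RETENTION_DAYS = 180
TRIAGE_SLA = timedelta(minutes=30)


@dataclass(frozen=True)
class UseCase:
    name: str
    tactic: str                  # ATT&CK tactic the detection rule is mapped to
    technique: str               # ATT&CK technique id, e.g. "T1110"
    log_sources: Tuple[str, ...]  # SIEM log sources the rule reads from
    enabled: bool = True


@dataclass(frozen=True)
class LogSource:
    name: str
    retention_days: int          # retention actually configured, not the policy value


@dataclass(frozen=True)
class Alert:
    alert_id: str
    raised: datetime
    triaged: Optional[datetime]  # None while the alert is still sitting in the queue


def tactic_coverage(use_cases: List[UseCase]) -> Tuple[Set[str], Set[str]]:
    """Return (covered, uncovered) tactic sets; disabled rules do not count as coverage."""
    covered = {u.tactic for u in use_cases if u.enabled}
    unknown = covered - set(ATTACK_TACTICS)
    if unknown:
        raise ValueError(f"use cases mapped to non-ATT&CK tactics: {sorted(unknown)}")
    return covered, set(ATTACK_TACTICS) - covered


def retention_gaps(log_sources: List[LogSource],
                   required_days: int = REQUIRED_RETENTION_DAYS) -> Dict[str, int]:
    """Log sources retained for fewer days than the required schedule."""
    return {s.name: s.retention_days for s in log_sources if s.retention_days < required_days}


def orphaned_use_cases(use_cases: List[UseCase], log_sources: List[LogSource]) -> List[str]:
    """Enabled rules whose log sources are not onboarded: nominal coverage that cannot fire."""
    onboarded = {s.name for s in log_sources}
    return [u.name for u in use_cases if u.enabled and not set(u.log_sources) <= onboarded]


def sla_breaches(alerts: List[Alert], now: datetime, sla: timedelta = TRIAGE_SLA) -> List[str]:
    """Alerts triaged after the SLA, plus untriaged alerts already older than the SLA."""
    return [a.alert_id for a in alerts if ((a.triaged or now) - a.raised) > sla]


def audit_msoc(use_cases: List[UseCase], log_sources: List[LogSource],
               alerts: List[Alert], now: datetime) -> Dict[str, object]:
    """Bundle the checks into one evidence record for the audit workpaper."""
    covered, uncovered = tactic_coverage(use_cases)
    return {
        "tactics_covered": len(covered),
        "tactics_uncovered": sorted(uncovered),
        "retention_gaps": retention_gaps(log_sources),
        "orphaned_use_cases": orphaned_use_cases(use_cases, log_sources),
        "sla_breaches": sla_breaches(alerts, now),
    }


# Constructed sample inventory (not real client data).
SAMPLE_LOG_SOURCES = [
    LogSource("ad-security", 365),
    LogSource("firewall", 90),        # below the assumed 180-day target
    LogSource("trading-app", 200),
]
SAMPLE_USE_CASES = [
    UseCase("Brute force against OMS login", "Credential Access", "T1110", ("trading-app",)),
    UseCase("New local admin created", "Persistence", "T1136", ("ad-security",)),
    UseCase("Pass-the-hash lateral movement", "Lateral Movement", "T1550", ("ad-security",)),
    UseCase("Outbound transfer to rare domain", "Exfiltration", "T1048", ("proxy",)),  # proxy never onboarded
    UseCase("Mass file rename on file server", "Impact", "T1486", ("file-server",), enabled=False),
]
SAMPLE_NOW = datetime(2025, 1, 15, 12, 0)
SAMPLE_ALERTS = [
    Alert("A-1", datetime(2025, 1, 15, 9, 0), datetime(2025, 1, 15, 9, 10)),   # 10 min: within SLA
    Alert("A-2", datetime(2025, 1, 15, 9, 0), datetime(2025, 1, 15, 10, 0)),   # 60 min: breach
    Alert("A-3", datetime(2025, 1, 15, 11, 45), None),                          # 15 min open: fine
    Alert("A-4", datetime(2025, 1, 15, 10, 0), None),                           # 120 min open: breach
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_msoc(SAMPLE_USE_CASES, SAMPLE_LOG_SOURCES, SAMPLE_ALERTS, SAMPLE_NOW), indent=2))
```

On the constructed sample the record shows 4 of 14 tactics covered, the firewall source under-retained, the exfiltration rule orphaned on a log source that is not onboarded, and two triage SLA breaches (one late, one still open). Untriaged alerts are measured against the current time deliberately: a queue that is never worked produces no "triaged" timestamp and would otherwise be invisible to an SLA report built only from closed tickets.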

Quarterly VAPT, half-yearly audit, annual drill

The audit calendar for an MII or Qualified RE is full year-round.

Quarterly

VAPT against external-facing systems, critical applications, and customer-facing infrastructure. Methodology described on our VAPT page; CERT-In empanelment is mandatory.

Half-yearly

Comprehensive cybersecurity audit covering all CSCRF controls. Output: an audit report mapped to the framework, signed by an empanelled auditor, submitted to SEBI through the regulated entity’s prescribed channel.

Annual

Cyber-resilience drill — typically a red-team or scenario-based exercise testing detection, response, and recovery capability. Output: a drill report with findings and remediation roadmap.

Continuous

MSOC operation, log management, threat-intelligence consumption, change-management evidence, awareness-training records.

Event-driven

CERT-In Direction 20(3)/2022 reporting (six-hour clock for specified incidents); SEBI incident reporting per CSCRF schedule.

Reporting to SEBI and exchanges

CSCRF reports are submitted through the entity's prescribed regulatory channel. Exchanges and depositories report to SEBI directly. Stock brokers, AMCs and RTAs submit through the relevant exchange or depository, which forwards consolidated reports to SEBI.

Report format is prescribed by CSCRF Annexures: cover page, executive summary, scope, findings (severity-graded and mapped to CSCRF control numbers), remediation status, auditor sign-off, and required annexures (asset inventory, risk register, incident log).

Eight-to-twelve week engagement roadmap

Weeks 0–1 · Scoping and asset inventory

Workshop with your CISO / CTO, asset inventory mapping, classification of in-scope systems, identification of critical applications.

Weeks 2–3 · Documentation review and gap analysis

Review of policies, procedures, runbooks against CSCRF control set. Gap matrix produced.

Weeks 4–6 · Technical audit (VAPT scope)

Penetration testing of in-scope systems following CSCRF requirements. Findings fed into the comprehensive audit report.

Week 7 · Process audit and management interviews

Walkthrough of governance, identity-and-access, change management, vendor management, incident response, business continuity.

Week 8 · MSOC review

For MIIs and Qualified REs operating their own MSOC, we audit the MSOC against CSCRF requirements (use-case coverage, log retention, response SLA, scoring submission).

Weeks 9–10 · Reporting

Comprehensive audit report drafted, peer-reviewed, signed. Executive summary for board consumption. SEBI submission package prepared.

Weeks 11–12 · Remediation and re-test

Critical findings remediated; re-test confirms closure. Retainer continues for the next quarterly VAPT cycle.

Pricing in INR

Tier 1 · Half-yearly audit: CSCRF Comprehensive Audit, ₹6,50,000 + GST
  • 10–12 week engagement
  • Full CSCRF control coverage
  • VAPT included for one cycle
  • SEBI submission package

Tier 3 · MSOC operation: Managed MSOC, quote on scoping
  • 24×7 SOC operation
  • Detection use-case management
  • Incident response integrated
  • SEBI MSOC scoring submission
  • For Mid-size and Small-size REs

Common findings in MIIs and REs

  1. Privileged access without time-bound just-in-time provisioning
  2. Log retention below CSCRF schedule
  3. MSOC use-case coverage gaps against MITRE ATT&CK
  4. Third-party risk management documentation incomplete for critical vendors
  5. Annual cyber-resilience drill not conducted in the last 12 months
  6. Change management without independent peer review for production-impacting changes
  7. Internal-network segmentation insufficient between trading floor and corporate network
  8. Workstation hardening below CIS benchmark baseline
  9. Backup integrity not tested (last successful test > 6 months prior)
  10. DR site not exercised within last 12 months
  11. Vendor incidents not reported to entity within contractual SLA
  12. CERT-In Direction 20(3)/2022 reporting workflow not tabletop-tested
  13. Application-layer logging insufficient for forensic reconstruction
  14. Identity federation with vendors using legacy SAML configurations
  15. Mobile / remote-working endpoint security inconsistent

Why CERT-In + SEBI experience matters

CSCRF audit work is one of the most specialised cybersecurity engagements in India. The framework is dense, the regulator is demanding, and the operational tempo is high. CERT-In empanelment is the floor; empanelment on the audit panels of the exchanges and depositories, together with demonstrated MII / RE delivery experience, is what separates competent CSCRF practice from generic compliance work. We have filed CSCRF reports, and before August 2024 reports under the precursor sectoral circulars, for 40+ market participants since 2018, and our partners are among the most experienced auditors in Indian capital-markets cybersecurity.

CSCRF application by SEBI-RE entity type

Each entity type within the CSCRF framework has specific obligations and audit-scope expectations. Below is the application of our methodology to the SEBI-RE classifications we deliver into most often.

Stock exchanges (NSE, BSE, MCX, NCDEX, MSE)

The most rigorous CSCRF application. Quarterly VAPT covering the matching engine, market-data infrastructure, member-facing systems, surveillance systems, and regulatory-reporting infrastructure. Half-yearly comprehensive audit covering the full framework. Annual cyber-resilience drill in coordination with member firms, testing market-wide resilience under specified scenarios. MSOC operation is mandatory, and the exchange SOCs are among the most mature in India. Our exchange engagements are typically multi-quarter retainers with named partner accountability.

Depositories (NSDL, CDSL)

Custody-of-record systems with dematerialised securities for hundreds of millions of investor accounts. Audit scope concentrates on data-integrity, identity-verification, and audit-trail integrity — the three properties without which the depository’s role would be untenable. Specific test areas: nominee-update workflow, off-market transfer authorisation, corporate-action processing, KYC integration with KRAs, system-resilience testing for end-of-day batch operations.

Clearing corporations

Risk-management and settlement infrastructure for market participants. Audit scope concentrates on margin-calculation system integrity, settlement-bank integration security, default-management workflow, and the specific cybersecurity expectations applicable to qualified central counterparties. Our clearing-corp engagements include parallel review of business-continuity and recovery infrastructure.

KYC Registration Agencies (KRAs)

High-volume customer-data infrastructure shared across the securities-market ecosystem. Audit scope: data-segregation across registered intermediaries, API security for KYC retrieval, audit-trail per-record-access, retention compliance per the KRA framework, identity-verification integration with UIDAI / NSDL e-KYC. The risk profile is concentrated and the regulatory expectation is high.

Stock brokers — Discount brokers (Zerodha, Groww, Upstox, Angel One)

Bangalore is the centre of mass for India’s discount-broking industry. Discount brokers above scale fall in the Qualified RE classification with full CSCRF obligations. Specific test areas: trading-platform security (web, mobile, API), customer-onboarding integration with KRAs / depositories, fund-segregation system audit, payout-workflow security, integration with exchange / clearing-corporation systems.

Asset Management Companies (AMCs) and mutual funds

AMCs above AUM thresholds fall in Qualified RE; below, in Mid-size or Small-size depending on scale. Specific test areas: investor-onboarding security, transaction-platform security, RTA integration security, NAV-calculation audit-trail integrity, distribution-channel security (for AMCs operating their own digital channels).

Mid-size and small-size REs

Smaller registered intermediaries — investment advisers, research analysts, AIFs below scale, smaller stock brokers. CSCRF obligations are proportionate but real. Most subscribe to an Aggregator MSOC rather than operating their own; we deliver the audit and advisory overlay rather than SOC operation. Our Mid-size / Small-size engagements typically run quarterly VAPT plus annual comprehensive audit.

Aggregator MSOC framework — for entities that cannot run their own

SEBI’s Aggregator MSOC framework permits qualified entities to operate as Aggregator MSOCs serving multiple smaller REs. The arrangement reduces the operational burden on Mid-size / Small-size REs while maintaining the substantive 24×7 monitoring obligation. We work with several Aggregator MSOCs and provide the audit / advisory overlay for their RE clients; the operational SOC is run by the Aggregator and the compliance overlay (audit, framework reporting, regulatory engagement) is run by us.

Subscription to an Aggregator MSOC requires the RE to maintain certain controls in-house (detection-rule customisation, escalation tree, runbook ownership, regulatory liaison) even though the SOC operation is outsourced. Our advisory work covers these in-house obligations alongside the broader compliance posture.

The annual cyber-resilience drill in detail

The CSCRF annual cyber-resilience drill is the single most-distinctive obligation of the framework. The drill is a scenario-based exercise testing the entity’s detection, response, and recovery capability under simulated adversary conditions. SEBI prescribes scenario parameters and reporting expectations; specific scenarios are selected by the entity in consultation with the auditor.

Common scenario categories include: ransomware affecting trading-floor systems, data-integrity attack on a critical database, supply-chain compromise via a key vendor, distributed denial-of-service attack on customer-facing systems, insider-threat scenario with data-exfiltration objective, and combined-vector scenarios that test multi-control resilience.

Our drill engagements are structured as: (1) scenario design with the client's leadership team, (2) drill preparation including injection points, success criteria, and observation methodology, (3) execution, typically over 2–4 days, with senior observers from our team and the client's leadership, (4) hot-wash debrief immediately after the drill, (5) formal report with findings and remediation roadmap. Findings that recur across drills include detection-time gaps that surprise the client's SOC team, communication-flow gaps during a high-volume incident, escalation-tree gaps where named individuals are unreachable, and recovery-time-objective gaps where the documented capability does not match what the drill actually observed.

CSCRF and CERT-In harmonisation

One of CSCRF’s structural achievements is the explicit harmonisation with CERT-In Direction 20(3)/2022 incident-reporting obligations. Earlier sectoral cybersecurity circulars had inconsistent reporting cadences and content requirements, leading to duplicative and sometimes conflicting submissions. CSCRF defines the reporting workflow such that a single incident produces aligned reports — CERT-In within six hours, SEBI within the framework-defined cadence — without conflicting content.

Our incident-response runbook for CSCRF clients handles both submissions through a single workflow. The CERT-In submission is the operational immediate response; the SEBI submission follows the framework cadence and incorporates the additional sectoral context. Both are produced by the same workflow with the same evidence base.

Cloud adoption and third-party risk under CSCRF

The CSCRF framework explicitly addresses cloud adoption and third-party risk — two areas where earlier sectoral circulars were sparse. For SEBI-regulated entities adopting cloud (which is now most of the population for non-MII REs), the framework specifies expectations on cloud-service-provider selection, due-diligence, contractual obligations, residency, audit-rights, and exit procedures.

Specific cloud-related expectations: data residency for certain categories of regulated data; pre-deployment due diligence on the cloud provider, including review of its independent third-party assurance reports (SOC 2 Type II, ISO 27001 certificate, ISO 27017 attestation, CSA STAR registration) and a check that each report's scope and period actually cover the services and regions the entity consumes; a contractual right to audit for the regulated entity or its auditor; encryption-key custody (the entity holding its own keys rather than relying on the provider's default key management); and a documented exit plan with portability evidence. Our cloud security methodology (see our cloud security page) covers all of these and produces a CSCRF-aligned cloud audit annexure as part of the deliverable.

Third-party risk is addressed similarly. The framework expects ongoing monitoring of third-party providers, particularly those with access to in-scope data or systems, with documented onboarding due diligence and periodic re-assessment. The "outsourcing" model familiar from Master Direction-style regulation is extended in CSCRF to cover cloud and SaaS providers explicitly. Most MII and Qualified RE third-party portfolios contain 200–400 active vendors across risk tiers; the operational implementation layers automated vendor-monitoring tools on top of the manual due-diligence cadence.

Our CSCRF retainers include third-party risk programme review and (for clients that lack one) third-party risk programme stand-up as part of the engagement scope. The output is a vendor-risk register, a tiered onboarding workflow, and a periodic-review cadence aligned with CSCRF expectations. For larger entities, we integrate third-party risk into the broader vCISO function — see our vCISO page for the integrated retainer model.

Evaluating a CSCRF audit vendor — what to ask

The CSCRF audit market is concentrated. The framework is technical, the regulator is demanding, and the operational tempo is high; not many firms can deliver competent CSCRF practice across the full RE classification spectrum. The questions below separate vendors during procurement.

  • Empanelment status: is the firm CERT-In empanelled with current validity? Has the firm been engaged on the audit panel of major exchanges, depositories, or clearing corporations? The CERT-In list is the floor; specific MII / RE empanelment differentiates further.
  • Filed reports: how many CSCRF or precursor-circular reports has the firm filed in the last 24 months? What entity types do those reports span (exchange, depository, AMC, broker, RTA)? Vendors with filed-report counts in single digits are typically not delivering CSCRF as a primary practice line.
  • Partner depth: who at the firm has the named relationships with SEBI's technical-supervision teams? With NSE / BSE / MCX cybersecurity functions? With CERT-In's capital-markets coordination? CSCRF audit is partly a relationship function; vendors with a shallow regulator network often produce reports that satisfy formal requirements but miss the regulator-engagement value.
  • MSOC operation experience: if the engagement includes MSOC review or MSOC operation, what specifically has the firm delivered in MSOC operation? Operating an MSOC against CSCRF expectations is a different discipline from delivering generic SOC managed services.
  • Cyber-resilience-drill design experience: how many drills has the firm designed and delivered? Drills are CSCRF's most distinctive obligation; competent drill design separates competent CSCRF practice from generic compliance work.
  • Multi-framework integration: can the firm deliver CSCRF alongside ISO 27001, SOC 2, DPDP and other sectoral compliance? CSCRF runs alongside other frameworks for most regulated entities; integrated delivery is materially more efficient than a fragmented vendor portfolio.
  • Pricing transparency: can the firm publish pricing? Will it fix the engagement fee in writing? Vendors that decline both are signalling pricing-for-negotiation rather than pricing-for-delivery.

We answer all of these specifically and in writing during scoping. The questions are useful regardless of which vendor you ultimately engage.

Where CSCRF is heading — anticipated 2026–2027 evolution

CSCRF in its current form is roughly two years into operational reality, and SEBI's pattern across other framework rollouts suggests meaningful evolution over the next two years. Three changes we expect through 2026 and 2027 are worth flagging to clients during scoping: a tighter MSOC scoring methodology (the current scoring is broad-brush; we expect specific use-case-coverage metrics to be added); expanded coverage of currently borderline RE classifications (Self-certified REs in particular may face heightened obligations as the framework matures); and harmonisation with other Indian sectoral cybersecurity frameworks (RBI's, IRDAI's, and the telecom-sector obligations) into a more integrated cross-sectoral view. Our engagements anticipate this trajectory rather than only complying with the current letter; clients building CSCRF programmes today should design for the framework as it is likely to look in 18 months, not only as it stands today.

The CSCRF audit market in India is small, the regulator-engagement is intensive, and the framework is dense; substantive practice in this space is built over years, not weeks, and concentration is high. Most major Indian capital-market participants have engaged us at some point across the last decade, and the institutional knowledge accumulated across those engagements directly informs every new client’s engagement.

To start a CSCRF engagement, the next step is a thirty-minute call with a partner who has done your specific entity classification before. Most engagements begin within ten business days of contract signing; for clients with imminent regulatory deadlines we can accelerate the kickoff to within five days.

Frequently asked questions

What is SEBI's CSCRF?

The Cybersecurity and Cyber Resilience Framework (CSCRF) is SEBI's comprehensive framework for cybersecurity in India's securities markets, notified on 20 August 2024. It harmonised and replaced earlier sectoral circulars covering stock exchanges, depositories, clearing corporations, and other regulated entities. The framework is mandatory for all SEBI-Regulated Entities (REs) at varying intensities depending on entity classification, and is in force.

How is CSCRF structured?

CSCRF is structured around the NIST CSF 2.0 functions (Identify, Protect, Detect, Respond, Recover, Govern) and adds CERT-In direction harmonisation. It introduces five entity classifications (Market Infrastructure Institutions, Qualified REs, Mid-size REs, Small-size REs, Self-certified REs) with proportionate obligations. The Market SOC (MSOC) requirement is formalised. Quarterly VAPT, half-yearly comprehensive audit, and annual cyber-resilience drill are codified. Reporting cadences and content are specified rather than left to interpretation.

What is a Market SOC (MSOC)?

A Market SOC (MSOC) is a 24×7 security operations capability that monitors cyber events and supports incident response. CSCRF requires MIIs and Qualified REs to operate or subscribe to an MSOC. SEBI has authorised certain entities to operate as Aggregator MSOCs serving multiple smaller REs; participation in an aggregated MSOC satisfies the requirement for entities below the MII / Qualified RE threshold. Our engagement assesses your obligation level and either prepares your own MSOC for compliance or onboards you to an authorised Aggregator.

What is a Qualified RE?

Qualified REs are SEBI-registered entities that meet specified thresholds on (a) registered investors, (b) trade volume, (c) AUM, or (d) other operational metrics defined in the framework. The classification is reviewed periodically. Examples include large stock brokers above specified investor counts, large AMCs, large RTAs, and certain alternative investment fund managers. We help you assess your classification.

What does the CSCRF audit calendar require?

Quarterly VAPT against external-facing systems and critical applications. Half-yearly comprehensive cybersecurity audit covering the framework controls. Annual cyber-resilience drill (red-team / scenario-based). Continuous MSOC operation. Plus event-driven reporting per CERT-In Direction 20(3)/2022 and SEBI's own incident-reporting cadence. The audit volume is significant, which is why most MIIs engage a single panel partner rather than fragmenting across multiple firms.

Can you file the audit report with the exchanges and depositories?

Yes. We have placed CSCRF audit reports, and before August 2024 reports under the precursor circulars, with NSE, BSE, MCX, and the depositories on behalf of 40+ market participants since 2018. The report follows SEBI's prescribed format, references the CSCRF control numbers, and is signed by a CERT-In empanelled lead auditor. Where additional sectoral certificates are required (e.g., specific MCX submissions), we extend the deliverable accordingly.

Do you also handle CERT-In incident reporting?

Yes, managed within the engagement. CERT-In Direction 20(3)/2022 reporting and SEBI incident-reporting requirements have overlapping but not identical scopes. Our incident-response runbook handles both submissions; you have one workflow rather than two parallel ones to maintain.

What does a CSCRF engagement cost?

A standard MII engagement starts at ₹6,50,000 for a half-yearly comprehensive audit. Quarterly VAPT cycles are scoped separately at ₹2,80,000–₹4,50,000 per cycle depending on perimeter. The annual cyber-resilience drill is ₹3,40,000–₹5,80,000 per drill. Most MIIs purchase an annual retainer covering all four cadences plus MSOC operation; pricing for that scope is typically ₹28–48 lakh / year.

Are you empanelled with the exchanges and depositories?

Yes. We are an empanelled cybersecurity auditor for several exchanges, depositories, and clearing corporations. Specific empanelment depends on each entity's panel construction and is updated periodically. We will share the current empanelment list during the scoping call.

How does CSCRF relate to ISO 27001 and SOC 2?

CSCRF is the lex specialis for SEBI-regulated entities; it overrides general-purpose frameworks where they conflict. The control set has substantial overlap with ISO 27001:2022 Annex A (roughly 70%) and SOC 2 Common Criteria (roughly 65%). For an MII or Qualified RE that also holds ISO / SOC 2 certifications, we operate the audits as a joint engagement; the evidence-collection cycle is unified and the cost saving is roughly 25%.
Ready to scope this engagement?

Book a thirty-minute scoping call.

Tell us your framework, your stack and the deadline. You leave the call with a written scope, a fixed price in INR, and a kick-off invite.