Understanding SEBI’s Cybersecurity & Cyber Resilience Framework (CSCRF): A Complete Guide for Compliance


The financial sector is facing rising cyber threats that can impact operations and data security. To address these risks, the Securities and Exchange Board of India (SEBI) has introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) to improve cybersecurity for SEBI-regulated entities.

In this blog, we’ll explain what the CSCRF is, who needs to follow it, the key requirements, and how Ampcus Cyber can assist in strengthening your security.

What Is CSCRF and Why Does It Matter?

The Cybersecurity & Cyber Resilience Framework (CSCRF) is designed to strengthen the cybersecurity posture of SEBI-regulated entities, ensuring they can anticipate, withstand, contain, and recover from cyber incidents. The framework establishes standards, guidelines, and mandatory requirements for real-time security monitoring, risk management, and incident response.

By implementing CSCRF, organizations can better protect sensitive data, maintain investor confidence, and ensure operational resilience in the face of rising cyber threats.

The Four Parts of the CSCRF Document

The CSCRF document is divided into four main parts:

  1. Objectives and Standards
    Outlines goals and security standards for identifying risks, preventing attacks, and ensuring continuity during a cyberattack.
  2. Guidelines
    Provides recommendations for implementing the standards, including data encryption, MFA, incident reporting, and vulnerability testing.
  3. Compliance Formats
    Offers standardized formats for audits, incident reports, and vulnerability assessments to simplify compliance reporting.
  4. Annexures and References
    Includes additional resources like disaster recovery templates, audit checklists, and case studies to support guideline implementation.

Mandatory and Recommended Services Under CSCRF

Below is a list of mandatory services, followed by additional recommended services based on Part II of the CSCRF guidelines. These services are essential for organizations to comply with SEBI’s regulations.

| Service | Description | Applicability |
| --- | --- | --- |
| Security Operations Center (SOC) | Continuous monitoring and management of security events and incidents to detect and respond to threats in real time. | All REs (Mandatory) |
| Vulnerability Assessment & Penetration Testing (VAPT) | Regular testing of systems, networks, and applications to identify and address vulnerabilities before they can be exploited. | All REs (Mandatory) |
| Cybersecurity Audits | Periodic audits to assess compliance with SEBI's cybersecurity guidelines and industry standards. | All REs (Mandatory) |
| Incident Response Plan (IRP) | A documented process for identifying, responding to, and managing cybersecurity incidents effectively. | All REs (Mandatory) |
| Cyber Crisis Management Plan (CCMP) | A plan for managing crises related to cybersecurity, including internal and external communication strategies. | All REs (Mandatory) |
| Root Cause Analysis & Forensic Investigation | Investigating the cause and impact of cybersecurity incidents to improve future defenses. | All REs (Mandatory) |
| Red Teaming (Simulated Cyberattacks) | Simulated cyberattacks to assess the effectiveness of an organization's defenses against advanced threats. | MIIs and Qualified REs (Mandatory) |
| ISO 27001 Certification | Certification to demonstrate adherence to international information security management standards. | MIIs and Qualified REs (Mandatory) |
| Data Loss Prevention (DLP) | Measures to prevent unauthorized access, transfer, or copying of sensitive data. | All REs except small-size, self-certification REs (Mandatory) |
| Digital Risk Protection Services | Dark web monitoring (for brand intelligence, customer protection, etc.) and takedown services as a cyber-defence strategy. | MIIs and Qualified REs (Mandatory) |
| Data Encryption & Protection | Encrypting data at rest, in transit, and in use to protect sensitive information from unauthorized access. | All REs except small-size, self-certification REs (Mandatory) |
| Backup & Disaster Recovery | Procedures for recovering critical systems and data after an incident. | All REs (Mandatory) |
| Cyber Awareness Training | Regular training for employees to recognize and respond to cybersecurity threats like phishing, ensuring best practices in data handling. | All REs except small-size, self-certification REs (Mandatory) |
| Identity & Access Management (IAM) | Managing user identities, authentication, and access control across the organization to secure systems. | MIIs, Qualified REs, Mid-Size REs, and Stockbrokers (Mandatory) |
| Endpoint Detection & Response (EDR) | Continuous monitoring of endpoint devices to detect and respond to suspicious activity. | All REs except small-size, self-certification REs (Mandatory) |
| Endpoint Protection Platform (EPP) | Securing endpoint devices against malware, unauthorized access, and data leaks. | All REs except small-size, self-certification REs (Mandatory) |
| Application & Endpoint Security | Securing software applications and endpoint devices (e.g., computers, mobile phones) from cybersecurity threats. | All REs except small-size, self-certification REs (Mandatory) |
| Third-Party Risk Management | Ensuring third-party service providers meet cybersecurity standards and do not pose risks to the organization. | MIIs, Qualified REs, and Mid-Size REs (Mandatory) |
| Cyber Threat Intelligence (CTI) | Receiving and implementing cybersecurity threat intelligence from reliable sources to mitigate risks. | MIIs, Qualified REs, and Mid-Size REs (Mandatory) |
| Software Bill of Materials (SBOM) | Maintaining a detailed list of all open-source and third-party components used in software to track vulnerabilities. | All REs (Mandatory), with specific requirements for MIIs regarding new software procurement |
| Cloud Services & Data Localization | Ensuring cloud services comply with data protection and localization requirements, particularly for sensitive data. | All REs except small-size, self-certification REs (Mandatory) |
| Mobile Application Security | Implementing security measures to ensure mobile applications are protected from threats. | All REs except small-size, self-certification REs (Mandatory) |
| API Security | Ensuring proper authentication and authorization of APIs, and implementing security protocols to prevent attacks. | All REs except small-size, self-certification REs (Mandatory) |
| Cyber Crisis Communication | Managing internal and external communication during a cyber crisis to ensure transparency and coordination. | MIIs, Qualified REs, and Mid-Size REs (Mandatory) |
| Continuous Automated Red Teaming (CART) | Automating red team exercises to continuously test an organization's defenses. | MIIs and Qualified REs (Mandatory) |

CSCRF Compliance, Audit Report Submission, and Timelines

SEBI has set clear deadlines for compliance with CSCRF:

  • January 1, 2025: For entities already covered by previous cybersecurity guidelines.
  • April 1, 2025: For entities that will be adopting the CSCRF for the first time.

After these dates, all regulated entities are required to submit their cyber audit reports in the structured formats specified in the CSCRF. Non-compliance may lead to penalties or other regulatory actions.

Structured Formats for CSCRF Compliance

To streamline the compliance process, the CSCRF document includes standardized formats for reporting and audits. These formats ensure uniformity in how cybersecurity compliance is tracked and reported across entities:

  • VAPT Reports: A template for reporting the findings of vulnerability assessments and penetration testing.
  • Cyber Audit Reports: A structured format for documenting the findings of cybersecurity audits, ensuring that entities adhere to SEBI’s guidelines.
  • Incident Reports: A format for detailing cybersecurity incidents, including root cause analysis and recovery actions taken.

The Path Forward in Enhancing Cybersecurity with Ampcus Cyber

To stay ahead of evolving cyber threats, SEBI-regulated entities must take proactive steps toward implementing the CSCRF framework. By adopting its guidelines, organizations can ensure data protection, operational continuity, and swift recovery from cyber incidents.

Ampcus Cyber empowers your organization with complete CSCRF compliance support, offering cybersecurity audits, VAPT, and incident response planning. We help reinforce your cybersecurity defenses, ensure regulatory compliance, and protect your business from emerging threats.
