
SEBI CSCRF 2023 — Complete Compliance Guide

Everything regulated entities need to know about SEBI's Cyber Security and Cyber Resilience Framework. Controls, deadlines, entity categories, and how SpectraAI helps you get compliant.


What is SEBI CSCRF?

SEBI CSCRF (Cyber Security and Cyber Resilience Framework) is a comprehensive cybersecurity regulation issued by the Securities and Exchange Board of India through Circular SEBI/HO/ITD/ITD-SEC-1/P/CIR/2023/032. It mandates specific security controls for all SEBI-regulated entities — stock brokers, depository participants, mutual funds, portfolio managers, KRAs, and all market intermediaries. Non-compliance can result in trading terminal suspension and penalties up to ₹25 crore.

Who Must Comply?

Market Infrastructure Institutions: NSE, BSE, CDSL, NSDL — highest requirements
Qualified Stock Brokers: Top 50 by client base — SOC + cyber insurance mandatory
All Stock Brokers: Annual VAPT, IR plan, MFA, log retention
Depository Participants: Client data encryption, access controls
Mutual Funds / AMCs: NAV system security, investor data protection
SME Board Listed Entities: Basic cyber hygiene + annual VAPT

⚠ Key Deadline: 30 June 2026
All regulated entities must be fully compliant by this date. System audits will verify compliance. Non-compliant entities face trading terminal suspension and penalties.

Mandatory Controls Checklist

01. Annual VAPT
Vulnerability Assessment and Penetration Testing — comprehensive, covering all systems. Certificate filed with the stock exchange.

02. Continuous Monitoring / SOC
24/7 security monitoring capability. In-house or managed SOC. Real-time threat detection and response.

03. Incident Response Plan
Documented, tested annually. CERT-In 6-hour notification process included. Contact tree and escalation matrix.

04. Cyber Insurance
Mandatory for QSBs and MIIs. Coverage adequate for AUM and client base.

05. Board Cyber Risk Reporting
Quarterly presentation to the board on cyber risk posture, incidents, and compliance status.

06. Data Localisation
All trading and customer data stored within India. No overseas processing or storage.

07. Network Segmentation
Trading network isolated from corporate network. DMZ for internet-facing services.

08. Multi-Factor Authentication
MFA on all admin access, trading terminals, VPN, and remote access.

09. Log Retention (2 Years)
All system access logs retained for minimum 2 years. Centrally stored, tamper-protected.

10. CISO / Security Officer
Designated person responsible for cybersecurity. QSBs require a dedicated CISO.

How SpectraAI Helps

SpectraAI maps every SEBI CSCRF control to your specific entity category, runs the assessment, identifies gaps, and provides the remediation roadmap. Our SpectraAgent provides the continuous monitoring that satisfies the SOC requirement. Our evidence vault stores every audit artefact for when the system auditor asks.

We've built SpectraAI specifically for the Indian market — we understand SEBI circulars, NSE/BSE requirements, and how system audits actually work. No foreign tools adapted for India. India-first.

FAQ

What happens if I miss the 30 June 2026 deadline?
SEBI can suspend your trading terminal, impose monetary penalties up to ₹25 crore, and the system auditor will file an adverse report. The exchanges (NSE/BSE) may also take independent action.

Do I need a CERT-In empanelled auditor for VAPT?
Yes — SEBI requires the VAPT to be conducted by a qualified auditor. The VAPT certificate must be filed with your stock exchange along with your system audit report.

I'm a small broker with 5 terminals. Does CSCRF apply to me?
Yes. CSCRF applies to ALL SEBI-regulated entities regardless of size. The depth of controls varies by entity category, but no one is exempt. Even if you're a non-QSB broker, you need annual VAPT, IR plan, MFA, and log retention.

How long does compliance take?
With SpectraAI, a typical broker can complete the assessment in 1 day, get the gap report in 24 hours, and achieve basic compliance readiness within 2-4 weeks depending on the number of gaps found.
