SEBI CSCRF Compliance Checklist for Stockbrokers & DPs [2025]

SEBI's Cybersecurity & Cyber Resilience Framework (CSCRF) sets out mandatory controls, policies, and audit requirements for all market intermediaries. If you are a stockbroker or depository participant (DP), this checklist tells you exactly what you need — and when.

Infosek Team

15 May, 2025

What Is SEBI CSCRF?

The Cybersecurity & Cyber Resilience Framework (CSCRF) is SEBI's comprehensive directive that consolidates and strengthens cybersecurity requirements for all Regulated Entities (REs). Issued in August 2024 as a master framework, CSCRF replaces and supersedes prior SEBI circulars on cybersecurity and integrates international standards like NIST CSF, ISO 27001, and CERT-In guidelines into a single coherent structure. Every stockbroker, depository participant, investment adviser, and other market intermediary registered with SEBI must comply.

Who Must Comply: The Three RE Categories

SEBI CSCRF classifies all Regulated Entities into three tiers based on their systemic importance and transaction volumes. Understanding which category your firm falls into determines the depth of compliance required. For a detailed breakdown of each category's obligations, see our guide on SEBI CSCRF Requirements by RE Category: MII, QRE and SRE Explained.

  • Market Infrastructure Institutions (MII): Stock exchanges, depositories, and clearing corporations. Highest compliance burden, including real-time SOC monitoring and independent board-level oversight.
  • Qualified Regulated Entities (QRE): Stockbrokers and DPs above specified transaction thresholds. Require a formal CISO, dedicated IS policy framework, and annual CERT-In empanelled audits.
  • Standard Regulated Entities (SRE): Smaller intermediaries with lower transaction volumes. Must implement core controls but with proportionally lighter governance requirements.

The SEBI CSCRF Compliance Checklist

The following controls are mandatory across all RE categories (with enhanced requirements for QREs and MIIs). Use this as your working checklist before your next SEBI cyber audit.

1. Governance & Policy

  • Board-approved Information Security (IS) Policy
  • Cyber Crisis Management Plan (CCMP) — documented and tested
  • Designated CISO or senior IS ownership (mandatory for QRE and MII)
  • IS policy reviewed at least annually or after significant incidents
  • Vendor and third-party risk management policy

2. Access Control

  • Role-based access control (RBAC) implemented for all systems
  • Privileged Access Management (PAM) for admin and superuser accounts
  • Multi-factor authentication (MFA) for remote access and critical systems
  • Quarterly user access reviews with documented evidence
  • Immediate revocation process for departing employees (with audit trail)

3. Vulnerability Assessment & Penetration Testing (VAPT)

  • Half-yearly VAPT by a CERT-In empanelled auditor
  • All critical findings remediated before the next audit cycle
  • Web application penetration testing covering trading platforms and portals
  • VAPT reports retained and available for regulatory inspection

4. Patch Management

  • Documented patch management policy with defined SLAs (critical: 30 days, high: 60 days)
  • Asset inventory covering all servers, endpoints, and network devices
  • Evidence of monthly patch cycles — approved change records
  • Exceptions documented with compensating controls and approvals
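One way to turn the patch SLAs and the exception rule above into audit evidence, as an added Python example that is not from this page or from Infosek: the 30-day/60-day windows follow the checklist, the finding and exception records are constructed sample data, and treating medium/low findings as having no SLA is an assumption.

```python
from datetime import date

# SLA windows from the checklist: critical 30 days, high 60 days.
# Severities not listed here are tracked but carry no SLA (assumption).
SLA_DAYS = {"critical": 30, "high": 60}

def evaluate_finding(finding, exceptions, today):
    """Return (status, days_open) for one open vulnerability finding.

    status is 'within_sla', 'breached', 'exception' or 'no_sla'.
    A documented exception only counts if it is approved, names a
    compensating control and has not expired; otherwise the SLA applies."""
    sla = SLA_DAYS.get(finding["severity"])
    if sla is None:
        return "no_sla", 0
    days_open = (today - finding["detected"]).days
    exc = exceptions.get((finding["asset"], finding["id"]))
    if exc and exc["approved"] and exc["compensating_control"] and exc["expires"] >= today:
        return "exception", days_open
    if days_open > sla:
        return "breached", days_open
    return "within_sla", days_open

def sla_report(findings, exceptions, today):
    """Group open findings by status: the evidence table an auditor asks for."""
    report = {"within_sla": [], "breached": [], "exception": [], "no_sla": []}
    for f in findings:
        status, days_open = evaluate_finding(f, exceptions, today)
        report[status].append((f["asset"], f["id"], f["severity"], days_open))
    return report

# Constructed sample data; asset names and finding ids are placeholders.
FINDINGS = [
    {"asset": "trade-gw-01", "id": "FINDING-001", "severity": "critical", "detected": date(2025, 3, 1)},
    {"asset": "web-portal", "id": "FINDING-002", "severity": "high", "detected": date(2025, 4, 10)},
    {"asset": "legacy-db", "id": "FINDING-003", "severity": "critical", "detected": date(2025, 2, 1)},
    {"asset": "hr-laptop-7", "id": "FINDING-004", "severity": "medium", "detected": date(2025, 1, 15)},
]
EXCEPTIONS = {
    ("legacy-db", "FINDING-003"): {"approved": True, "compensating_control": "network isolation",
                                   "expires": date(2025, 9, 30)},
}
TODAY = date(2025, 5, 15)

if __name__ == "__main__":
    for status, rows in sla_report(FINDINGS, EXCEPTIONS, TODAY).items():
        print(status, rows)
```

Run it monthly alongside the patch cycle and keep the output with the approved change records; breached rows without a valid exception are exactly what an auditor will flag.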

5. Incident Response

  • Incident Response Plan (IRP) documented and board-approved
  • Incident response tested at least annually (tabletop or simulation)
  • Escalation matrix defined including CISO, management, and SEBI/CERT-In
  • CERT-In incident reporting within 6 hours (per CERT-In 2022 direction)
  • SEBI incident reporting as per CSCRF reporting timelines
  • Post-incident review process with documented lessons learned

6. Log Management & Monitoring

  • Centralized log management system (SIEM or equivalent)
  • Logs retained for minimum 5 years per SEBI requirements
  • Critical alerts reviewed daily; anomaly detection configured
  • Network traffic monitoring including for trading systems

7. Business Continuity & Disaster Recovery

  • BCP and DR plan documented and board-approved
  • RTO and RPO defined for all critical systems
  • DR drill conducted and documented at least annually
  • Alternate site or cloud-based failover tested and verified

The CSCRF is not a one-time checklist exercise. SEBI auditors are increasingly looking for evidence of an ongoing programme — not a document binder assembled two weeks before the audit.

Infosek Team

The Annual Audit Timeline

SEBI requires annual IS audits for QREs and MIIs by a CERT-In empanelled auditor. The audit report must be submitted to SEBI within 30 days of completion. Most firms find that meaningful preparation needs to start at least 4–6 months before the audit date to address gaps identified in VAPT, policy reviews, and access control exercises. For common reasons firms fail at this stage, read our article on 5 Reasons Stockbrokers Fail Their SEBI Cyber Audit.

Key Takeaway

CSCRF compliance is not simply about having the right documents — auditors verify evidence of implementation and ongoing operation. Access control reviews need records. Patch management needs approved change logs. Incident response needs test reports. Start building your evidence trail well in advance of your audit date.

Not sure where your gaps are?

Our team can complete a 48-hour gap analysis against SEBI CSCRF and hand you a prioritised remediation roadmap. No surprises at audit time.
