SEBI CSCRF: the compliance guide for regulated entities
SEBI's Cybersecurity and Cyber Resilience Framework consolidates years of circulars into one graded standard. Here is what it means for your firm.
SEBI introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) to bring its regulated entities under a single, consistent cyber standard, replacing a patchwork of earlier circulars. It applies across market participants and is graded by the size and nature of the entity.
CSCRF is notable for framing security as resilience: not just preventing incidents, but anticipating, withstanding, containing, recovering from, and learning from them. This guide explains what that means in practice.
- CSCRF consolidates SEBI's prior cyber circulars into one graded framework.
- It applies across regulated entities, from stockbrokers and AMCs to depositories and KRAs.
- Requirements are graded by entity size and are built around five cyber-resilience goals.
- SOC coverage, VAPT, cyber audit, and incident reporting are core obligations.
Who it applies to
CSCRF covers SEBI Regulated Entities (REs), a broad set that includes stockbrokers and depository participants, asset management companies and mutual funds, KYC registration agencies, clearing corporations, depositories, and other intermediaries. Obligations are graded, so smaller REs face a proportionate subset while larger ones face the full standard.
The five resilience goals
CSCRF organises requirements around cyber-resilience outcomes rather than a flat control checklist:
- Anticipate: understand your risks, assets, and exposure before incidents occur.
- Withstand: put controls in place to resist attacks.
- Contain: limit the blast radius when something gets through.
- Recover: restore operations quickly and predictably.
- Evolve: learn from incidents and continuously improve.
Core obligations and how to meet them
In practice CSCRF expects Security Operations Centre coverage (in-house, a market SOC, or a managed SOC), regular VAPT, periodic cyber audit, governance and reporting structures, and time-bound incident reporting to SEBI and CERT-In.
The efficient path is to unify these: continuous monitoring and detection support the resilience goals, automated evidence supports the audit, and a single risk view keeps governance honest. That avoids running each requirement as a separate, manual project.
Frequently asked questions
Meet CSCRF without the scramble
Unify monitoring, VAPT, and audit evidence in one platform. See your exposure first with a free check.
Run a free check