  • What is SEBI CSCRF compliance? Understanding India's cybersecurity framework
  • Who needs to comply with SEBI’s CSCRF guidelines?
  • Key SEBI CSCRF compliance requirements explained
  • What causes SEBI CSCRF non-compliance? Common challenges and penalties
  • How AD360 simplifies SEBI CSCRF compliance
  • What's next for SEBI CSCRF compliance?
  • FAQs

What would happen if your next access violation triggered a SEBI audit?

That’s the critical risk every SEBI-regulated entity now faces.

India's financial markets are under increasing scrutiny, and the Securities and Exchange Board of India (SEBI) has made its Cybersecurity and Cyber Resilience Framework (CSCRF) mandatory. This framework dictates precisely how brokers and other market participants must manage cybersecurity risks.

Whether you're a stock broker, listed company, or depository participant, SEBI expects you to prove that your systems control access, track user activity, detect threats in real time, and respond without delay.

On this page, we’ll break down what SEBI CSCRF compliance really means, highlight common mistakes that lead to non-compliance, and demonstrate how ManageEngine AD360 will help you meet the requirements without slowing down your operations, ensuring a strong cyber resilience framework for your organization.

What is SEBI CSCRF compliance? Understanding India's cybersecurity framework

SEBI CSCRF compliance refers to the mandatory cybersecurity and cyber resilience framework issued by SEBI. These regulations apply to all regulated entities that support India’s financial markets, ensuring they secure their IT systems, control user access, detect threats early, and respond to incidents effectively.

The core goal? Prevent cyberattacks, respond fast, and protect investor data.

CSCRF isn’t about who you are—it’s about what your systems do. If they’re part of the market pipeline, you’re accountable.

Who needs to comply with SEBI’s CSCRF guidelines?

The CSCRF applies to a broad range of entities in India’s securities market—not just brokers or exchanges.

SEBI has classified registered entities (REs) into five groups based on factors like trading volume, client size, operational complexity, and assets under management (AUM):

  • Market infrastructure institutions (MIIs)
  • Qualified REs
  • Mid-size REs
  • Small-size REs
  • Self-certification REs

If your organization handles investor data, provides access to securities platforms, or is part of trade execution or clearing, you fall under the SEBI cybersecurity framework mandate.

Entities covered under SEBI CSCRF compliance

  • Stock brokers
  • Stock exchanges and clearing corporations
  • Depositories
  • Mutual funds and asset management companies (AMCs)
  • Alternative investment funds (AIFs)
  • Credit rating agencies (CRAs)
  • Portfolio managers
  • Investment advisers and analysts

Key SEBI CSCRF compliance requirements explained

SEBI’s CSCRF spells out what every regulated entity must do to stay compliant. This isn’t about installing firewalls and calling it a day. SEBI expects a complete cybersecurity posture—one that anticipates risks, protects critical systems, and recovers quickly from disruptions.

At its core, the CSCRF is built around six functional areas: Governance, Identify, Protect, Detect, Respond, and Recover. These domains reflect how cybersecurity should be embedded into day-to-day operations, from board-level decisions to how systems are monitored on the ground.

1. Governance: Establishing cybersecurity oversight for SEBI compliance

Organizations must establish formal cybersecurity oversight with active board involvement, a dedicated cyber committee, and a qualified Chief Information Security Officer (CISO). This leadership structure is responsible for aligning cybersecurity practices with business risk, reviewing policies, and overseeing incident trends.

2. Access control and least-privilege: Securing user access for CSCRF

Under the Identify and Protect domains, SEBI expects entities to enforce strict access policies. Only authorized users should access sensitive systems, and even then, only with the minimal permissions required. Multi-factor authentication (MFA) is mandatory for critical systems, and user actions must be logged for full traceability. This is foundational to identity and access management (IAM) for SEBI compliance.

3. 24/7 threat monitoring and detection: Meeting SEBI SOC requirements

SEBI requires most regulated entities to operate a round-the-clock security operations centre (SOC). The goal is to use anomaly detection and threat intelligence feeds to monitor systems in real time, allowing threats to be detected before they cause harm.

4. Continuous risk assessments and vulnerability management: Proactive CSCRF security

Staying secure means staying proactive. SEBI mandates regular risk assessments, vulnerability scans, and penetration testing. Organizations must document known risks—including those from third-party vendors—and act on them without delay. A live risk register is essential for CSCRF security.

5. Data encryption and localization: SEBI data protection standards

Sensitive data must be encrypted both at rest and in transit. SEBI also requires regulated data to be stored within India, ensuring local control and compliance with data localization laws. Automated controls should prevent unauthorized data access or movement, strengthening data protection under SEBI CSCRF.

6. Incident response and reporting: Preparing for cyber incidents under SEBI CSCRF

Every organization must have a tested incident response plan and a trained response team in place. Incidents must be reported via the SEBI portal promptly. This ensures timely containment, reduces business impact, and improves trust among stakeholders.

7. Proving compliance: SEBI audit and certification requirements

Finally, compliance is not a one-time task. SEBI requires regular cybersecurity audits conducted by CERT-In empanelled auditors. For higher-risk entities such as MIIs and qualified REs, ISO 27001 certification is mandatory. They must also report their Cyber Capability Index (CCI) to prove continuous maturity.

What causes SEBI CSCRF non-compliance? Common challenges and penalties

Even with clear rules in place, many SEBI-regulated entities still fall short. Here’s why.

1. Inadequate investment in cybersecurity resources

Building a resilient cybersecurity program takes time, money, and the right tools. Many smaller firms don’t have the budget or resources to meet all of SEBI’s expectations—especially when it comes to setting up SOCs, buying monitoring tools, or hiring qualified security staff.

2. Cybersecurity skill gaps and staff shortages

There’s a shortage of cybersecurity professionals in the market. Many organizations struggle to hire or train people who understand both security and regulatory requirements. Without the right team, even basic tasks—like risk assessments or incident response drills—can fall behind.

3. Poor management of third-party vendor risks

SEBI makes it clear: third-party vendors are part of your security perimeter. But many firms still manage vendor risks manually, or not at all. Without a system to assess, track, and control vendor security, you’re leaving gaps that attackers can exploit.

4. Ineffective or missing SOCs

The framework requires 24/7 threat monitoring through a SOC. But some firms either haven’t set one up or don’t have the staff to run it properly. Without real-time monitoring, threats go undetected—and reporting gets delayed.

5. Reactive vs. proactive cybersecurity approaches

SEBI wants entities to anticipate and respond to threats before they happen. But many firms take a reactive approach—patching systems after an incident or waiting until audits to take action. That delay puts compliance and investor data at risk.

6. Lack of strong board-level governance

Without strong board oversight and a dedicated cybersecurity committee, many programs lack direction. SEBI expects cybersecurity to be a board-level priority, not just an IT issue. Weak governance means slower decision-making and missed risks.

7. Incomplete risk assessments and register maintenance

SEBI mandates regular assessments of critical assets, threats, and supply chain risks. But if you’re not tracking these risks or maintaining a live risk register, you’ll struggle to prove compliance—and you may miss major threats altogether.

8. Weak data protection and access controls

Sensitive data must be encrypted, stored in India, and protected by strict access rules. Yet many entities still rely on basic passwords, skip MFA, or fail to block unauthorized access. These gaps increase both security and compliance risks.

9. Untested incident response

SEBI wants to see a tested plan, not just a PDF. If your team hasn’t run an incident response drill, assigned roles, or set up the right reporting process, you’ll be unprepared during a real attack—and may miss SEBI’s reporting deadlines.

10. Confusion from overlapping regulatory requirements

Some organizations feel stuck. They’re already trying to meet RBI, IRDAI, or DPDP requirements, and now CSCRF adds more layers. Without a clear roadmap or the right tools, many firms delay implementation or overlook critical controls.

How AD360 simplifies SEBI CSCRF compliance

ManageEngine AD360 is an integrated identity governance and administration (IGA) platform designed to help organizations secure, monitor, and govern user access across Active Directory (AD), Entra ID (formerly Azure AD), Office 365, and other IT systems. For entities governed by SEBI’s CSCRF, AD360 offers a centralized approach to enforce security controls, automate access governance, and maintain audit-readiness—without disrupting day-to-day operations.

AD360's support across CSCRF functional domains

Governance
SEBI compliance expectation: Establish a robust cybersecurity governance framework with board oversight, clearly defined roles, a CISO, and a board-approved cybersecurity policy.

Identify
SEBI compliance expectation: Maintain an accurate inventory of assets, identify critical systems and data, and perform regular risk assessments. Third-party risks must be evaluated pre-procurement.
How AD360 helps:
  • Automated discovery of users, groups, OUs, and privileged accounts in AD.
  • Periodic access certification campaigns and privilege reviews identify excessive access rights.
  • Account expiration tracking and redundant object cleanup workflows reduce stale access.
  • Integration with identity governance workflows supports third-party identity onboarding and review.

Protect
SEBI compliance expectation: Enforce least-privilege access, enable MFA for critical systems, secure data at rest and in transit, and store regulated data within India. Ensure secure third-party access.
How AD360 helps:
  • Enforces MFA for sensitive logins, including VPN and cloud resources.
  • RBAC and role-specific access templates enforce least privilege.
  • Built-in support for strong password policies and complexity enforcement.
  • Auto-removal of stale or unused accounts supports minimal exposure.
  • Localized AD backup storage supports data residency requirements.

Detect
SEBI compliance expectation: Set up real-time monitoring of privileged access and user activity through an SOC, supported by automated anomaly detection.
How AD360 helps:
  • Detects unusual account activity such as logon failures, lockouts, and privilege escalations.
  • Real-time alerting and log exports that are compatible with SIEM systems.
  • Audit-ready event reports help support proactive threat hunting.

Respond
SEBI compliance expectation: Develop incident response plans, form dedicated response teams, promptly report incidents via SEBI’s portal, and ensure evidence preservation.
How AD360 helps:
  • Exportable incident and audit reports for SEBI submission.
  • Logs support root cause analysis and attack chain reconstruction.
  • Quickly disable compromised accounts, revoke access, and restore policy baselines.

Recover
SEBI compliance expectation: Ensure recovery plans, restore operations in line with RTO/RPO targets, conduct drills, and coordinate response across stakeholders.
How AD360 helps:
  • Granular AD backup and restore ensures fast recovery of users, OUs, groups, and GPOs.
  • Point-in-time snapshots allow rollback in case of ransomware or insider threats.
  • Drill-ready recovery workflows help validate business continuity planning.

What's next for SEBI CSCRF compliance?

August 31, 2025 is the new deadline most SEBI REs must meet for SEBI CSCRF compliance. This gives organizations more time to align with the CSCRF requirements. It’s your last window to prove your cybersecurity posture is audit-ready and aligned with SEBI’s expectations. However, not all entities get this flexibility.

Who must comply—and when?

  • New deadline: August 31, 2025 (applies to most REs)
  • Original deadlines:
    • January 1, 2025 (for previously regulated entities)
    • April 1, 2025 (for newly added entities)
  • No extension: MIIs, KRAs, and QRTAs must still meet original deadlines

Compliance isn’t the finish line—it’s the baseline. SEBI has made it clear: either adapt your cybersecurity operations or be prepared to answer for the gaps.

FAQ

The SEBI CSCRF is a mandatory guideline that outlines how SEBI-regulated entities must manage cybersecurity risks. It includes access controls, threat detection, data protection, incident response, and audit reporting to protect the securities market infrastructure.

As per SEBI’s latest circular, the revised deadline for most REs is August 31, 2025. MIIs, KRAs, and QRTAs must adhere to the original deadlines: January 1, 2025 or April 1, 2025 depending on their classification.

Stock brokers must implement identity access controls, continuous threat monitoring, and secure backup systems, as well as ensure timely incident reporting via SEBI’s portal. Using AD360, you can automate these requirements, facilitating SEBI compliance automation.

Cyber audits are mandatory annually for all regulated entities, with higher-tier firms possibly facing more frequent or event-driven audits. AD360 supports audit readiness with automated reporting and continuous monitoring.

AD360 centralizes identity and access management, automates privileged access reviews, and provides audit-ready reports, real-time alerts, and behavioral analytics—helping organizations streamline CSCRF compliance and quickly address security risks.

The Cyber Capability Index (CCI) is a metric that higher-tier entities (like MIIs and Qualified REs) are required to report to SEBI. It serves as a continuous measure of their cybersecurity maturity and posture, demonstrating ongoing adherence to the framework's requirements.