The Securities and Exchange Board of India (SEBI) introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) in March 2024, marking a significant shift in how cybersecurity is regulated across India’s financial markets. This new framework consolidates various existing SEBI circulars, creating a standardized compliance structure that applies to a wide range of regulated entities (REs).
Under this framework, SEBI has established January 1, 2025, as the compliance deadline for entities already covered under previous cybersecurity guidelines. Those newly brought under regulatory oversight must comply by April 1, 2025. This structured approach reflects SEBI’s intention to strengthen cyber resilience, incident response preparedness, and data protection measures across India’s financial ecosystem.
Expanding the Scope of Cybersecurity Compliance
Unlike previous sector-specific guidelines, the CSCRF applies to a broader set of entities, including stock exchanges, mutual funds, asset management companies (AMCs), credit rating agencies, portfolio managers, alternative investment funds (AIFs), depositories, clearing corporations, and more. This expansion means that organizations that previously had limited or no regulatory cybersecurity obligations must now build compliance structures aligned with SEBI’s stringent expectations.
One of the key aspects of this framework is its emphasis on risk-based cybersecurity governance. Entities classified as Market Infrastructure Institutions (MIIs) and large regulated entities will be required to conduct a Cyber Capability Index (CCI) assessment to determine their level of cybersecurity maturity. Additionally, third-party vendor risk management is now a mandatory requirement, including concentration risk evaluation, which ensures that businesses do not over-rely on a single service provider for critical cybersecurity functions.
Data Protection and Localization as a Regulatory Priority
The new framework introduces strict guidelines around data classification and storage. SEBI now mandates that all Regulatory Data must be stored within India, ensuring data sovereignty for financial institutions. Furthermore, organizations will be required to enforce encryption protocols, secure data transmission, and Data Loss Prevention (DLP) measures to safeguard sensitive information.
A major shift in policy also includes the adoption of a Software Bill of Materials (SBOM), a practice that enhances supply chain security by ensuring transparency around third-party software components used within an organization’s digital infrastructure. By implementing SBOMs, companies can proactively identify vulnerabilities in their IT environments and mitigate the risks associated with unverified external software dependencies.
Strengthening Identity and Access Controls
SEBI’s cybersecurity framework also reinforces the Zero Trust Model, requiring organizations to implement Multi-Factor Authentication (MFA) for all privileged access and external-facing systems. The framework includes additional requirements for API security, emphasizing rate limiting and strong authentication mechanisms to prevent unauthorized access.
By enforcing stricter access control measures, SEBI aims to curb unauthorized internal or external access to sensitive financial data. Compliance teams must ensure that their identity and access management policies align with these new security mandates to prevent unauthorized system intrusions and data leaks.
Security Monitoring, Incident Response, and Compliance Audits
One of the most critical elements of the CSCRF is the requirement for organizations to establish or participate in Security Operations Centers (SOCs) for continuous threat monitoring. Large regulated entities are expected to set up their own dedicated in-house SOCs, while mid-sized and smaller entities must integrate with the Market SOC established by NSE and BSE.
In addition to real-time monitoring, organizations must conduct regular vulnerability assessment and penetration testing (VAPT), ensuring that any security gaps are proactively identified and mitigated. These tests must be conducted at least once a year for general entities and twice a year for larger firms. Any cybersecurity incident must be reported to SEBI and CERT-In within the prescribed timeframes, ensuring that financial institutions maintain transparency and accountability in their cybersecurity practices.
To ensure compliance, SEBI has also mandated periodic third-party security audits by CERT-In empanelled Information Security auditors. Organizations must standardize their cybersecurity reporting formats and prepare for regulatory inspections, ensuring that their security controls meet SEBI’s prescribed benchmarks.
Preparing for the Compliance Deadline
Ensuring alignment with the CSCRF requires a structured approach. Organizations should begin by conducting a gap analysis, identifying areas where their current cybersecurity practices do not meet SEBI’s updated guidelines.
Strengthening data governance, implementing robust access controls, establishing security monitoring protocols, and preparing for cybersecurity audits should be immediate priorities. With the compliance deadlines approaching in early 2025, financial entities must act now to integrate these changes into their cybersecurity frameworks.
By enforcing a risk-based, standardized cybersecurity model, SEBI is setting the stage for a more secure, resilient, and transparent financial ecosystem. Organizations that proactively align with this new framework will not only ensure compliance but also enhance their overall cybersecurity posture in an era of increasing digital threats.