SEBI's Cyber Security and Cyber Resilience Framework (CSCRF), issued through Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2023/131, establishes a comprehensive, risk-based cyber security framework for all SEBI-regulated entities (REs) — stock exchanges, depositories, clearing corporations, stock brokers, depository participants, mutual fund AMCs, KYC Registration Agencies, Registrar and Transfer Agents, investment advisers, and research analysts. The framework classifies REs into three categories (Qualified REs, Mid-size REs, and Small REs), with progressively stringent requirements based on size, trading volumes, and systemic importance.
The SEBI CSCRF introduces several significant new mandates: a Security Operations Centre (SOC) for Qualified and Mid-size REs, a mandatory annual cyber audit by a CERT-In empanelled auditor, mandatory cyber incident reporting within 6 hours, a Board-approved Cyber Security Policy, and the requirement to maintain a Cyber Capability Index (CCI) score above minimum thresholds. The framework references NIST CSF, ISO 27001, and CERT-In directions as the baseline control standards.