On August 20, 2024, the Securities and Exchange Board of India (SEBI) introduced the Cybersecurity and Cyber Resilience Framework (CSCRF).
The framework is a comprehensive set of guidelines to enhance cybersecurity for Market Infrastructure Institutions (MIIs) and Regulated Entities (REs), including Portfolio Managers (PMS), stock brokers, mutual funds, and others.
The framework adopts a graded approach, classifying REs into categories—Qualified, Mid-size, Small-size, and Self-Certification—based on thresholds like client numbers, trade volume, or Assets Under Management (AUM).
Following feedback from REs, SEBI issued clarifications on April 30, 2025, revising categorization thresholds.
One of the major modifications was exempting standalone Investment Advisers (IAs) from CSCRF compliance unless registered in other capacities, similar to Research Analysts (RAs).
Portfolio Managers with an AUM less than ₹3,000 crore are classified as Self-Certification REs, while those with AUM above ₹3,000 crore fall under Mid-size REs.
If an IA or RA is also registered as a Portfolio Manager, they must comply with CSCRF requirements applicable to the PMS category.
Below are the detailed compliance requirements for PMS entities classified as Self-Certification REs.
Key Compliance Requirements for Self-Certification REs (PMS)
#1 – Market Security Operations Center (M-SOC)
CSCRF mandates that REs establish appropriate security monitoring mechanisms through a Market Security Operations Centre (M-SOC). M-SOC services are offered by NSE and BSE to enhance monitoring capabilities.
For Self-Certification REs with fewer than 100 clients, maintaining an M-SOC is not mandatory. However, it is suggested to adopt an M-SOC to ensure operational efficacy and robust cybersecurity.
#2 – IT Committee Requirements
- Establishing an IT Committee is not mandatory for Self-Certification REs.
- Given the growing role of IT in the securities market, SEBI advises including an IT expert in decision-making processes.
- In the absence of an IT Committee, CSCRF compliance must be reviewed and approved by a Designated Officer (e.g., MD, CEO, Board Member, or Partner).
#3 – Vulnerability Assessment and Penetration Testing (VAPT) (DE.CM.S5)
- Self-Certification REs are required to do the following:
  - Conduct VAPT annually through a CERT-In empaneled IS auditing organization.
  - Submit a self-declaration to SEBI signed by an authorized signatory, such as the MD, CEO, Board Member, or Partner.
- Timelines:
  - The VAPT activity has to commence in the first quarter of the same financial year.
  - The report and a self-certification confirming compliance with applicable CSCRF provisions shall be submitted to SEBI within 1 month of completion of VAPT. The due date for submission of the VAPT report for FY 2025-26 is 30-07-2025.
  - Closure of observations should be completed within 3 months of submission of the VAPT report.
  - Any vulnerabilities still open 3 months after the VAPT activity shall be approved by the CISO / Designated Officer and shall be closed before the start of the next VAPT exercise.
  - In case of observations, revalidation of VAPT should be done within 5 months of completion of VAPT.
#4 – Mandatory Policies
Self-Certification REs must formulate and maintain the following policies, approved by the Board of Directors or Partners. The policy documents have to be reviewed annually with a view to strengthening and improving the cyber resilience posture.
Here are the details of the policies to be maintained by the REs.
1. Cybersecurity & Cyber Resilience Framework Policy (GV.PO.S2)
There needs to be a policy in place for an operational risk management framework to manage risks to systems, networks and databases from cyber-attacks and threats.
2. Risk Management Policy (GV.PO.S5)
There needs to be a policy in place that includes the process to identify, assess, and manage cybersecurity risks associated with processes, information, networks and systems.
3. Third Party Risk Management Policy (GV.SC.S4)
The policy should include appropriate monitoring mechanisms through a clearly defined framework to ensure responsibility, accountability and ownership of outsourced activities.
NDAs and certification that third-party vendors comply with CSCRF should be in place. Periodic SEBI reports must highlight critical third-party activities.
4. Network Segmentation & Security Policy (PR.AA)
The purpose of this policy is to establish guidelines for ensuring robust network security and effective network segmentation to minimize cybersecurity risks and protect sensitive information.
5. Access Control Policy (PR.AA)
This policy is to ensure adequate control over access to IT systems; to establish baseline standards that facilitate consistent application of security configurations to operating systems, databases, network devices, enterprise mobile devices, etc., within the IT environment; and to define log retention as per the IT Act 2000, the Digital Personal Data Protection Act (DPDP) 2023, and as required by CERT-In, NCIIPC or any other government agency.
6. Employee Cyber Security Training Policy (PR.AT.S1)
Training has to be done annually for the employees on cyber security and CSCRF policies.
7. Data Encryption Policy (PR.DS)
Policy should ensure information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Strong data protection measures, with industry standard encryption algorithms, shall be put in place by all REs.
8. Vulnerability & Patch Management Policy (PR.IP)
A vulnerability management plan should be developed and implemented. Security policies and procedures should be maintained and used to manage protection of information systems and assets.
9. Business Continuity & Disaster Recovery Policy (PR.IP)
While it is not mandatory for self-certified REs to maintain a Business Continuity and Disaster Recovery policy, it is advisable to do so. The policy should include guidance on restoration of data with the backup software used by the REs in case of any disaster faced by the REs.
10. Security Operations Centre (SOC) Policy (DE.CM)
CSCRF mandates that all REs establish appropriate security monitoring mechanisms through M-SOC.
11. Incident Management Plan (RS.MA)
There needs to be a policy stating the incident response plans and procedures that will be executed and maintained to ensure response to detected / known cybersecurity incidents.
12. Cyber Crisis Management Plan (RS.MA.S1)
The plan should align with CERT-In’s Cyber Crisis Management Plan (CCMP), including an Incident Response Management Plan.
Action points for Self-certified REs:
1 – PMS entities should assess the feasibility of integrating with an M-SOC, such as those offered by NSE or BSE.
2 – Appoint a Designated Officer to oversee CSCRF compliance and consider consulting an IT expert for strategic decisions.
3 – Schedule annual VAPT with a CERT-In empaneled auditor and ensure timely submission of reports to SEBI.
4 – Draft and approve the policies, ensuring alignment with CSCRF standards, and review them annually.
5 – Train employees annually on cybersecurity best practices.
Unlike Qualified or Mid-size REs, Self-Certification REs are exempt from the periodic cyber audits that must be conducted by CERT-In empaneled Information Security (IS) auditing organizations.
SEBI’s CSCRF, introduced on August 20, 2024, consolidates and supersedes prior cybersecurity guidelines, aiming to strengthen cyber resilience across the Indian securities market.
All Self-Certification REs must achieve full CSCRF compliance by June 30, 2025.