Every requirement from SEBI’s Cybersecurity and Cyber Resilience Framework (August 2024) is pre-loaded — classified by mandatory/advisory, applicable RE type, and reporting frequency.
| Pillar | Code | Controls | Mandatory | Applicable To | Key Focus |
|---|---|---|---|---|---|
| Governance | P-1 | 8 | 6 mandatory | All REs | Board policy, CISO, risk framework, CCI |
| Identify | P-2 | 8 | 7 mandatory | All REs | Critical systems, asset inventory, SBOM |
| Protect | P-3 | 10 | 9 mandatory | All REs | Access control, MFA, encryption, VAPT, API |
| Detect & Respond | P-4 | 7 | 6 mandatory | All REs | 24x7 SOC, IRP, SEBI incident reporting |
| Recover & Evolve | P-5 | 7 | 5 mandatory | All REs | DRP, backup testing, red team, audit |
SEBI issues the consolidated Cybersecurity and Cyber Resilience Framework (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113) covering all Regulated Entities.
All REs already covered by an earlier SEBI cybersecurity and cyber resilience circular (MIIs, stock brokers, depositories, AMCs) must adopt CSCRF fully by this date.
All other REs adopting CSCRF for the first time (AIFs, merchant bankers, credit rating agencies, debenture trustees, custodians, venture capital funds) must comply by this date.
REs must submit structured compliance reports to their respective regulator — MIIs to SEBI, stock brokers to stock exchanges, depository participants to depositories.
MIIs and Qualified REs must measure SOC efficacy and submit CCI scores every 6 months. Third-party CCI assessment required for MIIs.
Non-compliance exposes an RE to two separate enforcement tracks: SEBI enforces the CSCRF against its regulated entities under the SEBI Act, while the Data Protection Board of India enforces the tiered penalties of the Digital Personal Data Protection Act, 2023 wherever personal data is involved. The main penalty triggers are:
Failure to implement reasonable security safeguards, leading to a breach of personal data or of a critical system.
Failure to report a cybersecurity incident within the prescribed timelines: to SEBI under CSCRF, and to the Data Protection Board and the affected data principals under the DPDP Act.
Non-compliance with the additional obligations placed on Significant Data Fiduciaries under the DPDP Act, or with the MII-level requirements of CSCRF.