SEBI CSCRF Framework

The Full CSCRF Framework
Pre-Mapped & Automated.

Every requirement from SEBI’s Cybersecurity and Cyber Resilience Framework (August 2024) is pre-loaded — classified by mandatory/advisory, applicable RE type, and reporting frequency.

SEBI CSCRF at a glance

The Cognisec Intelligent Engine continuously collects evidence for the automatable functions directly from your assets; the rest are handled through guided attestation.

FunctionCodeApplicable ToAutomationKey Focus
GovernanceGOVERNAll REsMostly manualBoard policy, CISO, risk framework, CCI
IdentifyIDENTIFYAll REsLargely automatableCritical systems, asset inventory, classification
ProtectPROTECTAll REsLargely automatableAccess control, MFA, encryption, VAPT, patching
Detect & RespondDETECTAll REsSIEM-automatableContinuous monitoring, IRP, SEBI incident reporting
Recover & EvolveRECOVERAll REsHybridDRP, backup testing, red team, audit

Key deadlines every RE must know

August 20, 2024

SEBI CSCRF Circular Released

SEBI issues the consolidated Cybersecurity and Cyber Resilience Framework (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113) covering all Regulated Entities.

Phase 1 — Existing REs

Existing REs Transition

REs already covered by a prior cybersecurity circular were required to adopt CSCRF first — MIIs, stock brokers, depositories and AMCs. Please refer to SEBI for the dates applicable to your category.

Phase 2 — New REs

New REs Transition

Other REs adopting CSCRF for the first time — AIFs, merchant bankers, credit rating agencies, debenture trustees, custodians and venture capital funds. Refer to SEBI for category-specific timelines.

Ongoing — Periodic

Compliance Reporting to SEBI

REs must submit structured compliance reports on the schedule SEBI prescribes for their category to their respective regulator — MIIs to SEBI, stock brokers to stock exchanges, depository participants to depositories.

Ongoing — Semi-Annual

CCI Assessment & SOC Efficacy

MIIs and Qualified REs must measure SOC efficacy and submit CCI scores every 6 months. Third-party CCI assessment required for MIIs.

Non-compliance is costly

SEBI has established a tiered penalty regime enforced by the Data Protection Board and SEBI itself.

₹250 Crore

Failure to implement adequate security safeguards leading to a personal data or system breach.

₹200 Crore

Failure to notify SEBI and affected parties of a cybersecurity incident within prescribed timelines.

₹150 Crore

Non-compliance with additional obligations for Significant Data Fiduciaries and MII-level requirements.