Every requirement from SEBI’s Cybersecurity and Cyber Resilience Framework (August 2024) is pre-loaded — classified by mandatory/advisory, applicable RE type, and reporting frequency.
The Cognisec Intelligent Engine continuously collects evidence for the automatable functions directly from your assets; the rest are handled through guided attestation.
| Function | Code | Applicable To | Automation | Key Focus |
|---|---|---|---|---|
| Governance | GOVERN | All REs | Mostly manual | Board policy, CISO, risk framework, CCI |
| Identify | IDENTIFY | All REs | Largely automatable | Critical systems, asset inventory, classification |
| Protect | PROTECT | All REs | Largely automatable | Access control, MFA, encryption, VAPT, patching |
| Detect & Respond | DETECT | All REs | SIEM-automatable | Continuous monitoring, IRP, SEBI incident reporting |
| Recover & Evolve | RECOVER | All REs | Hybrid | DRP, backup testing, red team, audit |
SEBI issues the consolidated Cybersecurity and Cyber Resilience Framework (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113) covering all Regulated Entities.
REs already covered by a prior cybersecurity circular were required to adopt CSCRF first — MIIs, stock brokers, depositories and AMCs. Please refer to SEBI for the dates applicable to your category.
Other REs adopting CSCRF for the first time — AIFs, merchant bankers, credit rating agencies, debenture trustees, custodians and venture capital funds. Refer to SEBI for category-specific timelines.
REs must submit structured compliance reports on the schedule SEBI prescribes for their category to their respective regulator — MIIs to SEBI, stock brokers to stock exchanges, depository participants to depositories.
MIIs and Qualified REs must measure SOC efficacy and submit CCI scores every 6 months. Third-party CCI assessment required for MIIs.
SEBI has established a tiered penalty regime enforced by the Data Protection Board and SEBI itself.
Failure to implement adequate security safeguards leading to a personal data or system breach.
Failure to notify SEBI and affected parties of a cybersecurity incident within prescribed timelines.
Non-compliance with additional obligations for Significant Data Fiduciaries and MII-level requirements.