SEBI CSCRF Framework: A Comprehensive Guide for Self-Certified Regulated Entities

Mohan Gandhi Ponnaganti
May 2, 2025
SEBI CSCRF

SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) introduces a structured approach to cybersecurity compliance for all Regulated Entities (REs) in the Indian securities market. This comprehensive guide focuses specifically on Self-certification REs and breaks down the mandatory and optional controls they must implement to maintain compliance with this crucial framework.

Introduction to CSCRF and Self-Certified REs

SEBI issued the Cybersecurity and Cyber Resilience Framework (CSCRF) for Regulated Entities on August 20, 2024, with the aim of strengthening cybersecurity measures and ensuring adequate cyber resiliency across the securities market ecosystem. The framework follows a graded approach, classifying REs into five distinct categories based on their operational scope and specific thresholds:

  1. Market Infrastructure Institutions (MIIs)
  2. Qualified REs
  3. Mid-size REs
  4. Small-size REs
  5. Self-certification REs

Self-certification REs represent entities that fall below certain operational thresholds established by SEBI. As the name suggests, these organizations can self-certify their compliance rather than requiring external audit validation in all cases, though they must still implement all applicable controls.

It's worth noting that SEBI has recently extended the compliance timeline for all REs (except MIIs, KRAs, and QRTAs) until June 30, 2025, providing Self-certification REs additional time to implement the necessary controls.

Mandatory Controls for Self-Certified REs

The following controls are explicitly marked as "Mandatory" for Self-certification REs based on the CSCRF framework:

Governance Controls (GV)

  1. GV.RR.S3: Designated Officer Appointment - Self-certification REs must designate a senior official or management personnel (Designated Officer) responsible for assessing, identifying, and reducing cybersecurity risks, responding to incidents, establishing appropriate standards and controls, and implementing processes and procedures in accordance with the cybersecurity policy approved by the Board/Partners/Proprietor.
  2. GV.RR.S4: Budget Allocation for Cybersecurity - Self-certification REs must allocate an adequate percentage of their total IT budget specifically to cybersecurity initiatives. This allocation must be documented under a separate budgetary head for monitoring by top-level management. Resources should be defined in terms of budgetary allocation, people, and material, with requirements revisited regularly based on implementation progress.
  3. GV.OC.S2 & GV.OC.S3: Compliance and Role Coordination - Self-certification REs must understand, manage, and comply with relevant cybersecurity and data security protection requirements mentioned in government guidelines, laws, circulars, and regulations (including IT Act 2000, DPDP Act 2023). Additionally, cybersecurity roles and responsibilities must be coordinated and aligned with internal roles and external partners.

Identification Controls (ID)

  1. ID.AM.S1 & ID.AM.S4: Critical Systems Classification and Asset Inventory - Self-certification REs must identify and classify critical systems based on their sensitivity and criticality for business operations, services, and data management. The Board/Partners/Proprietor must formally approve the list of critical systems. Additionally, REs must maintain an up-to-date inventory of hardware, systems, software, digital assets, shared resources, interfacing systems, network resources, connections, and data flows.
  2. ID.AM.S7: Asset Inventory in ITSM Tool - All IT assets must be inventoried in an IT Service Management (ITSM) tool, ensuring comprehensive asset tracking and management.

Protection Controls (PR)

  1. PR.AA.S6: Authentication Policy - Self-certification REs must implement effective authentication policies with defined password complexity requirements. All generic user IDs and email IDs not in use must be removed. Strong password controls must be implemented for systems, applications, networks, and databases, including first login password changes, minimum password length and history, complexity requirements, and maximum validity periods. User credentials must be stored using strong hashing algorithms.
  2. PR.AT.S3: Dark Web Monitoring and Phishing Protection - Self-certification REs should engage dark web monitoring for brand intelligence, customer protection, and takedown services as a cyber-defense strategy. They should also subscribe to anti-phishing and anti-rogue app services to mitigate potential phishing or impersonation attacks.
  3. PR.AA.S1, PR.AA.S2 & PR.AA.S3: Access Controls - Self-certification REs must implement robust access controls. No person should have intrinsic access rights based solely on rank or position. Access to systems must be for defined purposes and periods, granted on a need-to-use basis following the principle of least privilege. User access rights must be reviewed periodically, and records of user access to critical systems must be uniquely identified and logged for audit purposes.
  4. PR.MA.S2: Remote Access Policy - Self-certification REs must ensure proper remote access policy frameworks that incorporate specific requirements for securely accessing enterprise resources from remote locations over internet connections.
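The password rules listed under PR.AA.S6 above (first-login change, minimum length and history, complexity, maximum validity, credentials stored under a strong hash) fit naturally into one small enforcement module. The following is an added Python example written for this guide; it is not code from SEBI, the CSCRF or any product mentioned here. The numeric limits (12 characters, five-entry history, 90-day validity), the timestamp and the sample user are constructed assumptions, and scrypt from the standard library stands in for whatever strong hashing algorithm the RE's own policy names.

```python
"""Password policy enforcement in the shape CSCRF PR.AA.S6 describes.

Added illustration, not code from SEBI, the CSCRF or any vendor named in the
guide. The numeric policy values and the user data are constructed assumptions.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy parameters: an RE sets these in its own approved policy.
MIN_LENGTH = 12
HISTORY_DEPTH = 5                   # the last N hashes a new password may not match
MAX_VALIDITY = timedelta(days=90)   # maximum validity period before a forced change
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # ~16 MiB memory cost per hash
DEMO_NOW = datetime(2025, 5, 2, tzinfo=timezone.utc)  # constructed timestamp


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Hash with scrypt (memory-hard) under a per-user random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks no timing information."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def complexity_errors(password: str) -> list:
    """Return every complexity rule the candidate violates (empty list = compliant)."""
    rules = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password) is not None, "no uppercase letter"),
        (re.search(r"[a-z]", password) is not None, "no lowercase letter"),
        (re.search(r"[0-9]", password) is not None, "no digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "no symbol"),
    ]
    return [message for ok, message in rules if not ok]


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    must_change: bool = True        # set on creation: first login forces a change
    history: list = field(default_factory=list)   # recent (salt, digest) pairs

    def password_expired(self, now: datetime) -> bool:
        return now - self.changed_at > MAX_VALIDITY

    def login_requires_change(self, now: datetime) -> bool:
        return self.must_change or self.password_expired(now)


def create_account(user_id: str, initial_password: str, now: datetime) -> Account:
    """Provision with a temporary password; the first login must replace it."""
    salt, digest = hash_password(initial_password)
    return Account(user_id, salt, digest, now, must_change=True, history=[(salt, digest)])


def change_password(acct: Account, new_password: str, now: datetime) -> list:
    """Apply complexity and history rules; return [] on success, else the violations."""
    errors = complexity_errors(new_password)
    # History: re-hash the candidate under each stored salt and compare digests,
    # so earlier passwords are never kept in clear.
    for salt, digest in acct.history[-HISTORY_DEPTH:]:
        if verify_password(new_password, salt, digest):
            errors.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    if errors:
        return errors
    acct.salt, acct.digest = hash_password(new_password)
    acct.history = (acct.history + [(acct.salt, acct.digest)])[-HISTORY_DEPTH:]
    acct.changed_at = now
    acct.must_change = False
    return []


if __name__ == "__main__":
    acct = create_account("ops-user", "Temp-Pass-2025!", DEMO_NOW)
    print("first login forces change:", acct.login_requires_change(DEMO_NOW))
    print("reuse rejected:", change_password(acct, "Temp-Pass-2025!", DEMO_NOW))
    print("accepted:", change_password(acct, "Correct-Horse-9-Battery", DEMO_NOW) == [])
    print("expired after 180 days:", acct.login_requires_change(DEMO_NOW + MAX_VALIDITY * 2))
```

The history check works on stored hashes, so previous passwords never have to be retained in clear, and `login_requires_change` is the hook a login flow calls before issuing a session so that both the first-login rule and the maximum-validity rule are enforced in one place.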

Other Applicable Controls for Self-Certified REs

Beyond mandatory controls, several other requirements apply to Self-certification REs but are not explicitly marked as "Mandatory":

  1. ID.RA.S1 & ID.RA.S2: Risk Assessment - Self-certification REs should conduct risk assessments of their IT environment to acquire visibility and an accurate assessment of their cybersecurity risk posture. This assessment should identify cyber risks, associated threats, and their impact on business operations.
  2. PR.AA.S4 & PR.AA.S5: Zero-Trust Security Model - Self-certification REs should follow a zero-trust security model where access from within or outside the RE's network to critical systems is denied by default and allowed only after proper authentication and authorization. Delegated access and unused tokens should be reviewed and cleaned periodically.
  3. PR.IP.S14: Periodic Audits - While not explicitly mandatory for Self-certification REs, it's recommended to engage CERT-In empaneled IS auditing organizations for conducting external audits to ensure compliance with the CSCRF framework.
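The access-control wording in PR.AA.S1, S2 and S3 above (access for a defined purpose and period, need-to-use, no rights by rank, logged access to critical systems) and the default-deny posture of PR.AA.S4 and S5 describe the same decision procedure, so one worked example serves both. This is an added Python illustration for this guide, not code from SEBI, the CSCRF, Cloudflare or any other vendor; the system names, the single grant, the timestamps and the audit-record layout are constructed assumptions.

```python
"""Default-deny access decisions with time-bounded, purpose-bound grants and an
audit trail for critical systems, in the spirit of CSCRF PR.AA.S1 to PR.AA.S5.

Added illustration, not code from SEBI, the CSCRF or any vendor named in the
guide. System names, grants and the audit record format are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the Board-approved list of critical systems (ID.AM.S1).
CRITICAL_SYSTEMS = frozenset({"trading-gateway", "client-db"})


@dataclass(frozen=True)
class Grant:
    """An explicit, reviewed access right. No field carries rank or title:
    seniority alone never yields access."""
    user_id: str
    system: str
    purpose: str            # defined purpose (need-to-use)
    valid_from: datetime
    valid_until: datetime   # defined period; nothing is open-ended
    mfa_required: bool = True


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    system: str
    source_ip: str
    mfa_passed: bool
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessPolicy:
    def __init__(self, grants):
        self.grants = list(grants)
        self.audit_log = []     # one record per request against a critical system

    def evaluate(self, req: AccessRequest) -> Decision:
        """Deny unless an explicit, currently valid grant matches the request;
        requests from inside and outside the network are treated identically."""
        decision = Decision(False, "no matching grant (default deny)")
        for g in self.grants:
            if (g.user_id, g.system) != (req.user_id, req.system):
                continue
            if not (g.valid_from <= req.at < g.valid_until):
                decision = Decision(False, "grant expired or not yet valid")
                continue
            if g.mfa_required and not req.mfa_passed:
                decision = Decision(False, "MFA required but not satisfied")
                continue
            decision = Decision(True, f"explicit grant for purpose: {g.purpose}")
            break
        if req.system in CRITICAL_SYSTEMS:
            # Log allowed and denied attempts alike: denials are the detection signal.
            self.audit_log.append({
                "ts": req.at.isoformat(),
                "user": req.user_id,
                "system": req.system,
                "src": req.source_ip,
                "allowed": decision.allowed,
                "reason": decision.reason,
            })
        return decision

    def expired_grants(self, now: datetime) -> list:
        """Input to the periodic access review: grants that should be removed."""
        return [g for g in self.grants if g.valid_until <= now]

    def audit_jsonl(self) -> str:
        """Audit records as JSON lines, ready to ship to a log collector."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit_log)


# Constructed demo timeline: one two-hour grant for a patching window.
DEMO_NOW = datetime(2025, 5, 2, 9, 0, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(hours=3)
DEMO_GRANTS = [
    Grant("ops-user", "trading-gateway", "month-end patching",
          DEMO_NOW - timedelta(hours=1), DEMO_NOW + timedelta(hours=2)),
]


def demo_policy() -> AccessPolicy:
    return AccessPolicy(DEMO_GRANTS)


if __name__ == "__main__":
    policy = demo_policy()
    print(policy.evaluate(AccessRequest("ops-user", "trading-gateway", "10.0.0.5", True, DEMO_NOW)))
    print(policy.evaluate(AccessRequest("ops-user", "client-db", "10.0.0.5", True, DEMO_NOW)))
    print(policy.evaluate(AccessRequest("ops-user", "trading-gateway", "10.0.0.5", True, DEMO_LATER)))
    print(policy.audit_jsonl())
```

`expired_grants` is what a periodic review would run before cleaning up delegated access and unused tokens, and the audit records are written for denied attempts too, since a run of default-deny decisions against a critical system is exactly what a monitoring team wants to see.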

Implementation Timeline Extension

SEBI has recognized the complexity of implementing comprehensive cybersecurity controls and has therefore extended the compliance timeline for most REs. As per Circular SEBI/HO/ITD-1/ITD/CSC/EXT/P/CIR/2025/45 dated March 28, 2025, Self-certification REs now have until June 30, 2025, to achieve full compliance with the CSCRF framework.

Addendum: CSCRF Implementation Using Ofofo.ai, Acronis, and Cloudflare Access ZTNA

Ofofo.ai, an agentic AI company specializing in CSCRF compliance management, offers a comprehensive solution for Self-certification REs that integrates with industry-leading security tools like Acronis End Point Protection and Cloudflare Access ZTNA. Here's how these technologies map to specific CSCRF controls:

Acronis End Point Protection Implementation

Acronis helps Self-certification REs meet several critical CSCRF requirements:

  1. Asset Management (ID.AM.S1, ID.AM.S7) - Acronis serves as an ITSM tool for centralizing asset tracking and management. The Acronis dashboard integrates with change management workflows, reflecting asset updates within the mandatory 3-day window required by CSCRF.
  2. Endpoint Security (PR.AA.S15) - Acronis provides comprehensive endpoint protection, scanning attachments and blocking non-permissible attachment types, helping REs enforce security controls for endpoint devices.
  3. Vulnerability Management - Acronis helps identify and address vulnerabilities in endpoint systems, enabling REs to maintain secure configurations and mitigate potential threats.

Cloudflare Access ZTNA Implementation

Cloudflare Access ZTNA enables Self-certification REs to implement:

  1. Zero-Trust Security Model (PR.AA.S4) - Cloudflare ZTNA deploys default-deny policies uniformly across all critical systems, aligns with CSCRF's requirements for zero-trust architecture, and enforces continuous authentication.
  2. Network Segmentation (PR.AA.S5) - Cloudflare ZTNA enforces role-based access and segment-to-segment isolation for systems, adhering to the CSCRF requirement for network segmentation.
  3. Multi-Factor Authentication (PR.AA.S1) - Cloudflare ZTNA implements MFA for all access to critical systems, ensuring robust authentication practices.
  4. DNS Filtering and Web Application Firewall - Cloudflare ZTNA provides DNS filtering capabilities that prevent potential access to malicious domains and offers basic WAF protection for web applications.

Ofofo.ai's Agentic AI for CSCRF Compliance

Ofofo.ai's agentic AI platform enhances CSCRF compliance through:

  1. Dark Web Monitoring (PR.AT.S3) - Ofofo.ai provides dark web monitoring of emails and domains, helping Self-certification REs detect potential data leaks and brand abuse.
  2. Automated Compliance Reporting - The platform streamlines CSCRF reporting requirements, generating necessary documentation for self-certification.
  3. Integrated Risk Management - Ofofo.ai conducts threat modeling and risk assessments, helping REs comply with ID.RA.S1 and ID.RA.S2 controls.
  4. Virtual CISO Services - For REs without a full-time CISO, Ofofo.ai provides virtual CISO services to fulfill the leadership requirements outlined in GV.RR.S3.

Conclusion

Self-certification REs must navigate a comprehensive set of cybersecurity controls under SEBI's CSCRF framework, balancing mandatory and recommended requirements. With the compliance deadline extended to June 30, 2025, these organizations now have additional time to implement necessary controls.

By leveraging integrated solutions like Ofofo.ai's agentic AI platform in conjunction with Acronis End Point Protection and Cloudflare Access ZTNA, Self-certification REs can efficiently meet CSCRF requirements while maintaining robust cybersecurity postures appropriate to their operational scale and risk profile.

Remember that this guide provides an overview of CSCRF requirements for Self-certification REs, but each organization should carefully review the complete framework to ensure full compliance by the extended deadline.

Frequently asked questions by Self-Certified REs

SEBI CSCRF Compliance: Key Exemptions for Self-Certified REs

Below are simplified answers to common questions about requirements that do NOT apply to Self-Certified REs under SEBI’s CSCRF framework but are mandatory for other RE categories (MIIs, Qualified, Mid-size, and Small-size REs).

1. Do Self-Certified REs need to conduct background checks on third-party vendors?

No.
Self-Certified REs are exempt from mandatory third-party vendor background checks, unlike MIIs and Qualified REs, which must verify vendors’ cybersecurity compliance.

2. Do Self-Certified REs require CERT-In empanelled audits?

No.
Periodic cyber audits by CERT-In empanelled organizations are optional for Self-Certified REs. Other REs must conduct these audits annually or half-yearly.

3. Do Self-Certified REs need a Chief Information Security Officer (CISO)?

No.
Only MIIs and Qualified REs must appoint a full-time CISO. Self-Certified REs can rely on senior management or external experts for cybersecurity oversight.

4. Do Self-Certified REs need an external consultant in the IT Committee?

No.
Self-Certified REs are not required to form a dedicated IT Committee. Mid-size and larger REs must have one with external cybersecurity experts.

5. Do Self-Certified REs need ISO 27001 certification?

No.
ISO 27001 certification is mandatory only for MIIs and Qualified REs. Self-Certified REs can adopt its principles voluntarily.

6. Do Self-Certified REs need to conduct red teaming exercises?

No.
Red teaming (simulated cyberattacks) is required only for MIIs and Qualified REs. Self-Certified REs focus on basic threat monitoring.

7. Do Self-Certified REs need to measure SOC efficacy?

No.
Self-Certified REs using third-party SOC services (like Market SOC) don’t need to measure SOC performance. MIIs and Qualified REs must evaluate SOC efficacy twice yearly.

8. Do Self-Certified REs need comprehensive risk assessments?

No.
In-depth risk assessments (e.g., post-quantum risks) are optional. Other REs must perform these assessments annually.

9. Do Self-Certified REs need strict data localization?

No.
Self-Certified REs can use global SaaS tools without storing all data in India. Larger REs must ensure critical data resides within India.

10. Do Self-Certified REs need complex contingency plans?

No.
Self-Certified REs aren’t required to maintain detailed disaster recovery systems (e.g., golden server images). MIIs and Qualified REs must test recovery plans twice yearly.

11. Do Self-Certified REs need to audit 100% of their IT systems?

No.
Cyber audits for Self-Certified REs are optional. Qualified and Mid-size REs must audit 100% of critical systems and 25% of non-critical systems annually.

12. Do Self-Certified REs need to implement AI-driven threat detection?

No.
Advanced AI/ML security tools are optional. MIIs and Qualified REs must deploy such technologies for real-time threat analysis.

13. Do Self-Certified REs need to conduct root-cause analysis (RCA) for incidents?

No.
Only Mid-size and Qualified REs must perform RCA for major incidents. Self-Certified REs focus on basic incident reporting to SEBI within 24 hours.

Why These Exemptions Exist

SEBI’s CSCRF follows a graded approach, recognizing that Self-Certified REs have smaller operations and limited IT infrastructure. Their focus is on essential controls like endpoint security (e.g., Acronis), zero-trust access (e.g., Cloudflare ZTNA), and basic governance. Larger REs face stricter rules due to systemic risks and larger attack surfaces.

For more details, refer to:

  • SEBI Circular SEBI/HO/ITD-1/ITD/CSC/EXT/P/CIR/2024/113 (Aug 20, 2024)
  • CSCRF Exemption Tables (Section 8, Part I)

Check out Ofofo.ai to implement CSCRF through Agentic AI for Self-certification REs.