SEBI CSCRF Framework: A guide to periodicity requirements

Mohan Gandhi Ponnaganti
May 2, 2025
SEBI CSCRF

In the rapidly evolving digital financial landscape, timely and regular reporting is crucial for maintaining robust cybersecurity practices. The Securities and Exchange Board of India (SEBI) has established specific timelines for various cybersecurity assessments and reports under its Cyber Security and Cyber Resilience Framework (CSCRF). This guide breaks down the reporting periodicities for different categories of regulated entities.

Understanding the Reporting Categories

SEBI has categorized regulated entities into different tiers, each with specific reporting requirements:

  1. Market Infrastructure Institutions (MIIs)
  2. Qualified Regulated Entities
  3. Mid-size Regulated Entities
  4. Small-size Regulated Entities
  5. Self-certification Regulated Entities

Quarterly Reporting Requirements

For MIIs and Qualified REs:

  • IT Committee Meetings
  • Privileged Users' Activities Review
  • Threat Hunting Exercises

For All Categories:

  • IT Committee Meetings

Half-yearly Reporting Requirements

For MIIs:

  • Cyber Resilience Third-party Assessment (CCI)
  • Risk Assessment (Threat-based)
  • Third-party Systems Review
  • SOC Functional Efficacy Review
  • Red Teaming Exercise
  • Cybersecurity Scenario-based Drill
  • Review and update of contingency plan (COOP)

For Qualified REs:

  • Third-party Systems Review
  • User Access Rights Review
  • Red Teaming Exercise
  • Cybersecurity Drill Exercise
  • Review and update of contingency plan (COOP)

For Other Categories:

  • User Access Rights Review
  • Privileged Users' Activities Review

Annual Reporting Requirements

For All Categories:

  • Cybersecurity and Cyber Resilience Policy Review
  • Cybersecurity Risk Management Policy Review
  • Cybersecurity Training Program

For Qualified REs:

  • Cyber Resilience Self-assessment (CCI)

For Mid-size and Small-size REs:

  • Evaluation of Cyber Resilience Posture
  • Review and update of contingency plan (COOP)

For Other REs:

  • Third-party Systems Review
  • Cybersecurity Scenario-based Drill Exercise
  • Evaluation of Cyber Resilience Posture (if using third-party managed SOC or Market SOC)

VAPT Reporting Timeline

Frequency:

  • MIIs and Qualified REs: At least twice per year
  • Other Categories: At least once per year

Submission Deadlines:

  • Report submission: Within 1 month of completion
  • Closure of findings: Within 3 months
  • Revalidation: Within 5 months

Cyber Audit Reporting Timeline

Frequency:

  • MIIs and Qualified REs: At least twice per year
  • Mid-size and Small-size REs (with IBT/Algo trading): At least once per year
  • Other REs: At least once per year

Submission Deadlines:

  • Report submission: Within 1 month of completion
  • Closure of findings: Within 3 months
  • Follow-on audit: Within 5 months

ISO 27001 Certification Timeline

MIIs and Qualified REs must:

  • Obtain ISO 27001 certification within 1 year of CSCRF issuance
  • Submit certification evidence with cyber audit report

Market SOC Implementation Timeline

  • Implementation deadline: January 01, 2025
  • Regular reporting of functional efficacy to SEBI

Best Practices for Meeting Reporting Deadlines

  1. Create a Reporting Calendar: Develop a comprehensive schedule of all required reports and assessments.
  2. Set Internal Deadlines: Establish internal deadlines that are earlier than the regulatory deadlines to allow for review and corrections.
  3. Automate Reminders: Implement automated reminders for upcoming reporting requirements.
  4. Maintain Documentation: Keep all supporting documentation readily available for quick report preparation.
  5. Regular Status Updates: Conduct regular status checks on report preparation and submission.
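Best practices 1 to 3 can be turned into a small deadline calculator. The following is an added example, not code from the original article: it derives the cycle windows for each CSCRF category and the 1/3/5-month milestones from the VAPT and cyber audit timelines stated above. The 1 April financial-year start, the reading of "twice per year" as one cycle per FY half, and the 14-day internal buffer are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Required VAPT / cyber audit cycles per financial year, by CSCRF category (taken from the text above).
CYCLES_PER_YEAR = {"MII": 2, "Qualified RE": 2, "Mid-size RE": 1,
                   "Small-size RE": 1, "Self-certification RE": 1}

def add_months(d: date, months: int) -> date:
    """Shift d by whole months, clamping to the month end (31 Jan + 1 month -> 28 or 29 Feb)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    last_day = calendar.monthrange(d.year + years, month0 + 1)[1]
    return date(d.year + years, month0 + 1, min(d.day, last_day))

def cycle_windows(category: str, fy_start: date) -> list[tuple[date, date]]:
    """Completion windows for each required cycle in the financial year starting at fy_start.
    Assumption (matching the FAQ): 'twice per year' means one cycle in each half of the year."""
    n = CYCLES_PER_YEAR[category]
    span = 12 // n
    return [(add_months(fy_start, i * span),
             add_months(fy_start, (i + 1) * span) - timedelta(days=1)) for i in range(n)]

@dataclass(frozen=True)
class Milestones:
    report_due: date        # report submission: within 1 month of completion
    closure_due: date       # closure of findings: within 3 months of completion
    revalidation_due: date  # revalidation (VAPT) / follow-on audit (cyber audit): within 5 months

def milestones(completed: date) -> Milestones:
    """Regulatory deadlines that follow from an assessment's completion date."""
    return Milestones(add_months(completed, 1), add_months(completed, 3), add_months(completed, 5))

def internal_deadline(regulatory_deadline: date, buffer_days: int = 14) -> date:
    """Best practice 2: an internal deadline ahead of the regulatory one (14-day buffer is an assumption)."""
    return regulatory_deadline - timedelta(days=buffer_days)

def overdue_items(m: Milestones, done: dict[str, date], today: date) -> list[str]:
    """Milestones whose deadline has passed with no recorded completion date (best practice 3).
    `done` maps 'report' / 'closure' / 'revalidation' to the date that step was finished."""
    due = {"report": m.report_due, "closure": m.closure_due, "revalidation": m.revalidation_due}
    return [name for name, deadline in due.items() if today > deadline and name not in done]
```

For a constructed case, a Qualified RE whose first-half VAPT finished on 31 May 2025 gets report, closure and revalidation deadlines of 30 June, 31 August and 31 October 2025, and `overdue_items` flags the closure once September passes without a recorded date.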

Frequently Asked Questions: SEBI CSCRF Framework Periodicity Requirements

What are the different categories of regulated entities under SEBI's CSCRF framework?

SEBI has categorized regulated entities into five distinct tiers: Market Infrastructure Institutions (MIIs), Qualified Regulated Entities, Mid-size Regulated Entities, Small-size Regulated Entities, and Self-certification Regulated Entities. Each category has specific reporting requirements appropriate to its size and risk profile.

How does Regulated Entity determine which category it falls under?

The categorization is typically based on factors like assets under management, client base, or transaction volume. Regulated Entity should review the specific thresholds outlined in the CSCRF circular to determine its classification. The category is decided at the beginning of the financial year based on data from the previous financial year and remains unchanged throughout the year regardless of parameter changes.

Can Regulated Entity's category change during the financial year?

No. Once the category of Regulated Entity is decided at the beginning of the financial year based on previous year's data, it remains in the same category throughout the financial year, regardless of any changes in parameters during the year. The category is validated by the respective reporting authority at the time of compliance submission.

What are the quarterly reporting requirements for Regulated Entity?

If Regulated Entity is classified as an MII or Qualified RE, quarterly requirements include IT Committee Meetings, Privileged Users' Activities Review, and Threat Hunting Exercises. For all other categories, IT Committee Meetings are required quarterly (except for Small-size and Self-certification REs, which are exempt from forming an IT Committee).

What half-yearly assessments must Regulated Entity conduct?

Half-yearly requirements vary by category. For MIIs, these include Cyber Resilience Third-party Assessment (CCI), Risk Assessment, Third-party Systems Review, SOC Efficacy Review, Red Teaming, Cybersecurity Drills, and contingency plan reviews. For other categories, requirements may include User Access Rights Review and Privileged Users' Activities Review, depending on Regulated Entity's classification.

What are Regulated Entity's annual reporting obligations?

All categories, including Regulated Entity, must conduct annual Cybersecurity and Cyber Resilience Policy Reviews, Cybersecurity Risk Management Policy Reviews, and Cybersecurity Training Programs. Additional requirements based on category may include Cyber Resilience Self-assessment (for Qualified REs) and Evaluation of Cyber Resilience Posture (for Mid-size and Small-size REs).

How frequently must Regulated Entity conduct VAPT assessments?

The VAPT frequency depends on Regulated Entity's classification. If identified as a Protected System by NCIIPC, VAPT must be conducted at least twice per year (one in each half of the financial year). For other categories, VAPT must be conducted at least once per year, commencing in the first quarter of the financial year.

What are the timelines for VAPT reporting and remediation?

Regulated Entity must submit the VAPT report within one month of completion after approval from the IT Committee. Findings must be closed within three months of report submission, with revalidation completed within five months of VAPT completion. A graded approach based on vulnerability criticality should be followed for closure.

Who can conduct VAPT assessments for Regulated Entity?

Regulated Entity must engage only CERT-In empanelled IS auditing organizations for conducting VAPT. For Regulated Entity's VAPT reporting, the CERT-In empanelled auditor should submit findings to the appropriate authority (SEBI, Stock Exchanges, or Depositories) depending on Regulated Entity's regulatory category.

What is the difference between VAPT and Cyber Audit?

While VAPT focuses specifically on identifying vulnerabilities and testing penetration capabilities, Cyber Audit is broader and verifies Regulated Entity's compliance with the entire CSCRF framework. Cyber audit covers 100% of critical systems and 25% of non-critical systems chosen on a sample basis.

How long can Regulated Entity use the same auditing organization?

Regulated Entity can engage a CERT-In empanelled IS auditing organization for a maximum period of three consecutive years. Subsequently, that organization will only be eligible to audit Regulated Entity again after a cooling-off period of two years.

What documentation must Regulated Entity submit with the Cyber Audit report?

Regulated Entity must submit a declaration from the Managing Director/CEO along with the cyber audit report. For MIIs and Qualified REs, evidence of ISO 27001 certification must also be submitted with the cyber audit report.

Does Regulated Entity need ISO 27001 certification?

It depends on Regulated Entity's classification. If Regulated Entity is categorized as an MII or Qualified RE, ISO 27001 certification is mandatory. For other categories (Mid-size, Small-size, and Self-certification REs), ISO certification is optional but recommended.

What is the timeline for obtaining ISO 27001 certification?

If required, Regulated Entity must obtain ISO 27001 certification within one year of CSCRF issuance. The evidence of certification must be submitted along with the cyber audit report to the appropriate regulatory authority.

What should be the scope of ISO 27001 certification for Regulated Entity?

The scope for ISO 27001 certification must include but is not limited to the Primary Data Center (PDC) site, Disaster Recovery (DR) site, Near Disaster Recovery (NDR) site, Security Operations Center (SOC), and Colocation facility if applicable to Regulated Entity.

When must Regulated Entity implement the Market SOC?

The Market SOC implementation deadline is January 1, 2025. Regulated Entity should prepare for integration with this timeline in mind.

How often must Regulated Entity report on SOC efficacy?

If Regulated Entity is an MII or Qualified RE, SOC efficacy must be reviewed and reported half-yearly. For other REs utilizing third-party managed SOC or Market SOC services, annual reporting is required.

Can Regulated Entity use a third-party SOC instead of implementing its own?

Yes, Regulated Entity can utilize third-party managed SOC or Market SOC services. If doing so, Regulated Entity must still report on the functional efficacy of the SOC annually to demonstrate proper security monitoring.

Does Regulated Entity need to constitute an IT Committee?

If Regulated Entity falls into the MII, Qualified RE, or Mid-size RE categories, it must constitute an IT Committee. For Small-size REs and Self-certification REs, forming an IT Committee is not mandatory but is considered desirable.

Who should be part of Regulated Entity's IT Committee?

Regulated Entity's IT Committee must include at least one external independent expert on cybersecurity matters. This requirement applies to all categories that must form an IT Committee (MIIs, Qualified REs, and Mid-size REs).

What if Regulated Entity doesn't have an IT Committee?

If Regulated Entity is a Small-size RE or Self-certification RE and doesn't have an IT Committee, the compliance to CSCRF shall be reviewed and approved by the MD/CEO/Board member/Partners/Proprietor instead.

What happens if Regulated Entity fails to meet the compliance deadlines?

Non-compliance with CSCRF requirements may result in regulatory actions, potential suspension of services, operational risks, and reputational damage to Regulated Entity. SEBI has the authority to take appropriate enforcement actions for non-compliance.

How can Regulated Entity best manage all these periodic requirements?

Regulated Entity should create a comprehensive reporting calendar, set internal deadlines earlier than regulatory deadlines, implement automated reminders, maintain readily available documentation, and conduct regular status checks on report preparation and submission.

Has SEBI extended any compliance deadlines for CSCRF implementation?

Yes, SEBI has extended the compliance timeline for all REs (except MIIs, KRAs, and QRTAs) until June 30, 2025. This gives Regulated Entity additional time to implement the necessary controls if it falls into an eligible category.

How can Acronis End Point Protection help Regulated Entity comply with CSCRF requirements?

Acronis End Point Protection can help Regulated Entity meet several CSCRF requirements related to endpoint security, data protection, anti-malware capabilities, and security training. This comprehensive security solution addresses many of the mandatory controls required under the Protection (PR) domain of the framework.

How does Cloudflare Access ZTNA support Regulated Entity's CSCRF compliance?

Cloudflare Access ZTNA helps Regulated Entity implement Zero Trust Network Access, which aligns with CSCRF requirements for user access controls, secure remote access, and network security. This solution can help satisfy several mandatory controls under the Access Authorization (PR.AA) standards of the framework.

How can Ofofo.ai assist Regulated Entity with CSCRF compliance management?

Ofofo.ai, as an agentic AI company specializing in CSCRF compliance, can help Regulated Entity streamline compliance through automated assessment tools, compliance tracking dashboards, and integration with security tools like Acronis and Cloudflare. Ofofo.ai's platform can help Regulated Entity manage the complex periodicities and reporting requirements more efficiently.

Conclusion

Meeting SEBI's reporting periodicities is crucial for maintaining compliance and demonstrating commitment to cybersecurity. By understanding and planning for these reporting requirements, regulated entities can ensure timely submission of all required reports and assessments.

Remember that these reporting requirements are not static and may be updated by SEBI from time to time. It's essential to stay informed about any changes to the reporting periodicities.