Understanding SEBI CSCRF Annexures: A Comprehensive Guide for Regulated Entities

Mohan Gandhi Ponnaganti
May 2, 2025
SEBI CSCRF

SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) represents a significant evolution in India's financial sector cybersecurity regulations. Introduced on August 20, 2024, this framework aims to strengthen the cybersecurity posture of all SEBI-regulated entities (REs) through standardized requirements and reporting formats. One of the most crucial aspects of compliance involves navigating the various annexures that provide templates, guidelines, and reporting formats. This comprehensive guide explores these annexures and their requirements for different categories of regulated entities.

Introduction to SEBI CSCRF Framework

The Securities and Exchange Board of India (SEBI) issued the Cybersecurity and Cyber Resilience Framework (CSCRF) to establish consistent cybersecurity guidelines for all regulated entities in the Indian securities market. This framework supersedes all previous cybersecurity circulars, guidelines, and advisories issued by SEBI, creating a unified approach to cybersecurity governance.

The CSCRF follows a graded approach, classifying REs into five distinct categories based on their operational scope and specific thresholds:

  1. Market Infrastructure Institutions (MIIs)
  2. Qualified REs
  3. Mid-size REs
  4. Small-size REs
  5. Self-certification REs

These classifications determine which annexures and controls are mandatory for each entity type, allowing for proportionate cybersecurity requirements based on an organization's size, complexity, and risk profile.

SEBI has recently extended the compliance timeline for most REs (except MIIs, KRAs, and QRTAs) until June 30, 2025, providing additional time to implement the necessary controls.

The CSCRF Document Structure

The CSCRF document is structured into four distinct parts to facilitate better understanding and ease of compliance:

  1. Part I: Objectives and Standards – Contains definitions, framework compliance matrix, audit report timelines, objectives, and standards.
  2. Part II: Guidelines – Provides recommendations or suggestions on implementing standards, with certain guidelines explicitly marked as mandatory.
  3. Part III: Compliance Formats – Contains standard formats for reporting CSCRF compliance.
  4. Part IV: Annexures and References – Includes detailed guidelines, templates, and reporting formats to support implementation.

Overview of CSCRF Annexures

The CSCRF includes a comprehensive set of annexures designed to provide detailed guidance on various aspects of cybersecurity and cyber resilience. These annexures are critical for understanding the framework's full scope and ensuring that organizations can comply effectively. Let's examine each annexure:

Annexure A: VAPT Report Format

This annexure provides a standardized format for Vulnerability Assessment and Penetration Testing (VAPT) reports. All categories of REs must comply with this annexure, though Self-certification REs don't need to engage CERT-In empaneled vendors for this purpose. The VAPT report helps identify vulnerabilities in the IT infrastructure and suggests remediation measures to address them.

Annexure B: Cyber Audit Report Format

This standardized format for cyber audit reports ensures consistency in reporting across different REs. This is mandatory for all REs except Self-certification REs. The audit report provides a comprehensive assessment of an RE's cybersecurity posture, highlighting areas of compliance and non-compliance with the CSCRF.

Annexure C: Recovery Plan Template

This reference guide helps REs develop robust recovery plans to restore operations after cybersecurity incidents. All categories of REs must develop recovery plans, with the complexity varying according to their classification. For Self-certification REs, this serves as an indicative plan for response and recovery.

Annexure D: Audit Guidelines

This annexure provides guidelines for auditors conducting cybersecurity audits of REs. While not mandatory for any specific category of RE, these guidelines help ensure that audits are conducted thoroughly and consistently across different organizations.

Annexure E: Scenario-based Cyber Resilience Testing

Mandatory only for MIIs, this annexure outlines approaches for testing cyber resilience through various scenarios. This testing helps MIIs evaluate their ability to respond to and recover from different types of cyber attacks.

Annexure F: Guidelines on Outsourcing of Activities

This annexure provides guidelines for managing cybersecurity risks associated with outsourced activities. It is mandatory for all categories of REs, reflecting the importance of securing the supply chain and third-party relationships in cybersecurity.

Annexure G: Application Authentication Security

This annexure focuses on security measures for authentication in applications. It is mandatory for MIIs, Qualified REs, Mid-size REs, and Small-size REs, but not for Self-certification REs. These guidelines help ensure that access to applications is properly secured through robust authentication mechanisms.

Annexure H: Data Security on Customer Facing Applications

This annexure provides guidelines for securing data in customer-facing applications. It is mandatory for MIIs, Qualified REs, and Mid-size REs, helping protect sensitive customer data from unauthorized access.

Annexure I: Data Transport Security

This annexure focuses on securing data during transmission. It is mandatory for MIIs, Qualified REs, and Mid-size REs, ensuring that data is protected while in transit between systems.

Annexure J: Framework for Adoption of Cloud Services

This annexure provides guidelines for securely adopting and using cloud services. It is mandatory for MIIs, Qualified REs, and Mid-size REs, helping these entities manage the specific security challenges associated with cloud environments.

Annexure K: Cyber Capability Index (CCI)

This annexure outlines the Cyber Capability Index, a tool for measuring an organization's cybersecurity capabilities. It is mandatory for MIIs and Qualified REs, providing a quantitative assessment of cybersecurity maturity.

Annexure L: VAPT Scope

This annexure defines the scope for Vulnerability Assessment and Penetration Testing. It is mandatory for all categories of REs, ensuring that VAPT activities cover all necessary systems and components.

Annexure M: Cyber-SOC Framework for MIIs

This annexure outlines the framework for establishing and operating a Cybersecurity Operations Center (SOC) specifically for Market Infrastructure Institutions. It is mandatory only for MIIs, reflecting their critical role in the financial ecosystem.

Annexure N: Functional Efficacy of SOC

This annexure provides guidelines for measuring the effectiveness of a Security Operations Center. It is mandatory for MIIs and Qualified REs, ensuring that their SOCs are functioning effectively in detecting and responding to security incidents.

Annexure O: Classification and Handling of Cybersecurity Incidents

This annexure provides guidelines for classifying and handling different types of cybersecurity incidents. It is mandatory for all categories of REs, ensuring consistent incident response across the industry.

Annexure P: Reporting Format for Self-certification REs

This annexure provides a specific reporting format for Self-certification REs. It is exclusively mandatory for Self-certification REs, simplifying the reporting process for smaller entities.

Annexure Requirements by RE Category

The CSCRF follows a graded approach, with different annexure requirements based on the category of the regulated entity. Here's a breakdown of which annexures are mandatory for each category:

MIIs (Market Infrastructure Institutions)

As the most critical financial market infrastructures, MIIs have the most comprehensive requirements: every annexure except Annexure P, the self-certification reporting format (Annexure D, the audit guidelines, is addressed to auditors rather than imposed on any RE category). This includes advanced requirements like scenario-based cyber resilience testing (Annexure E), a dedicated SOC framework (Annexure M), and measuring SOC efficacy (Annexure N).

Qualified REs

Qualified REs must comply with most annexures (A, B, C, F, G, H, I, J, K, L, N, O). They are exempt from Annexure E (scenario-based testing) and Annexure M (SOC framework for MIIs), but must implement and measure the efficacy of their SOC (Annexure N).

Mid-size REs

Mid-size REs have fewer requirements than Qualified REs but still must comply with multiple annexures (A, B, C, F, G, H, I, J, L, O). They are exempt from requirements related to the Cyber Capability Index (Annexure K) and SOC efficacy measurement (Annexure N).

Small-size REs

Small-size REs have reduced requirements, focusing on core security controls (Annexures A, B, C, F, G, L, O). They are exempt from requirements related to customer-facing application security (Annexure H), data transport security (Annexure I), cloud services (Annexure J), and SOC-related annexures.

Self-certification REs

Self-certification REs have the least stringent requirements, focusing on basic security controls (Annexures P, A, C, F, L, O). Notably, their VAPT reports don't need to be from CERT-In empaneled vendors, unlike other categories. They use Annexure P specifically designed for self-certification.

Frequently Asked Questions (FAQs) About SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF)

What is the SEBI CSCRF Framework and when was it introduced?

The Cybersecurity and Cyber Resilience Framework (CSCRF) is a comprehensive regulatory framework issued by the Securities and Exchange Board of India (SEBI) on August 20, 2024. It establishes standardized cybersecurity guidelines for all regulated entities in the Indian securities market, superseding all previous cybersecurity circulars, guidelines, and advisories.

What is the primary purpose of the CSCRF Framework?

The primary purpose is to strengthen the cybersecurity posture of all SEBI-regulated entities through standardized requirements and reporting formats. It aims to establish consistent cybersecurity governance across the financial sector to protect data and IT infrastructure from cyber threats.

How is the CSCRF document structured?

The CSCRF document is structured into four distinct parts:

  • Part I: Objectives and Standards – Contains definitions, framework compliance matrix, audit timelines, objectives, and standards
  • Part II: Guidelines – Provides recommendations for implementing standards, with some guidelines marked as mandatory
  • Part III: Compliance Formats – Contains standard formats for reporting CSCRF compliance
  • Part IV: Annexures and References – Includes detailed guidelines, templates, and reporting formats

Classification and Compliance Timelines

What are the different categories of Regulated Entities under CSCRF?

The CSCRF categorizes regulated entities into five distinct classifications:

  1. Market Infrastructure Institutions (MIIs)
  2. Qualified REs
  3. Mid-size REs
  4. Small-size REs
  5. Self-certification REs

This classification determines which annexures and controls are mandatory based on the organization's size, complexity, and risk profile.

What are the current compliance timelines for CSCRF implementation?

SEBI has extended the compliance timeline for most Regulated Entities (except MIIs, KRAs, and QRTAs) until June 30, 2025, providing additional time to implement the necessary controls.

Why did SEBI extend the compliance timeline?

SEBI received multiple requests from regulated entities seeking additional time to ensure ease of compliance with the framework's requirements. In response, SEBI issued a circular on March 28, 2025, extending the timeline by three months.

Annexures Overview

What is the importance of the CSCRF Annexures?

The annexures provide detailed guidance, templates, and reporting formats essential for implementing various aspects of cybersecurity and cyber resilience. They ensure standardization and consistency in how regulated entities approach cybersecurity governance, risk assessment, incident handling, and reporting.

How many annexures are included in the CSCRF, and what do they broadly cover?

The CSCRF includes 16 annexures (A through P) covering various aspects such as:

  • Reporting formats (VAPT, cyber audit, self-certification)
  • Templates (recovery plan)
  • Guidelines (audit, outsourcing, authentication security)
  • Frameworks (SOC operations, cloud adoption)
  • Assessment methodologies (CCI, incident classification)

Specific Annexures

What is Annexure A and who must comply with it?

Annexure A provides a standardized format for Vulnerability Assessment and Penetration Testing (VAPT) reports. All categories of REs must comply with this annexure, though Self-certification REs aren't required to engage CERT-In empaneled vendors. The VAPT report helps identify and remediate vulnerabilities in IT infrastructure.

What is Annexure B and what is its purpose?

Annexure B provides a standardized format for cyber audit reports, ensuring consistency in reporting across different REs. It's mandatory for all REs except Self-certification REs. The audit report comprehensively assesses an RE's cybersecurity posture, highlighting areas of compliance and non-compliance.

What does Annexure C cover regarding recovery planning?

Annexure C provides a reference guide for developing recovery plans to restore operations after cybersecurity incidents. All categories of REs must develop recovery plans, with complexity varying according to their classification. For Self-certification REs, it serves as an indicative plan for response and recovery.

What guidance does Annexure D provide for auditors?

Annexure D provides guidelines for auditors conducting cybersecurity audits of REs. While not mandatory for any specific category, these guidelines help ensure that audits are conducted thoroughly and consistently across different organizations.

What is the purpose of Annexure E on scenario-based testing?

Annexure E outlines approaches for testing cyber resilience through various scenarios. It's mandatory only for MIIs and helps evaluate their ability to respond to and recover from different types of cyber attacks.

How does Annexure F address outsourcing risks?

Annexure F provides guidelines for managing cybersecurity risks associated with outsourced activities. It's mandatory for all categories of REs, reflecting the importance of securing the supply chain and third-party relationships in cybersecurity.

What security measures are covered in Annexure G?

Annexure G focuses on application authentication security measures. It's mandatory for all RE categories except Self-certification REs and helps ensure that access to applications is properly secured through robust authentication mechanisms.

What is the focus of Annexure H?

Annexure H provides guidelines for securing data in customer-facing applications. It's mandatory for MIIs, Qualified REs, and Mid-size REs, helping protect sensitive customer data from unauthorized access.

How does Annexure I address data security?

Annexure I focuses on securing data during transmission. It's mandatory for MIIs, Qualified REs, and Mid-size REs, ensuring that data is protected while in transit between systems.

What guidance does Annexure J provide for cloud adoption?

Annexure J provides guidelines for securely adopting and using cloud services. It's mandatory for MIIs, Qualified REs, and Mid-size REs, helping these entities manage the specific security challenges associated with cloud environments.

What is the Cyber Capability Index (CCI) described in Annexure K?

Annexure K outlines the Cyber Capability Index, a tool for measuring an organization's cybersecurity capabilities. It's mandatory for MIIs and Qualified REs, providing a quantitative assessment of cybersecurity maturity.

What does Annexure L specify regarding VAPT scope?

Annexure L defines the comprehensive scope for Vulnerability Assessment and Penetration Testing. It's mandatory for all categories of REs, ensuring that VAPT activities cover all necessary systems and components.

What is the purpose of Annexure M?

Annexure M outlines the framework for establishing and operating a Cybersecurity Operations Center (SOC) specifically for Market Infrastructure Institutions. It's mandatory only for MIIs, reflecting their critical role in the financial ecosystem.

How does Annexure N help measure SOC effectiveness?

Annexure N provides guidelines for measuring the effectiveness of a Security Operations Center. It's mandatory for MIIs and Qualified REs, ensuring that their SOCs are functioning effectively in detecting and responding to security incidents.

What guidance does Annexure O provide for incident handling?

Annexure O provides guidelines for classifying and handling different types of cybersecurity incidents. It's mandatory for all categories of REs, ensuring consistent incident response across the industry.

What is Annexure P and who needs to use it?

Annexure P provides a specific reporting format for Self-certification REs. It's exclusively mandatory for Self-certification REs, simplifying the reporting process for smaller entities.

Implementation Requirements by Entity Type

What annexures must Market Infrastructure Institutions (MIIs) comply with?

MIIs have the most comprehensive requirements and must comply with every annexure except Annexure P, the self-certification reporting format (Annexure D, the audit guidelines, is addressed to auditors rather than imposed on any RE category). This includes advanced requirements like scenario-based cyber resilience testing (Annexure E), a dedicated SOC framework (Annexure M), and measuring SOC efficacy (Annexure N).

What annexures are mandatory for Qualified REs?

Qualified REs must comply with most annexures (A, B, C, F, G, H, I, J, K, L, N, O). They are exempt from Annexure E (scenario-based testing) and Annexure M (SOC framework for MIIs), but must implement and measure the efficacy of their SOC (Annexure N).

What are the compliance requirements for Mid-size REs?

Mid-size REs must comply with multiple annexures (A, B, C, F, G, H, I, J, L, O). They are exempt from requirements related to the Cyber Capability Index (Annexure K) and SOC efficacy measurement (Annexure N).

What annexures must Small-size REs implement?

Small-size REs have reduced requirements, focusing on core security controls (Annexures A, B, C, F, G, L, O). They are exempt from requirements related to customer-facing application security (Annexure H), data transport security (Annexure I), cloud services (Annexure J), and SOC-related annexures.

What are the minimal requirements for Self-certification REs?

Self-certification REs have the least stringent requirements, focusing on basic security controls (Annexures P, A, C, F, L, O). Their VAPT reports don't need to be from CERT-In empaneled vendors, unlike other categories. They use Annexure P specifically designed for self-certification.

How can existing security solutions help with CSCRF compliance?

For Self-certification REs, the mandatory annexures (P, A, C, F, L, O) can be supported by an existing security stack such as Acronis End Point Protection, Cloudflare Access ZTNA, and Axiom IO, with Ofofo.ai providing support for compliance management. Products implement controls, but the VAPT (Annexures A and L), the recovery plan (Annexure C), outsourcing governance (Annexure F), incident classification and handling (Annexure O), and the Annexure P self-certification report remain obligations the RE must carry out and evidence itself.

What should REs focus on during the extended compliance period?

With the extended compliance deadline of June 30, 2025, REs should focus on reviewing and refining their cybersecurity controls to ensure full compliance with the CSCRF requirements. They should prioritize mandatory annexures applicable to their category and leverage existing security solutions to enhance their cybersecurity posture.

Conclusion

SEBI's CSCRF represents a significant step forward in establishing a standardized approach to cybersecurity for regulated entities in the Indian securities market. The framework's annexures provide detailed guidance for implementing various aspects of cybersecurity and cyber resilience.

For a Self-certification RE, the mandatory annexures (P, A, C, F, L, O) can be supported by an existing security stack of Acronis End Point Protection, Cloudflare Access ZTNA, and Axiom IO, with Ofofo.ai providing support for compliance management, but the VAPT, recovery plan, outsourcing governance, incident handling, and self-certification report remain obligations the RE must perform and evidence itself.

With the extended compliance deadline of June 30, 2025, REs have time to review and refine their cybersecurity controls to ensure full compliance with the CSCRF requirements. By focusing on the mandatory annexures for its category and leveraging existing security solutions, an RE can enhance its cybersecurity posture and demonstrate compliance with SEBI's requirements.