SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) represents a significant evolution in India's financial sector cybersecurity regulations. Introduced on August 20, 2024, this framework aims to strengthen the cybersecurity posture of all SEBI-regulated entities (REs) through standardized requirements and reporting formats. One of the most crucial aspects of compliance involves navigating the various annexures that provide templates, guidelines, and reporting formats. This comprehensive guide explores these annexures and their requirements for different categories of regulated entities.
The Securities and Exchange Board of India (SEBI) issued the Cybersecurity and Cyber Resilience Framework (CSCRF) to establish consistent cybersecurity guidelines for all regulated entities in the Indian securities market. This framework supersedes all previous cybersecurity circulars, guidelines, and advisories issued by SEBI, creating a unified approach to cybersecurity governance.
The CSCRF follows a graded approach, classifying REs into five distinct categories based on their operational scope and specific thresholds: Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs.
These classifications determine which annexures and controls are mandatory for each entity type, allowing for proportionate cybersecurity requirements based on an organization's size, complexity, and risk profile.
SEBI has extended the compliance timeline for most REs until June 30, 2025, giving them additional time to implement the necessary controls; the extension does not apply to MIIs, KRAs (KYC Registration Agencies), and QRTAs (Qualified Registrars to an Issue and Share Transfer Agents).
The CSCRF document is structured into four distinct parts to facilitate better understanding and ease of compliance:
The CSCRF includes 16 annexures, lettered A through P, that provide detailed guidance, templates, and reporting formats for the framework's requirements. Understanding them is necessary to see the framework's full scope and to know which obligations apply to a given RE. Let's examine each annexure:
Annexure A provides a standardized format for Vulnerability Assessment and Penetration Testing (VAPT) reports. All categories of REs must comply with this annexure, though Self-certification REs are not required to engage CERT-In empaneled vendors for the testing. The VAPT report identifies vulnerabilities in the RE's IT infrastructure and records the remediation measures proposed for each.
Annexure B provides a standardized format for cyber audit reports, so that reporting is consistent across REs. It is mandatory for all REs except Self-certification REs. The audit report assesses an RE's cybersecurity posture against the CSCRF, highlighting areas of compliance and non-compliance.
Annexure C is a reference guide for developing recovery plans that restore operations after a cybersecurity incident. All categories of REs must develop recovery plans, with the expected depth varying according to their classification; for Self-certification REs, the annexure serves as an indicative plan for response and recovery.
Annexure D provides guidelines for auditors conducting cybersecurity audits of REs. It is not listed as mandatory for any category of RE, since it is addressed to the auditor rather than the audited entity, but it helps ensure that audits are conducted thoroughly and consistently across organizations.
Annexure E, mandatory only for MIIs, outlines approaches for scenario-based testing of cyber resilience. Such testing lets an MII evaluate how well it can respond to and recover from different types of cyber attack.
Annexure F provides guidelines for managing the cybersecurity risks of outsourced activities. It is mandatory for all categories of REs, reflecting how much of an RE's risk sits with its suppliers and other third parties.
Annexure G covers security measures for authentication in applications. It is mandatory for MIIs, Qualified REs, Mid-size REs, and Small-size REs, but not for Self-certification REs. Its guidelines help ensure that access to applications is controlled by robust authentication mechanisms.
Annexure H provides guidelines for securing data in customer-facing applications. It is mandatory for MIIs, Qualified REs, and Mid-size REs, and is aimed at protecting sensitive customer data from unauthorized access.
Annexure I addresses the security of data in transit. It is mandatory for MIIs, Qualified REs, and Mid-size REs, and is meant to ensure that data is protected while moving between systems.
Annexure J provides guidelines for securely adopting and using cloud services. It is mandatory for MIIs, Qualified REs, and Mid-size REs, and helps these entities manage the security challenges specific to cloud environments.
Annexure K describes the Cyber Capability Index (CCI), a tool for measuring an organization's cybersecurity capabilities. It is mandatory for MIIs and Qualified REs and provides a quantitative assessment of cybersecurity maturity.
Annexure L defines the scope of Vulnerability Assessment and Penetration Testing. It is mandatory for all categories of REs, ensuring that VAPT activities cover all the systems and components that need testing.
Annexure M sets out the framework for establishing and operating a Security Operations Center (SOC) for Market Infrastructure Institutions. It is mandatory only for MIIs, reflecting their critical role in the financial ecosystem.
Annexure N provides guidelines for measuring the effectiveness of a Security Operations Center. It is mandatory for MIIs and Qualified REs, ensuring that their SOCs are actually functioning effectively in detecting and responding to security incidents.
Annexure O provides guidelines for classifying and handling different types of cybersecurity incidents. It is mandatory for all categories of REs, ensuring consistent incident response across the industry.
Annexure P provides a specific reporting format for Self-certification REs. It is mandatory only for that category and simplifies the reporting process for smaller entities.
The CSCRF follows a graded approach, with different annexure requirements based on the category of the regulated entity. Here's a breakdown of which annexures are mandatory for each category:
As the most critical financial market infrastructures, MIIs have the most comprehensive requirements and must comply with every annexure except Annexure P, the self-certification format (Annexure D is guidance addressed to auditors rather than to the MII itself). This includes the advanced requirements of scenario-based cyber resilience testing (Annexure E), a dedicated SOC framework (Annexure M), and SOC efficacy measurement (Annexure N).
Qualified REs must comply with most annexures (A, B, C, F, G, H, I, J, K, L, N, O). They are exempt from Annexure E (scenario-based testing) and Annexure M (SOC framework for MIIs), but must implement and measure the efficacy of their SOC (Annexure N).
Mid-size REs have fewer requirements than Qualified REs but still must comply with multiple annexures (A, B, C, F, G, H, I, J, L, O). They are exempt from requirements related to the Cyber Capability Index (Annexure K) and SOC efficacy measurement (Annexure N).
Small-size REs have reduced requirements, focusing on core security controls (Annexures A, B, C, F, G, L, O). They are exempt from requirements related to customer-facing application security (Annexure H), data transport security (Annexure I), cloud services (Annexure J), and SOC-related annexures.
Self-certification REs have the least stringent requirements, focusing on basic security controls (Annexures A, C, F, L, O, and P). Unlike other categories, their VAPT reports need not come from CERT-In empaneled vendors, and they report using Annexure P, the format designed specifically for self-certification.
The June 30, 2025 date stems from a circular SEBI issued on March 28, 2025, after receiving multiple requests from regulated entities for additional time to ease compliance with the framework's requirements; that circular extended the timeline by three months.
SEBI's CSCRF represents a significant step forward in establishing a standardized approach to cybersecurity for regulated entities in the Indian securities market. The framework's annexures provide detailed guidance for implementing various aspects of cybersecurity and cyber resilience.
For a Self-certification RE, compliance with the mandatory annexures (A, C, F, L, O, and P) is achievable through an existing security stack such as Acronis End Point Protection, Cloudflare Access ZTNA, and Axiom IO, with Ofofo.ai providing support for compliance management.
With the extended compliance deadline of June 30, 2025 (which applies to REs other than MIIs, KRAs, and QRTAs), REs have time to review and refine their cybersecurity controls and ensure full compliance with the CSCRF requirements. By focusing on the annexures mandatory for their category and leveraging existing security solutions, an RE can strengthen its cybersecurity posture and demonstrate compliance with SEBI's requirements.