SEBI CSCRF FAQ 2025: What Regulated Entities Need to Know
Introduction: Why This FAQ Matters
In August 2024, SEBI introduced its Cybersecurity and Cyber Resilience Framework (CSCRF) to strengthen the security posture of Regulated Entities (REs). On June 11, 2025, SEBI released a comprehensive FAQ (76 questions across 17 sections) to clarify CSCRF implementation, covering governance, audits, cloud adoption, operational resilience, and emerging threats.
This blog provides actionable insights for CISOs, CTOs, compliance teams, and IT heads in SEBI-regulated organizations, ensuring they meet CSCRF requirements effectively.
What’s new in SEBI FAQ
Quick Recap: What Is CSCRF?
CSCRF sets minimum cybersecurity standards for SEBI REs by:
- Mitigating evolving cyber threats
- Promoting incident preparedness and resilience
- Enhancing audit and compliance mechanisms
- Enforcing cloud data control and risk frameworks
REs are tiered into Market Infrastructure Institutions (MIIs), Qualified REs (e.g., Qualified Stock Brokers), Mid-size REs, Small-size REs, and Self-certification REs, with obligations scaled to risk profiles. The framework also integrates SEBI’s Cloud Adoption guidelines (Circular SEBI/HO/ITD1/ITD_CSC_EXT/P/CIR/2024/113).
20 Key Clarifications from SEBI’s FAQ
Top Clarification
- Dedicated, Full-Time CISO
REs must appoint a full-time CISO. No part-time or dual-role arrangements are allowed, except group-level CISOs across affiliated entities. (FAQ Q3-Q4, Page 4)
Action: Define the CISO’s role in org charts, ensuring they report to the MD/CEO for MIIs/Qualified REs.
Example: Use governance tools to document reporting structures.
- Audit Scope Limited to SEBI-Relevant IT
CSCRF applies only to IT systems used for SEBI-regulated activities. Segregation is key. (FAQ Q8, Q27, Page 6, 11)
Action: Document segregation of SEBI-related systems and include connected ancillary systems in audit scopes.
Example: Use network segmentation tools to isolate SEBI systems.
- Virtual Patching Allowed
For third-party delays, REs can apply virtual patching as a compensatory control. Patches must close within 3 months. (FAQ Q15, Page 8)
Action: Implement virtual patching via WAFs and align SLAs with vendors to meet closure timelines.
Example: Deploy SiteWALL WAF with integrated virtual patching and vulnerability management capabilities.
- Cloud Data Sovereignty
All encryption keys and processing must stay in India. Use Bring Your Own Key (BYOK) strategies. (FAQ Q26, Page 11)
Action: Verify CSP contracts for Indian key management and include BYOK clauses.
Example: Use key management services with BYOK support, ensuring MeitY compliance.
- M-SOC for Small REs
Small REs can enroll in Market-SOC (M-SOC) by NSE/BSE instead of maintaining an in-house SOC. (FAQ Q59-Q60, Page 20)
Action: Contact NSE/BSE for M-SOC enrolment (e.g., NSE Circular: https://nsearchives.nseindia.com/content/circulars/MSD66154.pdf) or prepare SOC efficacy reports.
Example: Small REs can leverage M-SOC for 24/7 monitoring at a lower cost.
- Shared Audit Reports Allowed
Group companies may submit a single audit report for shared infrastructure if controls and documentation align. (FAQ Q63, Page 20)
Action: Ensure shared reports include evidence of uniform controls across affiliates.
Example: Use a shared GRC platform to document controls.
- Mandatory SBOM
REs must obtain a Software Bill of Materials (SBOM) for all critical apps, including in-house or COTS tools. (FAQ Q35-Q37, Page 13)
Action: Request SBOMs from vendors or document risk mitigation plans for legacy systems.
Example: Use SBOM generation tools supporting CycloneDX or SPDX formats.
- Strict RTO/RPO Requirements
Recovery Time Objective (RTO) = 2 hours, Recovery Point Objective (RPO) = 15 minutes for critical systems. These are non-negotiable. (FAQ Q71, Page 22)
Action: Align DR plans with these timelines and test via live drills.
Example: Use DR solutions for near-zero RPO backups.
- Open-Source Tools Permitted
Auditors may use open-source tools if legally licensed for commercial use. (FAQ Q28, Page 11)
Action: Verify auditor tools’ licensing to avoid compliance risks.
Example: Use licensed open-source security testing tools.
- CCI and Dashboard Automation
MIIs: Cyber Capability Index (CCI) assessed by third-party every 6 months. Qualified REs: Annual self-assessment. Dashboards recommended. (FAQ Q30-Q32, Page 12)
Action: Develop dashboards using log aggregators and ensure decimal scoring (up to two places).
Example: Use SIEM solutions for CCI dashboards with automated scoring.
- Inventory of Cryptographic Assets Required
Maintain a list of keys, certificates, and algorithms, and prepare for Post-Quantum Cryptography (PQC) migration. (FAQ Q13, Page 7-8)
Action: Document assets and assess PQC readiness (e.g., reference NIST PQC standards like CRYSTALS-Kyber).
Example: Use key management platforms to inventory cryptographic assets.
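The inventory above is more useful if each entry is classified by quantum readiness rather than just listed. The following added example (not from the SEBI FAQ, CSCRF or any vendor) takes a constructed inventory of keys and certificates and flags the assets that a PQC migration plan must address; the status mapping is an assumption following NIST's published PQC standards (ML-KEM in FIPS 203 is the standardised CRYSTALS-Kyber, ML-DSA in FIPS 204 the standardised Dilithium) and should be adjusted to the RE's own cryptographic policy.

```python
from datetime import date

# Quantum-readiness status per algorithm family. Assumption: mapping follows
# NIST's PQC guidance (ML-KEM = FIPS 203, ML-DSA = FIPS 204); adjust to policy.
ALGORITHM_STATUS = {
    "RSA": "migrate", "ECDSA": "migrate", "ECDH": "migrate", "DH": "migrate",
    "AES-128": "review",   # Grover's algorithm halves the effective key strength
    "AES-256": "ok", "SHA-256": "ok", "SHA-384": "ok",
    "ML-KEM": "pqc", "ML-DSA": "pqc",
}
MIN_BITS = {"RSA": 3072, "DH": 3072, "ECDSA": 256, "ECDH": 256}  # classical floor

def classify(asset, today):
    """Return (asset id, status, findings) for one inventory entry."""
    alg = asset["algorithm"]
    status = ALGORITHM_STATUS.get(alg, "unknown")
    findings = []
    if status == "unknown":
        findings.append("algorithm not in approved list")
    elif status == "migrate":
        findings.append("quantum-vulnerable public-key algorithm")
    elif status == "review":
        findings.append("symmetric key below 256-bit post-quantum margin")
    if alg in MIN_BITS and asset.get("bits", 0) < MIN_BITS[alg]:
        findings.append(f"key size {asset.get('bits')} below {MIN_BITS[alg]}-bit floor")
    expires = asset.get("expires")
    if expires and date.fromisoformat(expires) < today:
        findings.append("certificate/key expired")
    return asset["id"], status, findings

def inventory_report(assets, today_iso):
    """Classify every asset and tally statuses; 'migrate' is the PQC backlog."""
    today = date.fromisoformat(today_iso)
    rows = [classify(a, today) for a in assets]
    summary = {}
    for _, status, _ in rows:
        summary[status] = summary.get(status, 0) + 1
    return rows, summary

SAMPLE_INVENTORY = [  # constructed sample entries, not real assets
    {"id": "tls-trading-api", "algorithm": "RSA", "bits": 2048, "expires": "2026-03-31"},
    {"id": "db-at-rest", "algorithm": "AES-256", "bits": 256},
    {"id": "legacy-vpn", "algorithm": "ECDH", "bits": 256, "expires": "2024-12-31"},
    {"id": "pqc-pilot-kem", "algorithm": "ML-KEM", "bits": 768},
    {"id": "old-hsm-wrap", "algorithm": "3DES", "bits": 168},
]

if __name__ == "__main__":
    rows, summary = inventory_report(SAMPLE_INVENTORY, "2025-06-11")
    for asset_id, status, findings in rows:
        print(f"{asset_id:16} {status:8} {'; '.join(findings) or '-'}")
    print("summary:", summary)
```

Exporting the real inventory from the key management platform into the same fields (id, algorithm, bits, expiry) gives a report that can be attached to the audit evidence for this clarification.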
- Forensic Audits Mandatory for Critical Incidents
CERT-In empanelled third-party auditors must handle forensic audits for High/Critical incidents. (FAQ Q75-Q76, Page 23)
Action: Engage CERT-In empanelled auditors and establish forensic audit protocols.
Example: Partner with CERT-In empanelled auditors for forensic investigations.
- Live DC-DR Drills Required
Tabletop exercises are not enough. Drills must simulate real events with stakeholders. (FAQ Q68-Q70, Page 22)
Action: Schedule live drills covering all incident scenarios within one audit period.
Example: Simulate a ransomware attack with Red/Blue team exercises.
- Patch Testing in Non-Prod
All patches must be tested in staging environments before deployment. (FAQ Q19, Page 9)
Action: Set up staging environments and document patch testing results.
Example: Use virtualization platforms for isolated staging environments.
- Cloud Subcontractor Audits
REs must audit material subcontractors of their Cloud Service Providers (CSPs). (FAQ Q42, Q47, Page 15, 17)
Action: Include subcontractor audit clauses in CSP agreements and verify MeitY empanelment.
Example: Use CSP compliance reports to audit subcontractors.
- Log Management Requirements
REs must collect system, application, network, and security logs, ensuring integrity and confidentiality per MeitY guidelines. (FAQ Q54, Page 18)
Action: Implement a SIEM solution to aggregate logs, encrypt logs in transit/storage, and retain per CSCRF policies (e.g., 12 months).
Example: Use SIEM tools for log aggregation and AES-256 encryption.
- Mobile App Security Standards
Baseline security for mobile apps includes MFA, secure session handling, and OWASP Mobile Top 10 compliance. (FAQ Q57, Page 19)
Action: Conduct DAST/SAST via CERT-In empanelled auditors and enforce OWASP Mobile Top 10 standards.
Example: Use mobile app testing tools to ensure MFA via OAuth 2.0.
- ISO 27001 for Third-Party Providers
Third-party providers must have ISO 27001 certification or align with CSCRF controls. (FAQ Q58, Page 19)
Action: Verify vendor certifications or conduct gap assessments for CSCRF alignment.
Example: Use vendor risk management tools to assess compliance.
- Threat Intelligence Sources
REs must use credible threat intelligence sources for proactive monitoring. (FAQ Q67, Page 21)
Action: Subscribe to threat feeds and integrate with SOC workflows.
Example: Use threat intelligence platforms for real-time feeds.
- VAPT Reporting Format
VAPT reports must follow CSCRF-prescribed formats, including risk ratings and remediation plans. (FAQ Q16-Q17, Page 8)
Action: Ensure auditors submit reports in CSCRF format with CVSS scores and timelines.
Example: Use vulnerability scanning tools to generate standardised reports.
How to Scope Your Audit
Use this decision path to define audit boundaries:
- Does your RE operate in multiple domains? Yes: Audit only SEBI-linked IT infrastructure. No: Include all interconnected systems in scope.
- Are ancillary systems connected? Yes: Include them in the audit scope. No: Exclude non-critical systems.
SEBI CSCRF – Scope Your Audit
Compliance Timelines at a Glance
| Control | RE Type | Frequency | Deadline | FAQ Ref |
|---|---|---|---|---|
| VAPT | QSB | Half-yearly | Sep 30, Mar 31 | Q14 |
| Cyber Audit | Most REs | Annually | Post Mar FY | Q22 |
| CCI Assessment | MIIs | Biannual | Sep 30, Mar 31 | Q31 |
| Live DC-DR Drill | All REs | Annual | Before FY end | Q69 |
CSCRF Compliance Timelines
Visualizing Compliance Obligations by RE Category
To further clarify obligations, here’s a chart comparing requirements across RE categories:
Compliance Obligations by RE Category
Notes:
- VAPT Frequency: QSBs (Qualified) and MIIs require half-yearly VAPT (Q14). Others are annual.
- CCI Assessment: MIIs (biannual, third-party), Qualified REs (annual, self-assessed) (Q31). Others exempt.
- SOC Requirement: Scored as 3 (mandatory own/global SOC for MIIs/Qualified REs), 2 (optional M-SOC for Mid-size), 1 (M-SOC or minimal for Small/Self-certification) (Q59-Q60).
How Tools Can Help with CSCRF Compliance
Various tools and categories can assist REs in meeting CSCRF requirements:
| FAQ Topic | Control Requirement | Tool Category | Examples |
|---|---|---|---|
| Q15: Virtual Patching | Zero-day protection | Web Application Firewalls (WAFs) | SiteWALL, Imperva |
| Q26: Data Sovereignty | Indian hosting + BYOK | Key Management Services | AWS KMS, Azure Key Vault, CtrlS |
| Q30: CCI Reporting | SOC log integration | SIEM Solutions | Splunk, QRadar, ArcSight |
| Q53: DAST Testing | OWASP/DAST scanning | Application Security Testing | Veracode, Checkmarx, OWASP ZAP |
| Q28: Open-Source Tools | Licensed tools | Security Testing Tools | OWASP ZAP, Burp Suite, Nikto |
Disclaimer: These tools and categories support CSCRF compliance, but REs must verify alignment with their specific needs, budgets, and SEBI requirements. For a full list of CERT-In empanelled auditors and MeitY-compliant CSPs, visit https://www.cert-in.org.in and https://www.meity.gov.in
How SiteWALL Helps
Ready for CSCRF Compliance?
SiteWALL provides WAF solutions that support virtual patching, log integration, BYOK architecture, and OWASP scanning. However, compliance requires a tailored approach.
Need support? Request a CSCRF readiness session with SiteWALL, your CSP, or a CERT-In empanelled auditor today.
Final Thoughts
SEBI’s FAQ signals a shift toward continuous governance, automation, and real-time risk mitigation. Compliance is an operational discipline, not a checkbox.
Checklist for REs:
- Document your SEBI-specific infrastructure
- Segregate and scope audits appropriately
- Use certified tools and auditors (e.g., CERT-In empanelled)
- Prepare for quantum-resilient security (e.g., PQC migration)
- Simulate incidents with live drills
- Retain logs per CSCRF policies (e.g., 12 months)
- Secure mobile apps with OWASP standards
- Verify third-party ISO 27001 certifications
- Integrate credible threat intelligence feeds
- Submit VAPT reports in CSCRF format
Additional Topics to Explore:
- Incident Reporting (Q55): Report High/Critical incidents to SEBI within 6 hours (Page 18).
- Cyber Insurance (Q65): MIIs and Qualified REs must maintain cyber insurance (Page 21).
- Third-Party Risk (Q33): Assess third-party risks annually for MIIs (Page 12).
For these and other topics, refer to the full FAQ on SEBI’s website.
Quick Summary for Decision-Makers
If you are short on time, here’s a snapshot of the most important CSCRF obligations that SEBI-regulated entities need to act on:
| Topic | RE Obligation Summary |
|---|---|
| CISO Role | Must appoint a full-time CISO; group-level CISO allowed if shared only within group entities. |
| VAPT | Half-yearly for MIIs and Qualified Stock Brokers (QSBs); others as per category. |
| Cloud Sovereignty | Data, encryption keys, and processing must stay within India. Use BYOK strategies. |
| SBOM | Mandatory for all critical software, in-house and third-party. |
| Forensic Audits | Mandatory for High/Critical incidents and certain Medium/Low ones with inconclusive RCA. |
| CCI Dashboard | MIIs require 3rd-party assessment biannually; Qualified REs do annual self-assessment with automation. |
| Log Retention | Minimum 12-month retention of all relevant logs with integrity and confidentiality safeguards. |
| Live Drills | DC-DR drills must simulate real incidents; tabletop drills are not sufficient. |
Selecting Tools and Auditors: Choose tools based on your RE category, budget, and compliance needs. Small REs may prefer free tools (e.g., OWASP ZAP for Q28) or M-SOC enrolment (Q59-Q60), while MIIs may opt for enterprise solutions (e.g., SIEM solutions for Q30).
For auditors, refer to CERT-In’s empanelled list: https://www.cert-in.org.in/PDF/Empanel_org.pdf
For the full FAQ, visit SEBI’s website or circular https://www.sebi.gov.in/sebi_data/factiles/jun2025/1749647139924.pdf (June 11, 2025).
Additional resources:
- NIST PQC Standards: https://csrc.nist.gov/projects/post-quantum-cryptography
- OWASP Mobile Top 10: https://owasp.org/www-project-mobile-top-10/
- CERT-In Guidelines: https://www.cert-in.org.in
Learn more about CSCRF compliance strategies and SiteWALL’s support offerings at https://www.sitewall.net
Need help with CSCRF compliance? Contact SiteWALL today.