
Understanding SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF)
Protection from cyber-attacks is essential to the day-to-day operation of financial services in a digital world. The Securities and Exchange Board of India (SEBI) has formulated the Cyber Security and Cyber Resilience Framework (CSCRF) for Regulated Entities (REs) so that they can safeguard themselves and stay resilient against cyber threats. It aims to raise the level of security at the institutions responsible for keeping the financial markets secure, enabling them to prevent, detect, and respond to cyber-attacks.
The Necessity of SEBI CSCRF Compliance
SEBI has made CSCRF compliance mandatory to protect the financial ecosystem from constantly emerging and increasingly aggressive cyber threats. Given the rising frequency of cyberattacks, SEBI requires REs to adopt stringent cybersecurity measures that protect sensitive financial data from unauthorized access, since the integrity of that data is of utmost importance. Failure to comply with the CSCRF exposes an organization to financial, legal, and reputational risks.
Entities Required to Follow SEBI CSCRF
The Cyber Security and Cyber Resilience Framework (CSCRF) applies to entities regulated by SEBI in the financial sector, including Market Infrastructure Institutions (MIIs) such as Stock Exchanges, Clearing Corporations and Depositories, and other REs classified as Qualified REs, Mid-size REs, Small-size REs or Self-certification REs according to operational risk and asset size. Each RE must self-classify at the start of the financial year based on the previous year’s data and maintain that classification throughout the year.
The category shall be validated by the respective reporting authority at the time of compliance submission. Further, the criteria given and their thresholds for different categories will continue to be updated as and when required.
Entity-wise categorization and corresponding thresholds shall be as follows:
- Alternative Investment Fund (AIF) -
Criteria and thresholds for AIFs categorization
S.No. | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
---|---|---|---|---|---|
1 | AUM | Less than Rs. 100 crores | Rs. 100 crores and above but less than Rs. 500 crores | Rs. 500 crores and above but less than Rs. 1000 crores | Rs. 10 Lakh crores and above |
Criteria and thresholds for Client-based and proprietary stock brokers’ categorization
S.No. | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
---|---|---|---|---|---|
2 | Active Client-base as per UCC | Less than or equal to 10,000 active clients and not providing IBT or Algo trading facility | More than 10,000 and up to 50,000 active clients; or less than or equal to 10,000 active clients and providing IBT facility / Algo trading facility | More than 50,000 and up to 5,00,000 active clients | More than 5,00,000 active clients |
Criteria and thresholds for Portfolio Managers categorization
S.No. | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
---|---|---|---|---|---|
3 | AUM | Less than Rs. 1000 crores | Rs. 1000 crores and above but less than Rs. 3000 crores | Rs. 3000 crores and above | N.A. |
Criteria and thresholds for VCFs categorization
S.No. | Criteria | Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
---|---|---|---|---|---|
4 | Sum of corpus of all schemes of the VCF | Less than Rs. 100 crores | Rs. 100 crores and above but less than Rs. 500 crores | Rs. 500 crores and above but less than Rs. 1000 crores | Rs. 1000 crores and above |
- Banker to an Issue and Self-Certified Syndicate Banks (SCSBs) - Banker to Issue and Self-Certified Syndicate Banks shall submit a certificate of compliance with CSCRF to SEBI on the cybersecurity guidelines issued by RBI. Wherever the bank is a listed entity, the above-mentioned certificate of compliance shall also be intimated to Stock Exchanges.
- Collective Investment Scheme (CIS) - CIS shall be under Self certification REs category.
- Credit Rating Agency (CRA) - CRAs shall be under Self-certification REs category.
Criteria and thresholds for Custodians categorization
S.No. | Criteria | Small-size REs | Mid-size REs | Qualified REs |
---|---|---|---|---|
1 | AUC | Less than Rs. 1 Lakh crores | Rs. 1 Lakh crores and above but less than Rs. 10 Lakh crores | Rs. 10 Lakh crores and above |
Criteria and thresholds for DPs categorization
S.No. | Criteria | Small-size REs | Mid-size REs | Qualified REs |
---|---|---|---|---|
2 | Type of DP | N.A. | Non-institutional DP | Institutional DP |
Criteria and thresholds for MFs/ AMCs categorization
S.No. | Criteria | Small-size REs | Mid-size REs | Qualified REs |
---|---|---|---|---|
3 | AUM | Less than Rs. 10,000 crores | Rs. 10,000 crores and above but less than Rs. 1 lakh crores | Rs. 1 lakh crores and above |
Criteria and thresholds for RTAs categorization
S.No. | Criteria | Small-size REs | Mid-size REs | Qualified REs |
---|---|---|---|---|
4 | Servicing number of folios | 10,000 and above but less than 1 crore | 1 crore and above but less than 2 crore | N.A. |
- Debenture Trustee (DT) - DTs which have not added any new issuer of listed debt security as client in the last three financial years shall be excluded from submission of compliance with CSCRF. Remaining DTs shall be under the Self-certification REs category.
- Designated Depository Participants (DDPs) - To get approval as a DDP, an entity, inter alia, is required to have valid SEBI registration as a Depository Participant (DP) as well as a Custodian. Therefore, the categorization of the highest category among DPs and Custodians shall be applicable to DDPs for submission of compliance with CSCRF.
- Qualified Stock Brokers (QSBs) - As per SEBI circular SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/24 dated February 06, 2023, enhanced obligations and responsibilities have been cast upon Qualified Stock Brokers (QSBs), which are defined based on their size of operations, trading volumes, amount of client funds handled by them, etc. Hence, such QSBs shall be categorized as Qualified REs.
- Foreign Portfolio Investors (FPIs) - FPIs shall be excluded from submission of compliance with CSCRF.
- Foreign Venture Capital Investors (FVCI) - FVCI shall be excluded from submission of compliance with CSCRF.
- Investment Advisors (IAs) / Research Analysts (RAs) -
- Investment Advisors (IAs) -
Criteria and thresholds for IAs categorization
Individual IAs | Non-individual IAs |
---|---|
Individual IAs shall be excluded from submission of compliance with CSCRF. | Non-individual IAs shall be categorized as Small-size REs. |
- Research Analysts (RAs) -
Criteria and thresholds for RAs categorization
All RAs who are not registered in any other category of REs | Institutional RAs who are registered in another category of REs |
---|---|
All RAs who are not registered in any other category of REs shall be excluded from submission of compliance with CSCRF. However, the SEBI SaaS circular titled “Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions” dated November 03, 2020 is applicable to RAs, under which a declaration shall be submitted in respect of SaaS used for managing their governance, risk and compliance functions and for improving their cybersecurity posture. | Institutional RAs who are registered with SEBI in another category of REs shall be classified as Qualified REs / Mid-size REs / Small-size REs based on their categorization in that other RE category or their group entity’s category. |
- KYC Registration Agencies (KRAs) - KRAs shall be treated at par with MIIs category for the applicability of the CSCRF.
- Limited Purpose Clearing Corporation (LPCC) - LPCC shall be excluded from submission of compliance with CSCRF.
- Merchant Bankers (MBs) -
Criteria and thresholds for MBs categorization
S.No. | Merchant Banker | Category for CSCRF |
---|---|---|
1 | An entity, or its parent/ subsidiary/ associate company, which is part of a conglomerate/ Systemically Important Financial Institution | Qualified REs |
2 | MBs which are engaged in any activity pertaining to issue management, inter alia Public Issues (IPOs, FPOs, IPOs by SMEs), Public Offers by REITs/ InvITs, Buy-Back of Securities, Delisting of Equity Shares, and Open Offers under the SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 2011 | Mid-size REs |
3 | All other MBs not covered in clauses 1 and 2 of this table | Small-size REs |
Wherever the MB is a listed entity, the compliance requirement shall also be intimated to Stock Exchanges.
- Qualified Depository Participants (QDPs) - QDPs shall be excluded from CSCRF compliance.
- Real Estate Investment Trust (REIT)/ Infrastructure Investment Trust (InvIT) - REITs/ InvITs shall be excluded from submission of compliance with CSCRF.
- RTAs - RTAs servicing less than 10,000 folios shall be excluded from submission of compliance with CSCRF.
- Vault Managers - Vault Managers shall be excluded from submission of compliance with CSCRF.
In case an RE is registered under more than one category of REs, the provisions of the highest category under which such an RE falls shall be applicable to that RE.
Consequences of Non-Compliance with SEBI CSCRF
- Regulatory fines and legal consequences
- Suspension or revocation of operating licenses
- Loss of customer trust and market reputation
- Increased vulnerability to cyber threats and financial fraud
How CyberCube Services Ensures CSCRF Compliance
CyberCube Services provides end-to-end cybersecurity solutions tailored for SEBI-regulated entities. Our comprehensive compliance approach includes:
- SEBI-Aligned Audit Framework
- Expertise in Regulated Entities
- Full Compliance Support
- Certified Cybersecurity Auditors
CyberCube’s CSCRF Audit Services
- Cyber Risk and Governance Audits: Documenting operational governance structures and risk framework assignments.
- Vulnerability Assessment & Penetration Testing (VAPT): Identifying and eliminating security risks.
- Security Operations Center (SOC) Assessment: Ensuring real-time threat detection and response.
- Review of Incident Response & Crisis Management: Testing and verifying strategy deployment.
- Cyber Capability Index: Measuring resilience levels according to SEBI standards.
- Data Security & Compliance Checks: Ensuring encryption, classification, and localization compliance.
- Audit Reporting and Compliance Assistance: Providing structured audit reports and advisory services for SEBI compliance.
Stay Ahead with CyberCube - Get your SEBI CSCRF Compliance Checklist
CSCRF compliance sounds complex, but it becomes quite easy with CyberCube Services. We offer a SEBI CSCRF Compliance checklist that allows financial institutions to confirm compliance with all the regulatory requirements well before the deadline.