
SEBI Compliance Audit (CSCRF)


Guidelines of SEBI - A Complete Overview

“Cyber Security & Cyber Resilience Framework for Regulated Entities”.

SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF), introduced in August 2024, mandates cybersecurity measures for all SEBI-regulated entities (REs), including risk management, regular VAPT, ISO 27001 certification (for the larger categories of REs) and periodic cyber audits. The framework aims to strengthen the ability of REs to anticipate, withstand, recover from and adapt to cyber threats. The audit applies to a broad range of entities, such as stock brokers, mutual funds and asset management companies, investment bankers, portfolio managers and others. The CSCRF divides REs into five categories, namely MIIs, Qualified REs, Mid-size REs, Small-size REs and Self-certification REs, based on asset size, trading volume and client base; the obligations scale with the category.

Who is Involved?

A diverse set of financial entities is integral to the functioning and regulation of India’s securities and investment ecosystem. From stockbrokers and depositories to mutual funds and asset management companies, each plays a role in ensuring operational efficiency, investor protection and regulatory compliance.

Detailed guidelines and responsibilities are set out in the SEBI circular (Ref: SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/45).

  • Stockbrokers
  • Depositories
  • Wealth Management
  • Asset Management Companies
  • Mutual Funds
  • Trustee Companies
  • Association of Mutual Funds in India

Methodology

The purpose of the audit is to identify discrepancies or inadequacies in the system, if any, against the compliance requirements, and to assess the consequences of such gaps. The checklist, known as the Cyber Resilience Framework checklist, covers the domains that must be considered while auditing stock exchanges, depositories and intermediaries.


Our Approach

All the information gathered is compiled into a well-documented scope that determines the boundaries and applicability of the SEBI Cyber Security & Cyber Resilience Framework for Regulated Entities (CSCRF) audit, with reference to the stakeholders’ pain points and requirements. The scope covers the systems in question, the number of departments and the locations of the organization.


Once the scope, objective and criteria for the audit have been defined, the board members of the auditee must draft an audit plan. The auditee, together with the auditors, should agree on the nature, timing and extent of the tests of controls and substantive procedures, including the examination of network security measures.

After defining what is and is not to be audited, an audit schedule is published with the approval of both parties. The schedule sets a timeline indicating which departments are audited within which time window.

Once the audit schedule is published, the auditors examine the documents and controls already in place in the auditee’s organization. The aim is to determine whether there are any discrepancies or observations to be raised against the auditee’s organization.

After conducting the audit, the auditing body records its observations, areas of improvement, and minor and major non-conformities against the departments that were audited. These observations are compiled into a summary report together with the standard checklist that was followed.



FAQs

Will SEBI hold an RE accountable if a third-party vendor breaches its contract and violates CSCRF guidelines?

Regulated Entities (REs) bear full responsibility for all aspects of third-party services, including, but not limited to, the confidentiality, integrity, availability, non-repudiation and security of their data and logs. They must also ensure full compliance with all applicable laws, regulations, circulars and directives issued by SEBI or the Government of India. REs are held liable for any breaches or violations arising from these obligations, regardless of whether the failure originated with the vendor.

SEBI strictly prohibits fraudulent and unfair practices in the securities market, such as insider trading, market manipulation, and the use of deceptive schemes. These restrictions are intended to uphold market integrity and safeguard the interests of investors.

The CSCRF covers various financial entities like stock brokers, mutual funds, AMCs, investment bankers, portfolio managers, and AIFs. It provides tiered, risk-based cybersecurity guidelines tailored to each entity’s specific requirements.
