SEBI CSCRF 2024: Complete Compliance Guide for Brokers and DPs

Threat ResQ Team  ·  Feb 2026  ·  10 min read

SEBI's Cyber Security and Cyber Resilience Framework is now in effect. A practical checklist for stock brokers, depository participants, and AMCs.

What Is SEBI CSCRF 2024?

SEBI's Cyber Security and Cyber Resilience Framework 2024 is the most comprehensive cybersecurity mandate ever issued by SEBI. It applies to all SEBI-regulated entities: stock brokers, depository participants (DPs), asset management companies (AMCs), portfolio managers, KYC registration agencies (KRAs), and market infrastructure institutions (MIIs).

Who Must Comply?

  • Stock Brokers (all categories)
  • Depository Participants (NSDL and CDSL)
  • Asset Management Companies
  • Portfolio Managers
  • KYC Registration Agencies
  • Market Infrastructure Institutions

Governance Requirements

  • Board-approved Cyber Security Policy (reviewed annually)
  • Designated CISO with direct board access
  • Cyber Security Committee at Board level
  • Annual cybersecurity review by Board
  • Annual documented employee awareness training

Technical Controls Required

  • Multi-Factor Authentication for all privileged users
  • Network segmentation with documented DMZ architecture
  • Endpoint Detection and Response (EDR) on all managed devices
  • Web Application Firewall for internet-facing applications
  • SIEM with 180-day log retention (CERT-In compliant)
  • Data Loss Prevention (DLP)
  • Privileged Access Management (PAM)

VAPT Requirements

  • Annual VAPT of all internet-facing applications by CERT-In empanelled vendor
  • Quarterly vulnerability assessments
  • Critical findings remediated within 30 days
  • VAPT report available to SEBI on request

Incident Management

  • Documented Incident Response Plan reviewed annually
  • Report to SEBI within 6 hours of significant incidents
  • Annual IR drill or tabletop exercise

6-Month Compliance Roadmap

  1. Month 1: Gap assessment against all CSCRF requirements
  2. Month 2: Board approval of policy, designate CISO, form committee
  3. Month 3: Deploy MFA, EDR, and SIEM; engage a CERT-In empanelled VAPT vendor
  4. Month 4: Complete VAPT, implement WAF, remediate critical findings
  5. Month 5: Vendor risk assessments, IR tabletop exercise, DLP
  6. Month 6: Close critical findings, internal audit, board review

Need Help With This?

Threat ResQ offers free 30-minute consultations on all topics covered in this article. Our certified experts give you a tailored action plan.
