Compliance Relief: SEBI Gives Regulated Entities More Time for CSCRF Implementation

Swagta Nath

In August 2024, the Securities and Exchange Board of India (SEBI) issued a landmark directive to overhaul the cybersecurity practices of all its regulated entities (REs). Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, dated August 20, 2024, marked the launch of SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF). The objective was clear: create a unified, robust security ecosystem capable of anticipating, withstanding, containing, recovering, and evolving in the face of cyberattacks.

Until this point, only Market Infrastructure Institutions (MIIs)—like stock exchanges and depositories—were subject to SEBI’s detailed cybersecurity mandates. The 2024 circular dramatically expanded the scope, bringing all SEBI-regulated entities under a common cybersecurity umbrella, including brokers, mutual funds, asset managers, portfolio managers, investment advisers, research analysts, RTAs, and AIFs.

Core Pillars of the Framework

At the heart of the CSCRF lies a five-pillar structure aligned with global best practices:

Pillar | Description
Anticipate | Risk assessments, threat modeling, and intelligence sharing
Withstand | Deployment of security technologies like firewalls, MFA, and endpoint controls
Contain | Incident isolation, network segmentation, and policy-based restrictions
Recover | Data backups, disaster recovery planning, and continuity management
Evolve | Training, audits, periodic reviews, and updates to cyber protocols

The framework also maps these pillars to cybersecurity functions such as Govern, Identify, Protect, Detect, Respond, and Recover, drawing heavily from ISO/IEC 27001, NIST, and CERT-In standards.

Classification of Entities

To ensure proportionality and ease of implementation, SEBI classified REs into four risk-based categories:

  1. Qualified REs – Large entities with critical operations (e.g., high AUM, large client base).
  2. Mid-size REs
  3. Small REs
  4. Self-Certified REs – Very small REs with under 100 clients.

Each category has specific cybersecurity expectations based on its scale and systemic importance.

Key Controls Mandated

For Qualified and Mid-size REs, the following became mandatory:

  • Establishment of a Security Operations Centre (SOC) – in-house or through SEBI-approved Market SOCs (M-SOCs) such as those offered by NSE and BSE.
  • Hardware Security Modules (HSM) for securing digital signatures and encryption keys.
  • Multi-Factor Authentication (MFA) for all critical systems.
  • Vulnerability Assessment and Penetration Testing (VAPT) and periodic red teaming.
  • Incident Reporting within 6 hours of detection.
  • Third-party risk management through contract clauses and vetting.

Compliance Timelines from Initial Circular (2024)

Entity Type | Compliance Deadline
Qualified & Mid-size REs | January 1, 2025
All other REs | April 1, 2025
Submission of Implementation Report | Within 30 days of respective deadlines

Entities were also required to assess themselves using a Cyber Capability Index (CCI) and report their maturity levels to SEBI.

June 30, 2025 Circular: Extension & Clarification

Recognizing the scale of transformation required, SEBI issued a follow-up circular on June 30, 2025 (Circular No. SEBI/HO/ITD‑1/ITD_CSC_EXT/P/CIR/2025/96). The circular provided additional time and flexibility for entities that were unable to fully implement the CSCRF by the original deadlines.

Key Highlights of the June Circular:

  • New Deadline: Compliance deadline extended by 2 months, i.e., till August 31, 2025, for all regulated entities except:
      • Market Infrastructure Institutions (MIIs)
      • KYC Registration Agencies (KRAs)
      • Qualified Registrars to an Issue and Share Transfer Agents (QRTAs)
    (These entities are expected to have already complied.)
  • Scope of Circular: Applies to a vast range of regulated entities, including:
      • AIFs, AMCs, Mutual Funds
      • Portfolio Managers
      • Stock Brokers and Depositories
      • Research Analysts and Investment Advisers
      • Custodians, Merchant Bankers, Debenture Trustees, etc.
  • Immediate Effect: All provisions of the circular came into force with immediate effect on June 30, 2025.
  • Compliance Enforcement: Stock Exchanges and Depositories have been directed to:
      • Inform their members/participants of the updated timelines.
      • Publish the circular on their respective websites.

Industry Impact and Way Forward

Industry experts have welcomed the CSCRF as a long-overdue modernization of India’s securities infrastructure. “SEBI’s risk-tiered approach is both pragmatic and progressive,” said a cybersecurity consultant advising mutual fund houses. “But implementation across thousands of REs will require continuous support and coordination with MIIs and tech providers.”

SEBI’s proactive stance comes amid a sharp rise in ransomware attacks, data breaches, and AI-powered phishing campaigns targeting the financial sector. By institutionalizing cyber hygiene across every level of market operation, SEBI aims to insulate the financial backbone of India from emerging digital threats.

With the initial roadmap issued in 2024 and reinforced by the June 2025 circular, SEBI’s Cybersecurity and Cyber Resilience Framework marks a decisive leap forward in India’s regulatory posture. Entities that delay implementation now risk not only cyber breaches but also regulatory consequences.
