SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF) has materially raised the bar for cybersecurity governance at India’s capital market intermediaries. The framework is no longer just about having an antivirus policy — it requires a risk-based, continuously monitored, and independently audited cybersecurity programme.
Here are 5 things every broker, AMC, or market participant must address before their next system audit.
5 KEY REQUIREMENTS
1. RISK-TIERED CLASSIFICATION — SEBI has classified intermediaries into Market Infrastructure Institutions (MIIs), Qualified Registered Entities (QREs), and other intermediaries with different control requirements for each tier. Know your classification and the specific controls applicable to your tier.
2. SOC REQUIREMENTS — Depending on your risk tier, you may be required to have an in-house SOC or subscribe to a managed SOC service. The SOC must provide 24×7 monitoring, threat detection, and incident response capabilities. System auditors will verify SOC coverage and effectiveness.
3. MANDATORY VAPT — Annual VAPT is mandatory under CSCRF for all intermediaries. The VAPT must be conducted by an independent, qualified cybersecurity firm. Trading portal, mobile app, APIs, and network infrastructure must be in scope. The VAPT report is submitted as part of the system audit.
4. DR TESTING — SEBI requires documented, tested DR drills. RTO/RPO must be within SEBI-prescribed limits. System auditors will review DR drill documentation, test results, and exception handling. A DR drill that exists only on paper is a high-risk finding.
5. LOG MANAGEMENT — SIEM deployment with coverage of all critical systems is now expected. Log retention (minimum 1 year online + 2 years archived), log review procedures, and alert management must be documented and operational. System auditors test log completeness and review effectiveness.
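The log completeness and retention tests mentioned under item 5 can be rehearsed before the auditor arrives. The script below is an added example and is not Zorixx's tooling or anything prescribed by SEBI; the export line format, the host names, the list of expected critical systems and the two-hour silence threshold are constructed assumptions. It parses a SIEM-style export, flags critical systems that sent nothing at all, flags silent windows on systems that did report, and checks the oldest online and archived log dates against the 1 year online + 2 years archived minimum.

```python
"""Log completeness and retention checks of the kind a system auditor
runs against a SIEM export. Added example; not part of the original post."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical hosts): "<ISO timestamp> host=<name> event=<type> ...".
# trading-gw-01 goes silent between 02:00 and 06:00; risk-engine-01 never reports at all.
SAMPLE_LOG = """\
2024-03-01T00:00:00 host=trading-gw-01 event=heartbeat
2024-03-01T01:00:00 host=trading-gw-01 event=heartbeat
2024-03-01T02:00:00 host=trading-gw-01 event=login user=ops1
2024-03-01T06:00:00 host=trading-gw-01 event=heartbeat
2024-03-01T07:00:00 host=trading-gw-01 event=heartbeat
2024-03-01T00:00:00 host=oms-db-01 event=heartbeat
2024-03-01T01:00:00 host=oms-db-01 event=heartbeat
2024-03-01T02:00:00 host=oms-db-01 event=heartbeat
"""

# Critical systems the SIEM is expected to cover (constructed list).
EXPECTED_HOSTS = ["trading-gw-01", "oms-db-01", "risk-engine-01"]

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S"
ONLINE_RETENTION = timedelta(days=365)          # 1 year online
TOTAL_RETENTION = timedelta(days=365 + 2 * 365)  # plus 2 years archived


def parse_log(text):
    """Return ({host: sorted datetimes}, malformed_line_count). Lines that do not
    start with a timestamp or lack a host= field are counted and skipped; an
    auditor will want that count, since unparseable lines are also a gap."""
    per_host = defaultdict(list)
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            ts = datetime.strptime(parts[0], TIMESTAMP_FORMAT)
            host = fields["host"]
        except (ValueError, KeyError):
            malformed += 1
            continue
        per_host[host].append(ts)
    for host in per_host:
        per_host[host].sort()
    return dict(per_host), malformed


def find_gaps(timestamps, max_gap):
    """Return (start, end) pairs where consecutive events are further apart than max_gap."""
    return [(prev, cur) for prev, cur in zip(timestamps, timestamps[1:]) if cur - prev > max_gap]


def coverage_report(text, expected_hosts, max_gap=timedelta(hours=2)):
    """Completeness check: every expected critical system must appear in the
    export, and no system may have a silent window longer than max_gap."""
    per_host, malformed = parse_log(text)
    report = {
        "missing_hosts": sorted(set(expected_hosts) - set(per_host)),
        "malformed_lines": malformed,
        "gaps": {},
    }
    for host, ts in per_host.items():
        gaps = find_gaps(ts, max_gap)
        if gaps:
            report["gaps"][host] = gaps
    return report


def gap_summary(report):
    """Render the gaps as one audit-evidence line per silent window."""
    lines = []
    for host, gaps in sorted(report["gaps"].items()):
        for start, end in gaps:
            hours = (end - start).total_seconds() / 3600
            lines.append(f"{host}: silent {start.isoformat()} -> {end.isoformat()} ({hours:.1f}h)")
    return lines


def retention_ok(oldest_online, oldest_archived, as_of):
    """Retention check from ISO dates: the online store must reach back at least
    1 year and the archive at least 3 years (1 online + 2 archived) from as_of."""
    ref = datetime.fromisoformat(as_of)
    return {
        "online": datetime.fromisoformat(oldest_online) <= ref - ONLINE_RETENTION,
        "archived": datetime.fromisoformat(oldest_archived) <= ref - TOTAL_RETENTION,
    }


if __name__ == "__main__":
    rep = coverage_report(SAMPLE_LOG, EXPECTED_HOSTS)
    print("missing critical systems:", rep["missing_hosts"])
    print("malformed lines:", rep["malformed_lines"])
    for line in gap_summary(rep):
        print(line)
    print("retention:", retention_ok("2023-01-01", "2021-01-01", "2024-03-01"))
```

The missing-host check and the silence check are deliberately separate findings: a system absent from the SIEM entirely is a coverage failure, while a host that reports and then falls silent usually points at a broken forwarder or log rotation, and the auditor will ask for a different remediation for each. The retention function takes the oldest timestamp actually present in each store rather than the configured policy, because the CSCRF expectation is that the logs exist, not that a policy says they should.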
PREPARATION TIMELINE
For an intermediary approaching a system audit, Zorixx recommends beginning preparation 3–4 months in advance:
• Month 1 — gap assessment and VAPT.
• Month 2 — remediation of critical findings.
• Month 3 — DR drill and documentation.
• Month 4 — pre-audit readiness review and report preparation.
