SEBI CSCRF Compliance: VAPT and Cyber Audit Requirements for Brokers, Exchanges, and Mutual Funds
SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) is the most prescriptive cybersecurity regulation ever imposed on India's capital markets. Published in August 2024 with compliance deadlines in January and April 2025, it mandates quarterly VAPT, strict vulnerability remediation timelines, and continuous security monitoring for every regulated entity — from stock exchanges and depositories down to individual stock brokers and mutual fund houses.
If you are a SEBI Regulated Entity (RE), this is not optional. Non-compliance can result in penalties, trading restrictions, and reputational damage. This article explains every technical requirement and how to implement them efficiently.
Who Must Comply with SEBI CSCRF
The CSCRF categorises regulated entities into tiers based on operational risk and asset size:
- Market Infrastructure Institutions (MIIs): Stock exchanges (NSE, BSE), clearing corporations (NSCCL, ICCL), and depositories (NSDL, CDSL) — highest compliance burden
- Qualified REs: Large brokers, mutual fund AMCs, portfolio managers, and investment advisers above the specified threshold
- Mid-Size REs: Medium stock brokers, registrar and share transfer agents, debenture trustees
- Small-Size REs: Smaller brokers and intermediaries
- Self-Certification REs: Entities below the minimum threshold — still must comply with baseline requirements
Core Technical Requirements
1. Quarterly VAPT (Vulnerability Assessment and Penetration Testing)
All REs must conduct VAPT at least quarterly. This is not a box-ticking exercise — SEBI specifies comprehensive scope including external infrastructure, internal networks, web applications, APIs, mobile applications, database security, OS hardening, and cloud deployments. The VAPT must be conducted by a CERT-In format auditor.
2. Vulnerability Remediation Deadlines
This is where SEBI gets strict. All vulnerabilities identified during VAPT must be remediated within 3 months of the VAPT report submission. High-severity vulnerabilities resulting from missing patches must be fixed within 1 week. These timelines are monitored — failure to remediate is a compliance violation.
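The two remediation windows above (3 months for everything, 1 week for high-severity findings caused by missing patches) are easy to state and easy to miss in practice when findings from several quarterly VAPT cycles overlap. The following Python tracker, an added example that is not code from the article or from any compliance platform, computes each finding's deadline from the report submission date, buckets it as overdue, due soon, open or closed (on time or late), and produces the summary an auditor would ask for. The 90-day reading of "3 months", the 14-day early-warning window and the sample findings are this example's own assumptions and constructed data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Deadlines as the article states them: every finding within 3 months of the
# VAPT report submission, high-severity findings caused by missing patches
# within 1 week. Reading "3 months" as 90 days is this example's assumption.
GENERAL_SLA_DAYS = 90
MISSING_PATCH_HIGH_SLA_DAYS = 7
DUE_SOON_WINDOW_DAYS = 14  # internal early-warning window (assumption, not a SEBI figure)


@dataclass
class Finding:
    finding_id: str
    severity: str                 # "critical", "high", "medium" or "low"
    missing_patch: bool           # root cause is an unapplied vendor patch
    report_submitted: date        # date the VAPT report was submitted
    closed_on: Optional[date] = None


def sla_days(finding: Finding) -> int:
    """Remediation window, in days, that applies to this finding."""
    if finding.severity in ("critical", "high") and finding.missing_patch:
        return MISSING_PATCH_HIGH_SLA_DAYS
    return GENERAL_SLA_DAYS


def due_date(finding: Finding) -> date:
    """Deadline counted from the report submission date, not the scan date."""
    return finding.report_submitted + timedelta(days=sla_days(finding))


def classify(finding: Finding, today: date) -> str:
    """Bucket a finding relative to its deadline as of `today`."""
    due = due_date(finding)
    if finding.closed_on is not None:
        return "closed_on_time" if finding.closed_on <= due else "closed_late"
    if today > due:
        return "overdue"
    if (due - today).days <= DUE_SOON_WINDOW_DAYS:
        return "due_soon"
    return "open"


def remediation_report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group finding ids by status, earliest deadline first. The "overdue" and
    "closed_late" buckets are the compliance breaches an auditor would flag."""
    statuses = ("overdue", "due_soon", "open", "closed_on_time", "closed_late")
    report: Dict[str, List[str]] = {status: [] for status in statuses}
    for finding in sorted(findings, key=due_date):
        report[classify(finding, today)].append(finding.finding_id)
    return report


# Constructed sample findings spanning two quarterly VAPT cycles.
SAMPLE_FINDINGS = [
    Finding("F-001", "high", True, date(2025, 4, 1), closed_on=date(2025, 4, 7)),
    Finding("F-002", "high", False, date(2025, 4, 1)),
    Finding("F-003", "critical", True, date(2025, 4, 1)),
    Finding("F-004", "medium", False, date(2025, 4, 1), closed_on=date(2025, 7, 2)),
    Finding("F-005", "low", True, date(2025, 7, 1)),
    Finding("F-006", "high", True, date(2025, 7, 5)),
]

if __name__ == "__main__":
    for status, ids in remediation_report(SAMPLE_FINDINGS, date(2025, 7, 10)).items():
        print(f"{status:15s} {', '.join(ids) or '-'}")
```

Two points worth noting: the clock starts at report submission, so a slow hand-off between the auditor and the remediation team eats directly into the window, and a low-severity finding caused by a missing patch still gets the general 90-day window, since the 1-week rule applies only to high-severity ones.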
3. Continuous Security Monitoring
MIIs and Qualified REs must operate or outsource a 24/7 Security Operations Centre (SOC) with real-time monitoring, incident detection, and response capabilities. SIEM deployment is mandatory for MIIs.
4. Cyber Drills and Incident Response
Regular cyber drills — essentially breach and attack simulations — are required to test detection and response capabilities. MIIs must participate in SEBI-coordinated drills. All REs must have documented incident response plans and conduct annual tabletop exercises.
5. Cloud Security
REs using cloud services must conduct regular security audits of cloud deployments, ensure data residency requirements are met, and maintain visibility into the cloud service provider's security posture. CSPs must provide audit reports and compliance evidence to SEBI upon request.
The VAPT Challenge for Stock Brokers
For stock brokers and mid-size REs, the quarterly VAPT requirement creates an operational and financial burden. Traditional VAPT engagements involve scoping calls, scheduling, manual testing, report generation, and remediation tracking — easily consuming 4-6 weeks per cycle. When you need to do this every quarter, the cost and coordination overhead become significant.
The more efficient approach is a continuous vulnerability assessment platform that runs automated scans on a regular schedule, provides real-time dashboards, and automatically tracks remediation progress. This gives you quarterly VAPT compliance as a byproduct of continuous security monitoring — rather than a separate project each quarter.
How Breach and Attack Simulation Satisfies Cyber Drill Requirements
SEBI's cyber drill requirement is best addressed through Breach and Attack Simulation (BAS). A BAS platform allows you to deploy a lightweight agent on your network, select from real-world adversary profiles mapped to the MITRE ATT&CK framework, and run simulated attacks that test your SIEM rules, firewall policies, and SOC response procedures.
The output is a detailed report showing which attack techniques were detected, which were blocked, and which bypassed your controls entirely — exactly the evidence SEBI wants to see during audits. Running these simulations monthly or quarterly provides continuous validation of your security posture.
Building a Cost-Effective CSCRF Compliance Stack
For most Qualified and Mid-Size REs, the optimal compliance stack includes:
- Continuous vulnerability assessment: Automated scanning platform with sensor-based deployment — covers the quarterly VAPT requirement with daily visibility
- Breach and attack simulation: Satisfies cyber drill requirements and validates SOC detection capabilities against real ATT&CK techniques
- Threat intelligence feeds: Real-time IOC feeds integrated into SIEM/firewall — proactive defence against known threats targeting the financial sector
- Compliance reporting: Automated generation of VAPT reports, remediation tracking, and audit evidence in SEBI-compliant format
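The "threat intelligence feeds" item above depends on actually matching feed indicators against what your firewall and proxy log. The following Python snippet, an added example that is not code from the article or from any vendor platform, shows the core of that integration: it indexes a small feed of IP, CIDR and domain indicators and scans key=value log lines for hits, treating a parent-domain indicator as matching its subdomains. The feed entries (RFC 5737 documentation addresses and example.* domains), the log format and the field names `src`, `dst`, `host` and `action` are constructed for this example and are not real indicators or a real SIEM schema.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed indicator feed using RFC 5737 documentation addresses and
# example.* domains; none of these are real indicators.
IOC_FEED = [
    {"type": "ipv4",   "value": "203.0.113.45",             "tag": "sample-c2"},
    {"type": "cidr",   "value": "198.51.100.0/24",          "tag": "sample-scanner-range"},
    {"type": "domain", "value": "update-check.example.net", "tag": "sample-phish"},
]

# Constructed firewall/proxy log lines in a key=value style.
SAMPLE_LOGS = """\
2025-04-10T09:12:01Z fw action=allow src=10.0.5.21 dst=203.0.113.45 dport=443
2025-04-10T09:12:05Z fw action=allow src=10.0.5.22 dst=192.0.2.10 dport=443
2025-04-10T09:13:40Z proxy action=allow src=10.0.7.9 host=cdn.update-check.example.net
2025-04-10T09:14:02Z fw action=deny src=198.51.100.77 dst=10.0.0.5 dport=22
2025-04-10T09:15:11Z proxy action=allow src=10.0.7.10 host=cdn.example.org
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
IP_FIELDS = ("src", "dst")   # fields holding addresses (assumed schema)
HOST_FIELDS = ("host",)      # fields holding hostnames (assumed schema)


def build_index(feed: List[dict]) -> dict:
    """Split the feed into exact-IP, network and domain lookups."""
    index: dict = {"ips": {}, "nets": [], "domains": {}}
    for ioc in feed:
        if ioc["type"] == "ipv4":
            index["ips"][ipaddress.ip_address(ioc["value"])] = ioc
        elif ioc["type"] == "cidr":
            index["nets"].append((ipaddress.ip_network(ioc["value"]), ioc))
        elif ioc["type"] == "domain":
            index["domains"][ioc["value"].lower().rstrip(".")] = ioc
    return index


def lookup_ip(index: dict, raw: str) -> Optional[dict]:
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None  # not an address; ignore rather than crash on odd log lines
    if addr in index["ips"]:
        return index["ips"][addr]
    for net, ioc in index["nets"]:
        if addr in net:
            return ioc
    return None


def lookup_host(index: dict, raw: str) -> Optional[dict]:
    """Match the host itself or any parent domain that is on the feed,
    never the bare TLD."""
    labels = raw.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index["domains"]:
            return index["domains"][candidate]
    return None


def match_iocs(log_text: str, feed: List[dict]) -> List[Dict[str, Optional[str]]]:
    """Return one hit per (line, field) that matches a feed indicator."""
    index = build_index(feed)
    hits: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        for field in IP_FIELDS + HOST_FIELDS:
            if field not in fields:
                continue
            ioc = (lookup_ip(index, fields[field]) if field in IP_FIELDS
                   else lookup_host(index, fields[field]))
            if ioc is not None:
                hits.append({"field": field, "value": fields[field],
                             "indicator": ioc["value"], "tag": ioc["tag"],
                             "action": fields.get("action"), "line": line})
    return hits


def allowed_hits(hits: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Hits the control let through are the ones needing immediate triage."""
    return [h for h in hits if h["action"] == "allow"]


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS, IOC_FEED):
        print(f"{hit['tag']:22s} {hit['field']}={hit['value']} ({hit['action']})")
```

The split between all hits and allowed hits matters for the SOC: a denied connection from a scanner range is confirmation the firewall rule worked, while an allowed connection to a listed address or domain is an incident to open. In a real deployment the feed would be refreshed on a schedule and the lookups run inside the SIEM rather than a script, but the matching logic is the same.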
This approach replaces expensive quarterly consulting engagements with platform-based continuous compliance — lower cost, better coverage, and always audit-ready.
Ogma Consulting helps SEBI-regulated entities achieve and maintain CSCRF compliance through our integrated platform — combining continuous vulnerability assessment, breach simulation, and threat intelligence. Contact us for a free compliance gap assessment.