SEBI Cybersecurity & Cyber Resilience Framework
SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) requires qualified MIIs to implement robust cybersecurity controls, incident response protocols, and annual audits, and was strengthened via circulars in 2023-2024.
SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), issued via circulars SEBI/HO/MRD/MRD_DRAMNP/P/CIR/2023/048 and related advisories from 2023, establishes mandatory cybersecurity standards for stock exchanges, depositories, clearing corporations, and RTAs. The framework mandates adoption of ISO 27001 standards, implementation of Security Operations Centers (SOCs), periodic Vulnerability Assessment and Penetration Testing (VAPT), mandatory incident reporting within 6 hours for critical incidents, and board-level cyber risk oversight. It prescribes specific technical controls including multi-factor authentication, encryption standards, network segmentation, and cyber resilience testing including simulation exercises. The framework aligns with global standards while addressing India-specific capital market risks, requiring annual cyber audits and compliance certification to SEBI.
- Establishes a standardized cybersecurity baseline across all Market Infrastructure Institutions (MIIs), including NSE, BSE, NSDL, and CDSL, ensuring uniform protection for investor data and market integrity
- Mandatory 6-hour incident reporting creates a rapid response mechanism, enabling SEBI to coordinate sectoral threat intelligence and prevent cascading failures across interconnected market entities
- Board-level accountability requirements with designated Chief Information Security Officers (CISOs) elevate cybersecurity from an IT function to a strategic governance priority with C-suite visibility
- Periodic cyber resilience testing and simulation exercises ensure business continuity capabilities, reducing potential market disruption from ransomware or DDoS attacks on trading infrastructure
- Vendor and third-party risk management provisions address supply chain vulnerabilities, particularly critical given extensive outsourcing by RTAs and smaller intermediaries
- Smaller Registrar and Transfer Agents (RTAs) face resource constraints in implementing SOCs and 24×7 monitoring, often relying on inadequate outsourced solutions without proper oversight
- The lack of a standardized threat intelligence sharing platform among market participants leads to siloed incident responses, with exchanges and depositories not coordinating effectively on emerging threats
- Ambiguity in defining 'critical' versus 'significant' incidents creates inconsistent reporting, with some entities over-reporting minor events while others delay reporting material breaches
- Limited guidance on cloud security controls as MIIs increasingly adopt hybrid cloud models, particularly for disaster recovery and analytics, creating compliance interpretation challenges
- A shortage of skilled cybersecurity staff in tier-2 and tier-3 cities, where many RTAs operate, leads to superficial, checklist-driven compliance rather than a substantive security posture
- In January 2024, SEBI imposed penalties on multiple stock brokers for inadequate cybersecurity controls following audits that revealed weak access management and delayed incident reporting, reinforcing compliance with CSCRF requirements.
- NSE and BSE enhanced their Security Operations Centers (SOCs) in 2024-2025 following SEBI directives, implementing AI-driven threat detection and expanding third-party vendor risk assessments after ransomware attacks targeted smaller depositories.
- CDSL reported multiple phishing attempts targeting demat account holders in late 2024, prompting SEBI to issue additional guidelines on mandatory multi-factor authentication and investor awareness programs for all depositories and brokers.
- Implement continuous threat intelligence sharing mechanisms among Market Infrastructure Institutions (MIIs) and create a centralized SEBI-CERT for real-time incident coordination by Q2 2026.
- Mandate quarterly tabletop exercises and red team penetration testing for all Qualified MIIs, with results reported to SEBI, especially focusing on API security and cloud infrastructure vulnerabilities.
- Strengthen third-party and supply chain risk management protocols with mandatory cybersecurity clauses in vendor contracts and periodic audits of critical technology service providers including cloud and fintech partners.
- Expand cybersecurity governance requirements to include board-level cyber risk committees for all MIIs, with mandatory cyber insurance coverage and incident response retainer agreements with CERT-empanelled agencies by December 2026.
Updated 6/8/2026 · refreshed weekly