
SEBI CSCRF Decoded: What Your Security Analyst Must Implement by Quarter-End

May 26, 2026 10 Min Read

An iStreet field guide for India’s regulated capital market entities racing toward the next CSCRF audit window. 

A quarter-end clock is ticking for India’s regulated entities, and the SEBI Cybersecurity and Cyber Resilience Framework is no longer a paper exercise.  

The Securities and Exchange Board of India’s (SEBI) Cybersecurity and Cyber Resilience Framework, known across the market as CSCRF, has fundamentally reshaped how stockbrokers, depository participants, mutual funds, AMCs, KRAs, RTAs, custodians, clearing corporations, and other SEBI-regulated entities (REs) must operate their security programmes. Mandated through the August 2024 master circular and refined by subsequent amendments through 2025, the framework drags Indian capital market participants away from checklist-based compliance and into an outcomes-based, continuously audited posture. 

With Q4 results season closing and IT audit cycles kicking off across regulated entities, security analysts and CISOs are racing to map their existing controls against CSCRF’s five cyber-resilience goals (Anticipate, Withstand, Contain, Recover, and Evolve) and to demonstrate maturity to SEBI before the next quarter-end submission window closes. 

  • Anticipate: predict threat events before they materialize.
  • Withstand: strengthen defenses and resist attacks.
  • Contain: limit the impact and prevent lateral spread.
  • Recover: restore critical operations swiftly.
  • Evolve: improve continuously and adapt to threats.

REs Are Not Failing Tools, They Are Failing Evidence 

Walk into the security operations room of a mid-tier Indian broker in May and you will see roughly the same picture: a SIEM licence procured two renewals ago, an EDR rollout that stalled at 78% coverage, a vulnerability scanner whose reports nobody reads end-to-end, and a CISO juggling four spreadsheets that pretend to be a controls register. That setup may have survived ISO 27001 audits and the older SEBI cybersecurity circulars. It will not survive CSCRF. 

  • SIEM: active, licence renewed, but coverage is highly uncertain.
  • EDR: 78% deployed; rollout stalled, leaving the uncovered endpoints exposed.
  • Scanner: reports unread; vulnerabilities identified but never remediated.
  • Controls register: spreadsheets; manual files pretending to act as GRC.

The CSCRF’s most disruptive shift is its insistence on continuous cyber capability measurement through the Cyber Capability Index (CCI), Software Bill of Materials (SBOM) submissions, and near-real-time security data sharing with the SEBI Market SOC (M-SOC). For Tier-2 and Tier-3 REs, this is the first time their security posture is being measured continuously rather than annually. 

Behind every statement there is a familiar set of pain points: 

  • Data sovereignty obligations that collide with foreign-hosted SIEM and SOAR platforms whose primary regions sit outside India. 
  • Log retention windows of 180 days hot and two years archival, a storage and indexing cost most teams underestimated by 3–4x. 
  • M-SOC integration timelines that assume the RE already operates standardised log schemas, mapped MITRE ATT&CK coverage, and a defined SOAR playbook library. 
  • Third-party and SBOM transparency where the RE must catalogue every component running in every production system, including transitive open-source dependencies. 
  • Auditor-grade evidence that ties each control assertion back to a specific telemetry source, ticket, or signed approval, not a screenshot. 
The biggest CSCRF challenge is not weak controls. It is weak evidence. Regulators require verifiable, structured proof streams.

A Sovereign, AI-Native CSCRF Compliance Layer 

CSCRF is not a single deliverable. It is a continuously operating capability. Treating it as a project is what causes missed quarter-end submissions. Treating it as a platform, with sovereign infrastructure, AI-native detection, and a built-in evidence layer, is what closes the gap. 

iStreet’s sovereign AI-native platform, infrastructure, and solution offerings are built specifically for the data-residency, audit-evidence, and continuous-assurance demands of the Indian capital markets. Three architectural choices matter: 

1. Sovereign Deployment by Design

All telemetry, model weights, embeddings, and audit evidence stay within India, on infrastructure that complies with MeitY, RBI, SEBI, and CERT-In data-localisation directives. There is no transit to overseas regions for inference, indexing, or backup. The control plane, data plane, and AI plane are all sovereign, which matters when an auditor asks where the prompt that triggered an alert was processed. 

2. AI-Native Detection & Assurance

Large language models tuned on Indian regulatory text (CSCRF, RBI’s Cyber Security Framework, IRDAI guidelines, the DPDP Act, and CERT-In directions) translate control language directly into telemetry queries, SBOM checks, and auditor-grade narratives. Analysts no longer hand-write evidence from log searches; the platform proposes the evidence and links it to the source events. 

3. M-SOC, CERT-In & NCIIPC Ready

Pre-built connectors and schema mappings for the SEBI Market SOC, CERT-In incident reporting, and NCIIPC submissions remove the integration backlog most REs spend a full quarter building from scratch. The platform speaks the regulator’s data language on day one. 

The remainder of this guide walks security analysts through what to implement, in what order, before quarter-end.

1. Map Your RE Category to Your CSCRF Maturity Tier 

CSCRF classifies regulated entities into five buckets: Market Infrastructure Institutions (MIIs), Qualified REs, Mid-sized REs, Small REs, and Self-Certification REs. Each bucket carries a different control depth, audit cadence, and set of submission obligations. The first job of the security analyst is to confirm which bucket the organisation falls into, because every downstream control selection follows from it. 


If the analyst gets this categorisation wrong, every gap analysis afterwards is wrong. Validate it against SEBI’s published thresholds and document the rationale; the auditor will ask. 

2. The Must-Implement Controls Before Quarter-End

Across the CSCRF’s five goals (Anticipate, Withstand, Contain, Recover, Evolve) there is a tight cluster of controls that disproportionately determines the CCI score. These are the controls that, if missing, materially raise the risk of an adverse observation in the next audit cycle. Implement them in this order.

Anticipate
  • Asset inventory with criticality tagging: every server, container, SaaS account, and OT/ATM endpoint, ranked CRITICAL/HIGH/MEDIUM/LOW.
  • Data classification linked to DPDP Act categories and SEBI’s sensitive data definitions.
  • Threat intelligence ingestion from CERT-In, FS-ISAC India, and at least one commercial feed, mapped to the MITRE ATT&CK techniques relevant to capital markets.
  • Third-party and vendor risk register with SBOM ingestion for the top 25 software dependencies.
Withstand
  • Privileged access management (PAM) for all admin pathways into trading, settlement, and KYC systems.
  • Phishing-resistant MFA (FIDO2 or platform authenticators) for privileged users; OTP-based MFA for the rest.
  • Data Loss Prevention (DLP) policies covering bulk export of client KYC, trade, and demat data.
Contain
  • SIEM ingestion of authentication, network, EDR, DNS, proxy, and trading-application logs with 180-day hot retention. 
  • SOAR playbooks for the ten highest-frequency incident types (credential abuse, phishing, suspicious fund transfers, ransomware, and so on). 
  • 24×7 monitoring (in-house, managed, or hybrid) with named accountable owners on each shift.
Recover
  • Quarterly tabletop exercises for ransomware, insider abuse, and market-disruption scenarios. 
  • Annual full DR drill for at least one MII-equivalent business process, with auditor-witnessed evidence. 
  • Crisis communications plan with pre-approved templates for SEBI, exchanges, customers, and the press. 
Evolve
  • Cyber Capability Index (CCI) scoring engine, with self-assessment and external assessment at the cadence SEBI prescribes for the RE’s category. 
  • Software Bill of Materials (SBOM) automation for every production application, including third-party SaaS. 
  • Continuous control monitoring dashboard mapped to CSCRF, RBI, and DPDP control families. 

The controls above anchor each of the five goals. If the analyst can produce a clean evidence trail for them by quarter-end, the CCI score will land in a defensible range and the M-SOC feed will look credible. 

3. Build the Evidence Layer Before You Build the Report 

The most common CSCRF failure mode is not weak controls, it is weak evidence. Auditors will accept a temporarily lower CCI score if the gap is documented; they will not accept claims of controls that cannot be substantiated. Build the evidence layer first. 

Three layers of evidence to operationalise

1. Telemetric evidence: the raw log, EDR detection, or scan result that proves the control fired. This must be queryable on demand for the full retention period.

2. Procedural evidence: the ticket, change request, or approval that shows a human-driven process happened (e.g., a quarterly user access review).

3. Narrative evidence: the auditor-grade summary that links the telemetric and procedural artefacts back to the specific CSCRF control statement. This is where AI-native generation cuts weeks off audit preparation.

On the iStreet platform, every control in the CSCRF register has all three layers attached by default. When the auditor asks “Show me evidence for AN-04: continuous attack surface management,” the analyst clicks once and sees the scan history, the ticket trail, and the natural-language narrative, not a dozen tabs. 
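What the three layers look like when they are checked mechanically rather than by eye, as an added example (not iStreet’s platform code): one control record carries its telemetry, its tickets and its narrative, and a completeness check flags anything an auditor would flag, including the 180-day hot and two-year archival retention windows from the pain points above and a narrative that cites an artefact that is not actually attached. The control ID AN-04 is the one quoted on the page; the EVT-/CHG- identifier formats, the field names, the retention constants and both sample records are assumptions constructed for the example.

```python
"""Evidence-layer completeness check for one CSCRF control record.

Added example, not iStreet's platform code. The EVT-/CHG- identifier
formats, the retention constants and the sample records are constructed."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

HOT_RETENTION_DAYS = 180       # online (hot) window described in the text
ARCHIVE_RETENTION_DAYS = 730   # two-year archival window
REF_PATTERN = re.compile(r"\b(?:EVT|CHG)-\d+\b")  # assumed artefact ID format
AS_OF = date(2026, 5, 26)      # "today" for the sample run (the article's date)


@dataclass
class TelemetryEvent:
    event_id: str        # e.g. "EVT-1042": a SIEM/EDR/scanner event reference
    source: str          # "siem", "edr", "vuln-scanner", ...
    observed: date


@dataclass
class ProceduralArtefact:
    ticket_id: str       # e.g. "CHG-77": a change, approval or review ticket
    kind: str
    closed: Optional[date]   # None means the human process is not finished


@dataclass
class ControlEvidence:
    control_id: str
    statement: str
    telemetry: List[TelemetryEvent] = field(default_factory=list)
    procedural: List[ProceduralArtefact] = field(default_factory=list)
    narrative: str = ""


def check_evidence(rec: ControlEvidence, today: date) -> List[str]:
    """Return auditor-style findings; an empty list means all three layers
    are present, retrievable, and the narrative cites only attached artefacts."""
    findings = []
    cid = rec.control_id

    # Layer 1: telemetric evidence must exist and still be retrievable.
    if not rec.telemetry:
        findings.append(f"{cid}: no telemetric evidence attached")
    for ev in rec.telemetry:
        age = (today - ev.observed).days
        if age > ARCHIVE_RETENTION_DAYS:
            findings.append(f"{cid}: {ev.event_id} is past the two-year archive window")
        elif age > HOT_RETENTION_DAYS:
            findings.append(f"{cid}: {ev.event_id} has left hot storage; prove it is queryable on demand")

    # Layer 2: procedural evidence must exist and be closed out.
    if not rec.procedural:
        findings.append(f"{cid}: no procedural evidence (ticket/approval) attached")
    for art in rec.procedural:
        if art.closed is None:
            findings.append(f"{cid}: {art.ticket_id} ({art.kind}) is still open")

    # Layer 3: the narrative must cite artefacts, and only attached ones.
    if not rec.narrative.strip():
        findings.append(f"{cid}: no narrative linking artefacts to the control statement")
    else:
        cited = set(REF_PATTERN.findall(rec.narrative))
        attached = {e.event_id for e in rec.telemetry} | {a.ticket_id for a in rec.procedural}
        if not cited:
            findings.append(f"{cid}: narrative cites no artefact identifiers")
        for ref in sorted(cited - attached):
            findings.append(f"{cid}: narrative cites {ref}, which is not attached")
    return findings


def sample_records():
    """Two constructed records: one substantiated, one that draws observations."""
    good = ControlEvidence(
        control_id="AN-04", statement="Continuous attack surface management",
        telemetry=[TelemetryEvent("EVT-1042", "vuln-scanner", date(2026, 5, 20))],
        procedural=[ProceduralArtefact("CHG-77", "change", date(2026, 5, 22))],
        narrative="Weekly external scan EVT-1042 found two exposed services; CHG-77 closed them on 22 May.",
    )
    bad = ControlEvidence(
        control_id="AN-04", statement="Continuous attack surface management",
        telemetry=[TelemetryEvent("EVT-0007", "vuln-scanner", date(2025, 9, 1))],  # 267 days old
        procedural=[ProceduralArtefact("CHG-90", "change", None)],                  # never closed
        narrative="Scans run weekly and findings are tracked in CHG-91.",            # wrong ticket
    )
    return good, bad


def run_checks():
    """Findings for the good and the bad sample record, as of AS_OF."""
    good, bad = sample_records()
    return check_evidence(good, AS_OF), check_evidence(bad, AS_OF)


if __name__ == "__main__":
    for label, found in zip(("good", "bad"), run_checks()):
        print(label, found or "no findings")
```

The narrative cross-check is the part worth copying: a control statement that mentions a ticket number nobody attached is exactly the "screenshot evidence" pattern the framework is pushing REs away from, and it is cheap to catch before the auditor does.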

4. M-SOC Integration: Get it Right Before the Submission 

The SEBI Market SOC is the regulator’s view into the security posture of the market as a whole. For Qualified REs and MIIs, an M-SOC feed is no longer optional. The integration is where most teams burn weeks unnecessarily, because the work is mostly schema and identity, not analytics. Pre-built M-SOC connectors on a sovereign platform collapse it into days, not months, freeing the analyst to focus on the analytics that actually move the CCI score. 

5. Where Sovereign AI-Native Compounds the Advantage

Compliance teams have historically been short on hands and long on regulators. Generative AI does not change that equation by itself, but a sovereign AI-native compliance platform does, because it pairs domain-specific models with a controlled data plane that auditors can trust.

Four CSCRF workflows where AI-native compounds outcomes

  • Control-language translation. Natural-language CSCRF clauses are converted into SIEM queries, EDR detections, and IAM policy checks the same day they are issued.
  • Audit-narrative generation. Evidence artefacts are summarised into auditor-grade narratives with citations to the source events, turning a five-day documentation sprint into a five-minute review.
  • SBOM enrichment. Raw CycloneDX or SPDX outputs are matched against CVE feeds, exploit prediction scores, and Indian-context advisories so the SBOM becomes a risk view, not a list.
  • CCI gap explanation. Each control gap is explained in business language to the board, in operational language to engineering, and in regulator-grade language for the submission, from a single source of truth.
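The SBOM enrichment workflow above, and the Anticipate-stage SBOM ingestion control in section 2, both come down to the same mechanics: parse the CycloneDX document, match each component’s package URL against an advisory feed by name and affected version range, note whether the component is a direct or a transitive dependency, and rank by exploitability rather than by severity alone. The block below is an added example of that, not iStreet’s code. The SBOM, the advisory feed, the ADV- identifiers and the package names are all constructed (the advisories are not real CVEs), the feed shape is OSV-like rather than any vendor’s format, and risk = CVSS × EPSS is an illustrative ranking choice, not a standard.

```python
"""Turn a CycloneDX SBOM into a ranked risk view by matching components
against an advisory feed (added example, not iStreet's code).

Everything below is constructed: the SBOM, the advisories, the ADV- IDs
and the com.example packages. Real feeds (NVD, OSV, EPSS) differ in detail."""
import json
import re
from collections import deque
from typing import Dict, List, Tuple

SBOM_JSON = json.dumps({  # constructed CycloneDX 1.5 document
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "trade-gateway", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "c1", "name": "acme-json", "version": "1.2.3",
         "purl": "pkg:maven/com.example/acme-json@1.2.3?type=jar"},
        {"bom-ref": "c2", "name": "acme-http", "version": "4.5.13",
         "purl": "pkg:maven/com.example/acme-http@4.5.13"},
        {"bom-ref": "c3", "name": "acme-logger", "version": "2.14.1",
         "purl": "pkg:maven/com.example/acme-logger@2.14.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c2"]},
        {"ref": "c2", "dependsOn": ["c3"]},   # c3 is transitive, pulled in via c2
    ],
})

ADVISORIES = [  # constructed, OSV-like: affected if introduced <= version < fixed
    {"id": "ADV-0001", "package": "pkg:maven/com.example/acme-logger",
     "introduced": "2.0.0", "fixed": "2.15.0", "cvss": 9.8, "epss": 0.97},
    {"id": "ADV-0002", "package": "pkg:maven/com.example/acme-http",
     "introduced": "4.0.0", "fixed": "4.5.13", "cvss": 7.5, "epss": 0.12},
    {"id": "ADV-0003", "package": "pkg:maven/com.example/acme-json",
     "introduced": "1.0.0", "fixed": "1.2.5", "cvss": 5.3, "epss": 0.02},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-tuple comparison: enough for dotted versions, not full semver."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:type/ns/name@ver?qualifiers' -> ('pkg:type/ns/name', 'ver')."""
    base = purl.split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    name, _, version = base.rpartition("@")
    return name, version


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def dependency_depth(sbom: dict) -> Dict[str, int]:
    """BFS from the root component: depth 1 = direct, >1 = transitive."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in depth:
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    return depth


def enrich(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """One row per (component, advisory) hit, highest risk first."""
    sbom = json.loads(sbom_json)
    depth = dependency_depth(sbom)
    by_package: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    rows = []
    for comp in sbom.get("components", []):
        if "purl" not in comp:
            continue            # no purl: cannot match reliably; report such gaps separately
        name, version = split_purl(comp["purl"])
        for adv in by_package.get(name, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                rows.append({
                    "component": comp["name"], "version": version,
                    "advisory": adv["id"], "cvss": adv["cvss"], "epss": adv["epss"],
                    "depth": depth.get(comp["bom-ref"], -1),  # -1: not reachable from root
                    "risk": round(adv["cvss"] * adv["epss"], 2),
                })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in enrich(SBOM_JSON, ADVISORIES):
        print(row)
```

Two details matter in practice. The version check is half-open (fixed version not affected), which is why acme-http 4.5.13 drops out even though the advisory names it, and the highest-ranked hit is the transitive one, which is precisely the dependency a top-25 direct-dependency list would have missed.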

Because every inference runs on Indian sovereign infrastructure, there is no awkward conversation with the auditor about cross-border model calls, no DPDP question about where prompt logs reside, and no offshore vendor escalation when an issue surfaces at 2 a.m. on settlement day.

6. The Quarter-End Implementation Checklist 

If the security analyst has only one quarter to materially improve CSCRF readiness, the work breaks down cleanly across the three months.

Month 1
Foundation
  • Confirm RE category and CSCRF maturity tier; document the rationale.
  • Complete a 25-control gap analysis with named owners and target dates.
  • Inventory every log source; normalise schemas; freeze a retention plan. 
Month 2
Build
  • Close the top five highest-impact control gaps (typically EDR coverage, PAM, SBOM, immutable backups, MFA). 
  • Wire up the M-SOC feed in a staging mode; validate that the regulator’s side receives and acknowledges the test feed. 
  • Generate the first internal CCI score and circulate to the board. 
Month 3
Sustain
  • Flip the M-SOC feed to production; confirm regulator acknowledgement. 
  • Submit the CCI and SBOM artefacts within the SEBI window. 
  • Lock in continuous control monitoring, the next quarter’s audit starts the day this one closes.

A team that finishes this 90-day plan does not just pass an audit. It builds the operating muscle CSCRF was designed to demand, and avoids the perpetual fire-drill that has become the default for many Indian regulated entities. 

Closing: CSCRF Is a Capability, Not a Checkbox 

The most consequential change CSCRF brings to the Indian capital markets is the move from compliance-as-event to compliance-as-capability. The regulator is no longer auditing the snapshot, it is watching the stream. Security analysts who internalise that shift, and CISOs who fund the platforms that make it sustainable, will spend their next quarter building competitive advantage rather than re-doing last quarter’s evidence. 

iStreet’s sovereign AI-native platform, infrastructure, and solution offerings exist precisely for this moment in Indian financial services, where regulation, sovereignty, and AI maturity converge into a single operating requirement. The architecture is purpose-built for the SEBI cybersecurity framework India’s regulators have chosen, and for the operational tempo Indian capital markets actually run at.