Key Takeaways
- SEBI Cyber Security and Cyber Resilience Framework applies to MIIs (stock exchanges, clearing corporations, depositories), stock brokers, mutual funds, AMCs, and other capital market intermediaries with tiered obligations.
- Critical systems definition shapes RTO and RPO expectations. Trading systems, settlement systems, risk management systems are typically critical.
- Annual cyber audit by a qualified independent auditor. VAPT cadence is set by the framework, with additional testing on material change.
- SOC and SIEM expected for MIIs and larger brokers. Smaller brokers have proportionate monitoring expectations.
- Incident reporting to SEBI within prescribed timelines (typically 6 to 24 hours, depending on category). Parallel notifications to CERT-In and, where personal data is involved, under the DPDP Act.
Framework Scope and Applicability
SEBI's cyber framework has been published through several circulars over time, with the SEBI/HO/ITD-1 series being the foundational document and subsequent circulars extending and refining. Applicability covers Market Infrastructure Institutions (stock exchanges, clearing corporations, depositories), stock brokers (with tiered expectations by size and risk), mutual funds and AMCs, portfolio managers, custodians, RTAs (Registrars and Transfer Agents), and several other capital market intermediaries.
Larger entities (MIIs, top-tier brokers, top AMCs) have more demanding obligations, including a 24x7 SOC, frequent VAPT, formal cyber audit, a dedicated CISO function and board oversight. Smaller entities have proportionate obligations.
Critical Systems and Resilience Requirements
The framework defines Critical Systems as those whose failure would significantly impact the entity's operations or market functioning. For brokers: trading systems, order management, risk management, payment systems, customer-facing portals. For MIIs: matching engines, settlement systems, surveillance systems, market data distribution.
RTO (Recovery Time Objective) and RPO (Recovery Point Objective) expectations are stricter for critical systems. Typical expectations: RTO measured in minutes to hours, RPO measured in seconds for transaction-critical systems. Documented and tested DR is expected.
VAPT and Audit Obligations Under SEBI
VAPT cadence under SEBI: at least annually for all regulated entities, more frequently for MIIs and critical systems, and additionally after material changes. VAPT is performed by an independent third party, with the report retained for inspection and shared with the Information Security Committee.
The annual cyber audit by a qualified independent auditor covers framework implementation, control effectiveness, incident handling, vendor management and overall maturity. Audit findings are tracked through corrective action plans with timelines. Codesecure delivers SEBI-aligned VAPT and supports cyber audit firms with technical evidence.
SOC and Monitoring
MIIs and larger regulated entities are expected to operate 24x7 SOC capability with SIEM, EDR, threat intelligence integration and SOAR. Detection content is tuned to capital market threats (insider trading patterns, fraud signals, anomalous trading behaviour) alongside generic cyber detection.
Smaller brokers have proportionate monitoring expectations. Many adopt managed SOC arrangements that meet the regulatory expectation at appropriate scale. Codesecure delivers SEBI-aligned managed SOC for capital market intermediaries.
Data Localisation Considerations
SEBI guidance on data localisation has evolved. Investor data, trading data and certain other categories typically must be stored in India. International data flows may be permitted under specific conditions or require regulator approval. Cloud usage by regulated entities must respect these localisation considerations alongside the broader cloud guidance.
Practical implication: SEBI-regulated entities using cloud should default to India-region deployment for in-scope data, with documented data flow diagrams that demonstrate localisation. Cross-border replication for DR purposes may be permissible with proper documentation.
Incident Reporting to SEBI
Cyber incidents affecting regulated entities must be reported to SEBI within prescribed timelines. The incident category drives the timing: critical incidents (typically 6 hours), high-severity incidents (typically 24 hours), and others within their prescribed windows. The report covers the nature and scope of the incident, an impact assessment, immediate actions taken, the customer communication plan and the remediation plan.
Parallel notifications go to CERT-In (within 6 hours, per the April 2022 directions) and to the Data Protection Board under the DPDP Act where personal data is involved. Material incidents at MIIs may also trigger market disclosures. The IR plan must run these clocks in parallel so that none is missed.
MII vs Trading Member Obligations
MIIs (BSE, NSE, NSDL, CDSL, MCX, NCDEX, etc.) carry the heaviest cyber obligations: full framework implementation, a 24x7 SOC with sector-specific detection, frequent VAPT, formal cyber audit, a dedicated CISO with a team, board oversight and, potentially, NCIIPC designation.
Trading members and intermediaries have proportionate obligations scaled to size. Smaller brokers focus on baseline framework implementation: documented cyber policy, MFA, EDR, backup, awareness training, annual VAPT, basic monitoring, IR plan, vendor management. Mid-size brokers add SOC, more frequent VAPT, dedicated CISO function.
Codesecure supports both MII-scale programmes and smaller broker baseline programmes. Engagements are structured to match the regulated entity's size and the SEBI obligations that apply.
Frequently Asked Questions
Does SEBI cyber framework apply to research analysts and investment advisors?
Yes, with proportionate obligations. Smaller RIAs and RAs have lighter requirements focused on baseline controls; larger firms have more demanding expectations. Recent SEBI circulars have extended cyber expectations to broader categories of capital market intermediaries.
Is SOC mandatory for stock brokers?
For larger brokers, yes. Smaller brokers have proportionate monitoring expectations that often translate to managed SOC arrangements at appropriate scale. Codesecure delivers SEBI-aligned managed SOC for capital market intermediaries.
How does SEBI cyber relate to ISO 27001?
ISO 27001 is the recognised baseline that satisfies many SEBI framework expectations. Many SEBI-regulated entities pursue ISO 27001 certification as the structural foundation, then layer SEBI-specific requirements on top. Codesecure delivers integrated ISO 27001 plus SEBI programmes.
What about NCIIPC designation?
Major MIIs are typically designated as Critical Information Infrastructure under NCIIPC, which adds further obligations, including sector-specific guidance and inspection. NCIIPC and SEBI obligations operate in parallel for designated entities.
How often does SEBI inspect cyber controls?
SEBI inspections cover cyber as part of broader inspection cycles. Frequency varies by entity category. Special inspections may be triggered by incidents, complaints or risk-based selection. Inspections include cyber specialists for regulated entities of meaningful scale.
Can Codesecure deliver SEBI-aligned programmes?
Yes. Codesecure delivers SEBI cyber framework implementation, VAPT, managed SOC, cyber audit support and IR readiness for stock brokers, depository participants, mutual funds, AMCs and other capital market intermediaries.
Pass SEBI Cyber Inspection With Operational Confidence
Codesecure delivers SEBI cyber framework programmes, VAPT, managed SOC and cyber audit support for Indian stock brokers, depositories, AMCs and other capital market intermediaries. ISO/IEC 27001:2022 certified delivery, named consultants.