7.11

Cyber Security & Cyber Resilience framework (CSCRF) for Stock Brokers / Depository Participants

The Cyber Security & Cyber Resilience Framework (CSCRF) sets out the minimum security standards that stock brokers and depository participants must follow to protect client data and market integrity. It is a core component of the clearing and settlement ecosystem and is examined in the NISM Series VIII exam. Understanding CSCRF helps candidates answer questions on regulatory expectations, risk mitigation, and incident handling.

Learning Objectives

  1. Define CSCRF and its relevance to brokers and depository participants.
  2. Identify the key components and responsibilities under the framework.
  3. Explain risk assessment metrics and how they are applied in practice.
  4. Describe the incident response lifecycle and regulatory reporting requirements.

Understanding the CSCRF

The Cyber Security & Cyber Resilience Framework (CSCRF) was introduced by SEBI to create a uniform baseline for protecting electronic trading infrastructure. It applies to all entities that participate in the clearing and settlement chain, notably stock brokers and depository participants (DPs). The framework mandates preventive, detective, and corrective controls to safeguard against cyber‑threats that could disrupt market operations.

Why it matters for the exam: SEBI frequently asks candidates to match a regulatory requirement with the appropriate control (e.g., multi‑factor authentication for access control). Knowing the framework’s structure enables quick elimination of wrong options.

How it works: CSCRF is built around five pillars – Governance, Risk Management, Secure Architecture, Incident Management, and Resilience Testing – each with specific duties for the entity.

Common mistake: Confusing CSCRF with the broader ISO/IEC 27001 standards. While the two share concepts, CSCRF is a SEBI‑specific mandate with distinct reporting timelines and audit frequencies. Remember that the exam focuses on SEBI‑defined expectations, not generic international standards.

  • CSCRF is mandatory for all SEBI‑registered brokers and DPs.
  • Non‑compliance can lead to penalties, suspension of trading licences, or increased supervisory scrutiny.

ℹ️ Exam trap – Governance vs. Operations

Students often select ‘Operations’ when the question asks about board‑level oversight. Governance responsibilities (policy approval, risk appetite) belong to the senior management and board, not to day‑to‑day IT teams.

Key Components of CSCRF

1. Governance: Establishes a cyber‑security policy, appoints a Chief Information Security Officer (CISO), and defines reporting lines. The policy must be reviewed annually and approved by the board.

2. Risk Management: Requires periodic cyber‑risk assessments, vulnerability scanning, and a documented risk‑treatment plan. The assessment must cover both internal systems and third‑party service providers.

3. Secure Architecture: Mandates network segmentation, encryption of data at rest and in transit, and strong access controls such as multi‑factor authentication (MFA). All critical applications must run on hardened servers with regular patch management.

4. Incident Management: Defines a formal incident response plan (IRP) with defined roles, escalation matrix, and timelines for detection, containment, eradication, and recovery. The IRP must be tested at least twice a year.

5. Resilience Testing: Includes penetration testing, red‑team exercises, and business‑continuity drills. Results are reported to SEBI within 30 days of a significant breach.

Comparison of CSCRF Obligations for Stock Brokers vs. Depository Participants

| Obligation | Stock Broker | Depository Participant |
|---|---|---|
| Governance (CISO appointment) | Required – CISO must report to the board | Required – CISO reports to DP’s Board |
| Risk Assessment Frequency | Quarterly for trading platforms | Semi‑annual for demat account systems |
| Encryption Standard | AES‑256 for client data | AES‑256 for account holdings |
| Incident Reporting Timeline | Within 24 hours of detection | Within 12 hours of detection |
| Resilience Test Types | Pen‑test, Red‑team, DR drill | Pen‑test, Vulnerability scan, DR drill |

Roles & Responsibilities

The CISO holds ultimate accountability for implementing CSCRF. Their duties include overseeing risk assessments, ensuring compliance with encryption mandates, and coordinating incident response drills. The IT Operations team executes day‑to‑day controls like patch management and log monitoring.

Business units (e.g., client onboarding) must embed security checks into their processes. For instance, Know‑Your‑Customer (KYC) data must be stored in encrypted databases, and any data transfer to third‑party vendors must be protected by secure APIs.

From an exam perspective, remember the hierarchy: Board → CISO → IT Operations → Business Units. Questions often ask which role should approve a new security tool – answer: the CISO, not the line manager.

ℹ️ Common mistake – Third‑party risk

Candidates sometimes overlook that CSCRF extends to vendors. Any service provider handling broker/DP data must be covered by a cyber‑risk assessment and a written SLA.

Risk Assessment & Metrics

Risk assessment under CSCRF follows a qualitative scoring model: each identified threat is rated for Likelihood (how often it could occur) and Impact (potential loss). The product of these two scores yields a Risk Score that drives mitigation priority.

Why the metric matters: SEBI expects entities to maintain a risk register where any item with a score above a defined threshold (e.g., 15 on a 5 × 5 scale) must have a remediation plan within 30 days.

Exam tip: When a question provides Likelihood = 4 (high) and Impact = 3 (moderate), the correct Risk Score is 12. If the threshold is 10, the item requires immediate action.

Formula: Risk Score Calculation

Risk Score = L × I

Where:

L = Likelihood rating on a scale of 1 (low) to 5 (high)
I = Impact rating on a scale of 1 (low) to 5 (high)

Worked Example

Given Likelihood = 4 and Impact = 3:

Step 1: Risk Score = 4 × 3
Step 2: Risk Score = 12
Verification: 4 × 3 = 12.
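The scoring rule and the 30‑day remediation deadline described above, turned into a small risk‑register routine as an added example (not part of the original text or of any SEBI circular). The register entries, the assessment date and the threshold value are constructed; the ransomware entry is the page’s 4 × 3 = 12 case.

```python
"""Risk-register scoring on the CSCRF 5 x 5 model (added example, not SEBI text)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

SCALE = range(1, 6)              # Likelihood and Impact are each rated 1 (low) .. 5 (high)
REMEDIATION_DAYS = 30            # a plan is due within 30 days once the threshold is exceeded
ASSESSED_ON = date(2024, 4, 1)   # constructed assessment date for the sample register


@dataclass(frozen=True)
class RiskItem:
    threat: str
    likelihood: int
    impact: int


def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score = L x I, rejecting ratings outside the 1..5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("ratings must be integers from 1 to 5")
    return likelihood * impact


def needs_remediation(score: int, threshold: int) -> bool:
    """Only items scoring above the defined threshold need a remediation plan."""
    return score > threshold


def remediation_due(score: int, threshold: int, assessed_on: date = ASSESSED_ON) -> date | None:
    """Deadline for the remediation plan, or None when the score is within tolerance."""
    if not needs_remediation(score, threshold):
        return None
    return assessed_on + timedelta(days=REMEDIATION_DAYS)


def prioritise(register: list[RiskItem], threshold: int) -> list[dict]:
    """Score every register entry, highest risk first, with its plan deadline."""
    rows = [{"threat": item.threat,
             "score": risk_score(item.likelihood, item.impact)} for item in register]
    for row in rows:
        row["due"] = remediation_due(row["score"], threshold)
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register; threat names are illustrative, not from the page
SAMPLE_REGISTER = [
    RiskItem("Ransomware on order-management system", 4, 3),   # the page's 4 x 3 = 12 case
    RiskItem("Phishing of back-office staff", 3, 2),
    RiskItem("Unpatched internet-facing server", 4, 4),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER, threshold=10):
        print(f"{row['threat']:40} score={row['score']:2}  plan due: {row['due'] or 'not required'}")
```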

Incident Response Process

The incident response lifecycle defined by CSCRF consists of four phases: Detection, Containment, Eradication, and Recovery. Each phase has a target time‑frame – for example, detection must occur within 15 minutes of an anomaly, and containment within 30 minutes.

During Detection, security information and event management (SIEM) tools generate alerts. Containment involves isolating affected systems, often by disabling network ports or revoking credentials. Eradication removes malicious code, and Recovery restores services to normal operation, followed by a post‑incident review.

For the exam, remember the sequence and the typical SLA times. Questions may ask which step follows ‘Isolation of compromised server’; the correct answer is ‘Eradication of malware’.

Typical CSCRF Incident Response Timelines (in minutes)

Cyber Resilience Practices

Resilience goes beyond preventing attacks; it ensures the firm can continue operations during and after a cyber event. Key practices include regular data backups stored offline, redundant network paths, and a business‑continuity plan that aligns with the clearing‑house settlement cycles.

SEBI requires that backup restoration tests be performed quarterly, with a Recovery Point Objective (RPO) of no more than 4 hours for critical trading systems. The Recovery Time Objective (RTO) should not exceed 8 hours to avoid settlement delays.

Exam relevance: A scenario may ask which RPO is acceptable for a broker’s order‑matching engine. The correct answer is 4 hours, as stipulated by CSCRF.

Example: Ransomware Attack on a Stock Broker

Scenario

A mid‑size stock broker discovers that its order‑management system has been encrypted by ransomware. The incident occurs during market hours, and the SIEM alerts the security team within 10 minutes.

Solution

Step 1: The incident response team follows the CSCRF IRP – they isolate the affected servers (Containment) within the 30‑minute SLA. Step 2: For Eradication, they restore the system from the latest offline backup, which meets the 4‑hour RPO requirement. Step 3: Recovery is completed by re‑connecting the restored servers to the trading network, achieving the 8‑hour RTO. Step 4: A post‑incident report is submitted to SEBI within 24 hours, as mandated by the reporting timeline. All actions are documented in the risk register, and the risk score for ransomware is updated.
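The scenario’s timeline run through the CSCRF phase SLAs, the RPO/RTO limits and the 24‑hour notification deadline stated on this page, as an added example (not part of the original text or of any SEBI circular). All timestamps are constructed, and the eradication step is deliberately late so that the check shows how an SLA breach surfaces for the post‑incident review.

```python
"""CSCRF timeline check for the ransomware scenario (added example, not SEBI text)."""
from __future__ import annotations
from datetime import datetime, timedelta

# Phase SLAs from the page, in minutes measured from the anomaly
PHASE_SLA_MIN = {"detection": 15, "containment": 30, "eradication": 60, "recovery": 120}
RPO = timedelta(hours=4)           # latest usable backup may be at most 4 h old
RTO = timedelta(hours=8)           # service must be restored within 8 h
NOTIFY_SEBI = timedelta(hours=24)  # initial incident notification deadline


def check_phases(anomaly: datetime, completed: dict[str, datetime]) -> dict[str, bool]:
    """True for each phase completed within its SLA, measured from the anomaly."""
    return {phase: completed[phase] - anomaly <= timedelta(minutes=limit)
            for phase, limit in PHASE_SLA_MIN.items()}


def check_resilience(anomaly: datetime, last_backup: datetime,
                     recovered: datetime, sebi_notified: datetime) -> dict[str, bool]:
    """RPO = age of the backup restored; RTO = outage length; 24 h reporting deadline."""
    return {
        "rpo_met": anomaly - last_backup <= RPO,
        "rto_met": recovered - anomaly <= RTO,
        "sebi_notified_in_time": sebi_notified - anomaly <= NOTIFY_SEBI,
    }


def breaches(results: dict[str, bool]) -> list[str]:
    """Names of every failed check, the input for the post-incident review."""
    return [name for name, ok in results.items() if not ok]


# Constructed timeline: encryption begins at 10:00 during market hours
T0 = datetime(2024, 4, 1, 10, 0)
SCENARIO_PHASES = {
    "detection":   T0 + timedelta(minutes=10),   # SIEM alert after 10 minutes
    "containment": T0 + timedelta(minutes=25),   # servers isolated inside the 30 min SLA
    "eradication": T0 + timedelta(minutes=70),   # restore from backup overran the 60 min SLA
    "recovery":    T0 + timedelta(minutes=110),  # reconnected to the trading network
}
LAST_BACKUP = T0 - timedelta(hours=3)            # offline backup 3 h old: within RPO
SEBI_NOTIFIED = T0 + timedelta(hours=20)         # initial notification inside 24 h

if __name__ == "__main__":
    results = check_phases(T0, SCENARIO_PHASES) | check_resilience(
        T0, LAST_BACKUP, SCENARIO_PHASES["recovery"], SEBI_NOTIFIED)
    print("SLA breaches:", breaches(results) or "none")   # ['eradication']
```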

Conclusion

The broker’s adherence to CSCRF timelines prevents settlement disruption and avoids regulatory penalties, illustrating why knowledge of SLA targets is crucial for the exam.

Regulatory Requirements & Reporting

SEBI circulars require brokers and DPs to file a quarterly cyber‑risk compliance report (CRCR) that details risk scores, control gaps, and remediation status. The report must be signed by the CISO and the board chair.

In case of a breach that impacts client assets or market integrity, a mandatory incident notification must be sent to SEBI within 24 hours, followed by a detailed forensic report within 30 days.

Exam tip: If a question asks for the reporting deadline after a data breach, the correct answer is 24 hours for initial notification.

ℹ️ Pitfall – Confusing Quarterly vs. Annual Reporting

Many candidates select ‘annual’ for the CRCR deadline. Remember: CSCRF mandates a quarterly compliance report, while the annual audit is a separate SEBI requirement.

Testing & Audits

CSCRF obliges brokers and DPs to undergo both internal and external audits. Internal audits are conducted semi‑annually by the firm’s compliance team, focusing on control effectiveness. External audits, performed by SEBI‑approved auditors, occur annually and cover the entire cyber‑security program.

During an audit, auditors verify evidence such as patch logs, access‑control matrices, and incident‑response drill records. Any deviation results in a corrective action plan that must be closed within 45 days.

Exam relevance: A multiple‑choice question may ask which audit frequency is correct for external SEBI‑approved audits – the answer is ‘annual’.

Exam Takeaways

  • CSCRF is a SEBI‑mandated framework that applies to all stock brokers and depository participants.
  • The five pillars – Governance, Risk Management, Secure Architecture, Incident Management, and Resilience Testing – structure the compliance obligations.
  • Risk Score = Likelihood × Impact; any score above the regulatory threshold triggers a remediation plan within 30 days.
  • Incident response must meet strict SLA targets: detection (≤15 min), containment (≤30 min), eradication (≤60 min), recovery (≤120 min).
  • Quarterly cyber‑risk compliance reports (CRCR) are mandatory; breach notification to SEBI must be made within 24 hours.
  • External SEBI‑approved audits are conducted annually, while internal audits are semi‑annual.
  • Resilience metrics – RPO ≤4 hours and RTO ≤8 hours for critical systems – are examined frequently in scenario‑based questions.

Practice Questions

8 questions on Cyber Security & Cyber Resilience framework (CSCRF) for Stock Brokers / Depository Participants

1. What does the Cyber Security & Cyber Resilience Framework (CSCRF) primarily establish for stock brokers and depository participants?

2. Which pillar of CSCRF specifically mandates network segmentation, encryption, and multi‑factor authentication?

3. How often must a stock broker perform cyber‑risk assessments for its trading platforms under CSCRF?

4. A threat is rated Likelihood = 4 (high) and Impact = 3 (moderate). What is the resulting Risk Score?

5. If a risk item’s score exceeds the CSCRF threshold, what is the maximum time allowed to implement a remediation plan?

6. During the incident response lifecycle, which phase directly follows the isolation (containment) of a compromised server?

7. What are the target SLA times (in minutes) for detection, containment, eradication, and recovery respectively in CSCRF?

8. After a breach that impacts client assets, within what timeframe must a broker submit the initial incident notification to SEBI, and by when must the detailed forensic report be filed?