14.7

Cybersecurity and Cyber Resilience Framework (CSCRF)

This sub‑topic covers the Cybersecurity and Cyber Resilience Framework (CSCRF) that SEBI expects research analysts and market intermediaries to adopt. It explains the regulatory backdrop, the five pillars of the framework, risk assessment methodology and reporting obligations. Mastery of CSCRF helps you answer scenario‑based questions on compliance and risk management in the NISM Series XV exam.

Learning Objectives

  • Define CSCRF and its relevance to SEBI‑registered entities
  • Identify the five pillars of the framework and their key controls
  • Apply the risk‑score formula for cyber risk assessment
  • Explain incident reporting timelines and governance responsibilities

Definition of Cybersecurity and Cyber Resilience Framework (CSCRF)

CSCRF is a structured set of policies, processes and technical controls that enable a securities market participant to prevent, detect, respond to and recover from cyber incidents while maintaining business continuity.

The framework is not limited to IT security; it integrates risk governance, incident management, third‑party oversight and regular testing to build cyber resilience, i.e., the ability to continue operations despite attacks.

For the NISM exam, questions often present a breach scenario and ask which CSCRF component must be activated. Remember that resilience implies both protection and rapid recovery.

ℹ️ Exam trap – CSCRF ≠ General IT Security

Students sometimes treat CSCRF as just firewalls and antivirus. The exam expects you to include governance, risk assessment and recovery planning as integral parts.

Regulatory Mandate under SEBI

SEBI issued Circular No. 04/2020 on "Cyber Security and Cyber Resilience Framework" for all listed entities, mutual funds, stock‑brokers and research analysts. The circular makes it mandatory to adopt a documented CSCRF and to file an annual compliance report with the SEBI registrar.

The framework must be reviewed at least once a year or after any major cyber incident. Failure to comply can attract penalties up to 5% of the net worth of the entity, as per SEBI's enforcement powers.

Exam questions may ask for the reporting frequency or the penalty range; keep the 5% figure in mind and link it to the circular number.

Core Components of CSCRF

The CSCRF is built around five pillars: Identify, Protect, Detect, Respond and Recover. Each pillar contains specific controls that together create a layered defence.

Identify covers asset inventory, data classification and cyber‑risk assessment. Protect includes access management, encryption and secure coding practices. Detect focuses on continuous monitoring, intrusion detection systems and anomaly analytics.

Respond defines the incident‑response plan, communication protocols and escalation matrix. Recover ensures business‑continuity plans, backup restoration and post‑incident lessons learned are in place.

Five Pillars of CSCRF and Primary Controls

Pillar   | Key Objective               | Typical Controls
Identify | Know what needs protection  | Asset register, data classification, risk assessment
Protect  | Prevent unauthorized access | Identity & access management, encryption, patch management
Detect   | Spot anomalies early        | SIEM, IDS/IPS, continuous monitoring
Respond  | Contain and remediate       | Incident response plan, communication protocol, forensic tools
Recover  | Restore normal operations   | Backup & restore, business continuity plan, post‑mortem review

Cyber Risk Assessment

Risk assessment quantifies the potential impact of cyber threats on the firm. SEBI requires a risk‑score matrix that combines the likelihood of a threat occurring with its financial impact.

The likelihood is usually rated on a scale of 1 (rare) to 5 (almost certain). Impact is rated on a scale of 1 (insignificant loss) to 5 (catastrophic loss exceeding ₹10 crore). Multiplying the two gives a risk score ranging from 1 to 25.

In the exam, you may be given likelihood and impact values and asked to classify the risk as Low (1‑5), Medium (6‑15) or High (16‑25). Remember the thresholds.

Formula: Cyber Risk Score

Risk Score = L × I

Where:

L = Likelihood rating (1‑5)
I = Impact rating (1‑5)

Worked Example

Given L = 4 (likely) and I = 3 (moderate impact):
Step 1: Risk Score = 4 × 3
Step 2: Risk Score = 12
Verification: 4 × 3 = 12, which falls in the Medium band (6‑15).
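The scoring rule above carried through in Python, as an added illustration for this study guide rather than SEBI's or NISM's own code: it rejects ratings outside the 1‑5 scale, classifies the product with the Low/Medium/High thresholds stated above, and orders a small risk register so the treatment priority is explicit. The threat names and their ratings are constructed for the example.

```python
"""Cyber risk score = Likelihood x Impact, classified with the thresholds
stated on the page (Low 1-5, Medium 6-15, High 16-25).
Added illustration for this study guide; it is not SEBI's or NISM's code."""

RATING_SCALE = range(1, 6)  # both ratings run from 1 to 5
LOW_MAX = 5                 # scores 1-5 are Low
MEDIUM_MAX = 15             # scores 6-15 are Medium; 16-25 are High


def risk_score(likelihood: int, impact: int) -> int:
    """Return L x I after checking that both ratings are on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in RATING_SCALE:
            raise ValueError(f"{name} rating {value!r} is outside the 1-5 scale")
    return likelihood * impact


def classify(score: int) -> str:
    """Map a 1-25 score onto the exam's three bands."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} is outside the 1-25 range")
    if score <= LOW_MAX:
        return "Low"
    if score <= MEDIUM_MAX:
        return "Medium"
    return "High"


def assess(likelihood: int, impact: int) -> tuple:
    """Score and classify in one step: returns (score, band)."""
    score = risk_score(likelihood, impact)
    return score, classify(score)


def risk_register(threats):
    """Score a list of (threat name, L, I) rows and order them High first,
    highest score first within a band."""
    band_rank = {"High": 0, "Medium": 1, "Low": 2}
    rows = [(name, *assess(l, i)) for name, l, i in threats]
    return sorted(rows, key=lambda row: (band_rank[row[2]], -row[1]))


# Constructed sample register for a small research firm (illustrative ratings).
SAMPLE_THREATS = [
    ("Phishing of analyst mailboxes", 4, 3),
    ("Ransomware on the research file server", 3, 5),
    ("Cloud analytics vendor outage", 2, 2),
    ("Insider leak of client-level data", 5, 4),
]

if __name__ == "__main__":
    for name, score, band in risk_register(SAMPLE_THREATS):
        print(f"{band:<6} {score:>2}  {name}")
```

Note the boundary cases: a score of exactly 15 is still Medium and 16 is the first High value, and a score of 5 (for example L = 1, I = 5) is still Low even though the impact alone is catastrophic; the exam thresholds apply to the product, not to either rating on its own.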

Incident Response & Reporting

When a cyber incident is detected, the organization must activate its Incident Response Plan (IRP) within 30 minutes. The IRP outlines containment, eradication, and recovery steps.

SEBI mandates that a breach affecting client data or market integrity be reported to the SEBI registrar within 72 hours of discovery, along with a preliminary impact assessment.

Exam scenarios often test the timeline: if an analyst discovers a phishing breach at 10:00 AM, the first internal escalation must happen by 10:30 AM and the regulator must be notified within the 72‑hour window that starts at discovery.

ℹ️ Common mistake – Reporting window confusion

Students mix up the 30‑minute internal escalation with the 72‑hour regulator reporting deadline. Keep them distinct in your mind.
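The two windows above, expressed as an added Python compliance check (not part of the NISM material) run over a few constructed incident records: it derives both deadlines from the detection time and flags an escalation or regulator report that was made late, or that is still open after its window has closed. The record layout, the incident ids and the timestamps are assumptions made for this example.

```python
"""Check incident records against the two CSCRF deadlines given on the page:
internal escalation within 30 minutes of detection and notification of the
regulator within 72 hours. Added illustration for this study guide; the
record layout and the sample incidents below are constructed, not real."""
from datetime import datetime, timedelta

ESCALATION_WINDOW = timedelta(minutes=30)
REPORTING_WINDOW = timedelta(hours=72)


def deadlines(detected_at: datetime):
    """Return (escalation deadline, regulator reporting deadline)."""
    return detected_at + ESCALATION_WINDOW, detected_at + REPORTING_WINDOW


def check_incident(record: dict) -> list:
    """Return the obligations an incident has breached (empty list = compliant).

    record keys: 'detected_at' (datetime, required); 'escalated_at' and
    'reported_at' (datetime, or None when not yet done); 'now' (datetime used
    to judge open incidents whose deadline may already have passed)."""
    detected = record["detected_at"]
    escalation_deadline, reporting_deadline = deadlines(detected)
    now = record.get("now", detected)
    findings = []
    checks = (
        ("escalation", record.get("escalated_at"), escalation_deadline),
        ("regulator report", record.get("reported_at"), reporting_deadline),
    )
    for label, done_at, deadline in checks:
        if done_at is None:
            if now > deadline:          # still open and the window has closed
                findings.append(f"{label} overdue")
        elif done_at > deadline:        # done, but after the window closed
            findings.append(f"{label} late")
    return findings


def audit(records):
    """Map each incident id to its list of breached obligations."""
    return {r["id"]: check_incident(r) for r in records}


# Constructed sample incidents: detection at 10:00 on 4 March 2024 in each case.
T0 = datetime(2024, 3, 4, 10, 0)
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "detected_at": T0, "escalated_at": T0 + timedelta(minutes=25),
     "reported_at": datetime(2024, 3, 7, 9, 0)},                # both on time
    {"id": "INC-2", "detected_at": T0, "escalated_at": T0 + timedelta(minutes=45),
     "reported_at": datetime(2024, 3, 7, 9, 0)},                # escalated late
    {"id": "INC-3", "detected_at": T0, "escalated_at": T0 + timedelta(minutes=10),
     "reported_at": None, "now": datetime(2024, 3, 7, 11, 0)},  # report overdue
    {"id": "INC-4", "detected_at": T0, "escalated_at": T0 + timedelta(minutes=30),
     "reported_at": datetime(2024, 3, 7, 10, 0)},               # exactly on the boundary
]

if __name__ == "__main__":
    for incident_id, findings in audit(SAMPLE_INCIDENTS).items():
        print(incident_id, "compliant" if not findings else ", ".join(findings))
```

The check treats "within" inclusively, so an action timestamped exactly at the deadline (INC-4) passes; a firm whose policy reads the window as exclusive would change the two `>` comparisons to `>=`. INC-3 shows why an open incident needs a reference time: a report that has simply not been made yet is only a breach once the 72 hours have elapsed.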

Cyber Resilience Testing

SEBI expects periodic testing of the CSCRF. This includes vulnerability scanning quarterly, penetration testing annually, and red‑team exercises every two years for larger entities.

Testing results must be documented, gaps remediated within 45 days, and a summary filed with the regulator. The maturity of a firm's resilience is often graded as Basic, Intermediate, or Advanced based on test frequency and remediation speed.

In multiple‑choice questions, you may be asked which test is mandatory annually – the answer is penetration testing.

Testing Frequency vs. Resilience Maturity Level

Governance and Roles

The Board of Directors holds ultimate responsibility for cyber resilience. They must approve the CSCRF, allocate resources and review periodic risk reports.

A Chief Risk Officer (CRO) or a dedicated Cybersecurity Officer oversees day‑to‑day implementation, conducts risk assessments and ensures testing schedules are met.

Research analysts are required to follow the firm’s data‑handling policies, report any suspicious activity immediately, and refrain from sharing client‑level data on unsecured platforms.

Third‑Party and Cloud Risks

Most market participants use cloud‑based analytics platforms. SEBI mandates that third‑party service providers undergo a cyber‑risk assessment and sign a Service Level Agreement (SLA) covering data encryption, breach notification and audit rights.

Vendor risk scores are calculated using the same likelihood‑impact matrix, but the impact rating is adjusted for data sensitivity and contractual exposure.

Exam questions may present a scenario where a cloud vendor suffers a breach; you need to identify the firm’s responsibility to report and remediate under the CSCRF.

Cyber Insurance and Financial Impact

Cyber insurance is encouraged as a risk‑transfer mechanism. Policies typically cover incident response costs, legal fees, regulatory fines (subject to SEBI caps) and business‑interruption losses.

When calculating the insured amount, firms use the maximum probable loss derived from the risk‑score matrix multiplied by an exposure factor (e.g., 1.5 for high‑growth firms). This ensures coverage exceeds the worst‑case scenario.

Remember that the premium is a deductible expense and must be disclosed in the firm’s financial statements as per Indian Accounting Standards (Ind AS 38).

Exam Takeaways

  • CSCRF is a five‑pillar framework (Identify, Protect, Detect, Respond, Recover) mandated by SEBI Circular No. 04/2020.
  • Risk Score = Likelihood × Impact (1‑5 scale); classify as Low (1‑5), Medium (6‑15), High (16‑25).
  • Internal escalation must occur within 30 minutes; regulator reporting within 72 hours of a breach.
  • Mandatory testing: quarterly vulnerability scans, annual penetration test, red‑team exercise every two years for advanced maturity.
  • Board approves CSCRF; CRO/Chief Cybersecurity Officer implements; analysts must adhere to data‑handling policies.
  • Third‑party cloud providers need cyber‑risk assessment and SLA; breach responsibility remains with the primary firm.
  • Cyber insurance covers response, fines (up to SEBI caps) and business interruption; premium recorded as expense per Ind AS 38.

Practice Questions

8 questions on Cybersecurity and Cyber Resilience Framework (CSCRF)

1. What is the Cybersecurity and Cyber Resilience Framework (CSCRF) as defined by SEBI?

2. Which pillar of the CSCRF includes asset inventory and data classification as its primary controls?

3. A cyber risk assessment yields a likelihood rating of 3 (possible) and an impact rating of 5 (catastrophic loss exceeding ₹10 crore). What is the risk classification?

4. Which of the following tests is explicitly required to be performed annually under SEBI's CSCRF testing mandate?

5. If a cyber incident is detected at 10:00 AM, by what time must the organization complete its internal escalation according to the CSCRF incident‑response timeline?

6. Non‑compliance with the mandatory adoption of a documented CSCRF can attract a penalty of up to what percentage of the entity's net worth?

7. Who holds the ultimate responsibility for approving the CSCRF and allocating resources within a SEBI‑registered entity?

8. When a cloud‑based third‑party service provider suffers a data breach, which entity is responsible for reporting the breach to the SEBI registrar?
