Cyber Security and Cyber Resilience Framework (CSCRF) for Stock Brokers and Depository Participants

CSCRF is a comprehensive set of policies, processes and technical controls prescribed by SEBI to ensure that stock brokers and depository participants can prevent, detect, respond to and recover from cyber incidents. The framework aligns with global standards such as ISO/IEC 27001 but is tailored to the Indian securities market environment.

The primary aim is to protect client data, transaction integrity and the overall stability of the trading ecosystem. It requires entities to adopt a risk‑based approach, meaning that the depth of controls should correspond to the level of cyber risk identified.

For the NISM exam, candidates must know the definition, the regulatory basis (SEBI (Stock Brokers) Regulations, 1992 and SEBI (Depositories) Regulations, 1996), and why cyber resilience is treated as a systemic risk factor.

• Regulatory compliance – non‑adherence can attract penalties or suspension.
• Investor confidence – robust cyber controls enhance market credibility.

The framework is divided into six inter‑linked components: Governance, Risk Management, Asset Management, Threat Management, Incident Management and Recovery. Each component has defined responsibilities for senior management, IT teams and compliance officers.

Governance establishes the cyber‑security policy, appoints a Chief Information Security Officer (CISO) and defines escalation matrices. Risk Management requires periodic cyber‑risk assessments and the maintenance of a risk register.

During the exam, expect scenario‑based questions that ask which component addresses a particular activity, such as patch management (Asset Management) or post‑incident review (Recovery).

While both entities fall under CSCRF, their exposure differs. Stock brokers handle order flow, client portals and trading platforms, making them prime targets for phishing and transaction manipulation. Depository participants, on the other hand, maintain electronic holdings (demat accounts) and thus focus heavily on data integrity and unauthorized access prevention.

Regulatory expectations reflect this distinction. Brokers must implement two‑factor authentication for trade execution, whereas depositories must enforce strict segregation of duties for account creation and modification.

Exam questions may present a breach scenario and ask which entity bears primary responsibility for a specific control – recall the functional split above.

The risk score helps prioritize remediation. A score of 12, as in the example, would be classified as ‘High’ and trigger immediate corrective actions under the Incident Management component.

SEBI requires brokers and depositories to perform this assessment at least annually and whenever a significant change to the IT environment occurs (e.g., new trading platform launch).

In the exam, you may be asked to calculate the risk score for a given likelihood‑impact pair or to identify the appropriate remediation tier based on the score.

When a cyber incident is detected, the Incident Management component mandates a predefined response workflow: detection, containment, eradication, recovery, and post‑incident review. The timeline for reporting to SEBI is within 24 hours of confirming a material breach.

Key elements of the report include the nature of the incident, affected systems, impact assessment, remedial steps taken and recommendations to prevent recurrence.

Exam candidates should memorize the 24‑hour reporting rule and the five‑step response process, as they frequently appear in multiple‑choice questions.

SEBI circulars (e.g., Circular No. 12/2021) mandate that all stock brokers and depository participants must implement CSCRF by a specified compliance date and undergo annual third‑party audits. Non‑compliance can lead to monetary penalties, suspension of trading permissions, or even cancellation of registration.

NISM’s syllabus emphasizes that candidates should be able to identify the key regulatory documents, the audit frequency (annual) and the minimum content of the cyber‑risk register.

Typical exam questions may present a statement about audit frequency and ask whether it is true or false – recall the annual audit requirement.

Resilience goes beyond prevention; it ensures continuity of critical services during and after an attack. Measures include redundant data centres, regular backups, disaster‑recovery drills and real‑time replication of trading data.

For brokers, resilience also means maintaining alternative order routing paths to avoid market disruption. Depository participants focus on immutable audit trails for demat transactions.

In the exam, you may be asked to match a resilience measure with the entity that primarily implements it – keep the broker‑vs‑depository distinction in mind.

Annual penetration testing, vulnerability scanning and compliance audits are compulsory under CSCRF. The audit report must be submitted to SEBI and any critical findings must be remediated within 30 days.

Continuous improvement is driven by lessons learned from incident post‑mortems, changes in threat intelligence feeds and periodic updates to the risk register.

Exam candidates should know the audit timeline (annual) and the remediation window (30 days for critical findings).