ChecklistUpdated 2026-02-15For: Stock brokers, depositories, AMCs, MIIs, KRAs, RTAs, clearing corps preparing for a SEBI cybersecurity audit

SEBI Cybersecurity Audit Checklist

SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) is graded on evidence, not intent. Most failed CSCRF audits are not about missing controls — they're about controls that exist but can't be evidenced. This checklist is the exact one our auditors use when scoping a SEBI engagement, organised by CSCRF's IPDRR pillars and the additional resilience obligations for QSBs and MIIs.

Talk to an expert All resources

The Checklist

Identify (CSCRF IPDRR — Identify)

Asset inventory of all IT/OT systems, mapped to data classification (critical / sensitive / supporting)
Threat-model document per critical system (OMS, RMS, surveillance, mobile/web trading)
Risk register updated within last 6 months, signed by CISO + management
Vendor / third-party risk register including data-processing relationships
Business Impact Analysis (BIA) with RTO/RPO for each critical asset

Protect

Network segmentation between trading / surveillance / general IT — documented + tested
Identity & access management with MFA, JIT and quarterly access reviews
Encryption inventory: data-at-rest (DB-level + storage), data-in-transit (TLS 1.2+), key management evidence
Endpoint protection (EDR) deployment evidence across 100% of in-scope endpoints
Patch management evidence (scanner results, remediation tickets, SLA adherence)
Email security (SPF, DKIM, DMARC enforced; advanced threat-protection in place)
Mobile device management (MDM) for dealer terminals + executive devices

Detect

SIEM in place with at least 90-day log retention for in-scope systems
Use-case catalogue: critical detections written, tested, and tuned (top 30)
Threat intelligence feed integrated and consumed
User & entity behaviour analytics (UEBA) for trading desk anomaly detection
File integrity monitoring on critical configuration / trading-engine files

Respond

Incident response playbook (current version, dated within last 12 months)
SEBI CSIRT reporting templates ready and rehearsed (6-hour material-incident clock)
Tabletop exercise log — at least 2 in last 12 months, including market-abuse scenarios
Forensic readiness: log preservation, chain-of-custody procedures documented
External IR retainer in place (named provider + 24×7 contact)

Recover

Backup strategy with 3-2-1-1-0 rule (3 copies, 2 media, 1 offsite, 1 immutable, 0 errors)
Quarterly backup-restore test evidence
DR fire-drill report within last 12 months — full failover, timed against RTO/RPO
Business continuity plan with named owners and call-tree updated quarterly
Lessons-learned register from incidents and drills

QSB / MII additional obligations

Enhanced segregation between dealer / RMS / surveillance environments
Independent quarterly evidence reporting to SEBI
Cyber-resilience drills aligned to SEBI's expectations
Designated CISO + cyber-security committee with minute-of-meeting evidence
Customer disclosures and data-protection statements aligned to SEBI requirements

Frequently asked questions

How often must SEBI-regulated entities run cybersecurity audits?

At least annual for all critical systems; semi-annual for high-risk systems. Qualified Stock Brokers (QSBs) and Market Infrastructure Institutions (MIIs) typically run quarterly continuous VAPT plus the annual statutory audit.

Who can sign a SEBI cybersecurity audit?

A CERT-In Empanelled Information Security Auditor. SEBI relies on CERT-In's empanelment list — audits signed by non-empanelled auditors are typically rejected.

What's different for Qualified Stock Brokers (QSBs)?

QSBs have enhanced segregation, cyber-resilience drills, quarterly evidence reporting and stricter CISO accountability. Our QSB checklist adds a 'QSB-additional' section that mid-size brokers don't need.

Does the audit cover algo-trading systems?

Yes — input validation, kill-switch effectiveness, rate-limit handling, audit-trail integrity, exchange-side compliance and the SEBI algo-rules-2018 alignment are all in scope.

Can our existing CERT-In audit double as the SEBI audit?

Often yes — if the scope was mapped against CSCRF's IPDRR pillars and the SEBI-specific obligations. We frequently scope a single engagement to satisfy both regulators.

Related services

More resources

Need help executing this?

Talk to Digital Defense — India's CERT-In Empanelled cybersecurity team.

Book a consultation

Digital Defense

Online | Typically replies instantly

Hi there! 👋 Welcome to Digital Defense. I'm here to help you with your cybersecurity needs. How can I assist you today?