
CSCRF - Internal Audit Checklist v1.0

The SEBI CSCRF Internal Audit Checklist is a comprehensive guide for SEBI-regulated entities to ensure compliance with the Cybersecurity and Cyber Resilience Framework. It covers various critical security domains, including governance, risk management, data protection, and incident response, aimed at enhancing cybersecurity posture and mitigating risks in the financial sector. The checklist also provides a structured scoring system for compliance tracking and emphasizes continuous improvement in cybersecurity practices.

Uploaded by

nicolasv

SEBI CSCRF - Internal Audit Checklist v1.0

Purpose & Objective
This CSCRF Compliance Audit Checklist is designed as a comprehensive internal audit guide to help
SEBI-regulated entities ensure full compliance with SEBI’s latest Cybersecurity and Cyber Resilience
Framework (CSCRF). It serves as a structured approach to validate the implementation of security controls,
identify compliance gaps, and enhance the overall cybersecurity posture of financial institutions operating in
the Indian securities market.

Cyber threats continue to evolve rapidly, posing significant risks to trading platforms, depositories, clearing
corporations, stock exchanges, brokers, asset management companies (AMCs), and financial service
providers. The SEBI CSCRF establishes a robust cybersecurity governance framework, mandating
organizations to adopt proactive risk management strategies, implement stringent security controls, and
ensure resilient cyber defenses.

This checklist enables internal audit teams to:

✅ Assess cybersecurity governance and risk management practices
✅ Validate security controls aligned with SEBI’s CSCRF requirements
✅ Identify compliance gaps and define corrective actions
✅ Ensure adherence to incident response and regulatory reporting mandates
✅ Strengthen cyber resilience against emerging threats such as ransomware, insider threats,
DDoS attacks, data breaches, AI-driven threats, and deepfake fraud

Applicability & Target Audience


This checklist applies to all SEBI-regulated entities, including:

✔ Stock Exchanges
✔ Clearing Corporations
✔ Depositories
✔ Brokers & Trading Members
✔ Asset Management Companies (AMCs)
✔ Registrars & Transfer Agents (RTAs)
✔ Investment Advisers & Research Analysts
✔ Mutual Funds & Portfolio Managers
✔ Any financial institution handling securities trading and capital markets


Scope & Coverage


This comprehensive audit framework covers all critical security domains required for SEBI CSCRF
compliance, including but not limited to:

✅ Cyber Governance & Risk Management – Board-level security oversight, CISO roles, and risk
frameworks
✅ Identity & Access Management (IAM) – Role-based access, MFA, privileged account security
✅ Data Security & Privacy Compliance – Encryption, Data Loss Prevention (DLP), financial data
protection
✅ Network Security & Threat Protection – Firewalls, IDS/IPS, Zero Trust, cloud security
compliance
✅ Security Monitoring & Incident Response – 24/7 SOC monitoring, SIEM, incident reporting within
SEBI’s mandated 6-hour window
✅ Third-Party & Vendor Risk Management – Due diligence, cybersecurity contract clauses, vendor
access control
✅ DDoS Protection & Trading System Resilience – Market infrastructure security, high-frequency
trading safeguards
✅ AI & Emerging Threats Management – AI-driven fraud, quantum cryptography, insider collusion
detection
✅ Regulatory Compliance & Audit Readiness – SEBI-mandated security audits, continuous
monitoring, reporting frameworks
✅ Cybersecurity Awareness & Training – Phishing simulations, deepfake fraud training, employee
security culture

The checklist is structured in a way that ensures every security function is assessed in alignment with SEBI’s
evolving regulatory landscape.

Key Benefits of This Checklist


✔ Ensures regulatory compliance with SEBI’s latest cybersecurity directives
✔ Reduces cyber risks through proactive security validation
✔ Improves audit readiness for SEBI-mandated security audits
✔ Strengthens incident response capabilities for cyber resilience
✔ Enhances stakeholder confidence in cybersecurity governance
✔ Facilitates continuous improvement in cybersecurity frameworks

Audit Execution & Compliance Rating Methodology
To ensure effective compliance tracking, this checklist is designed to provide a structured scoring system for
cybersecurity controls. Audit teams should evaluate each domain and assign a compliance rating based on
the following scale:

| Compliance Level | Score (%) | Status | Remedial Action |
|---|---|---|---|
| Level 5 - Optimized | 96%-100% | Fully compliant | Continuous monitoring & improvement |
| Level 4 - Managed | 80%-95% | Minor gaps, security best practices followed | Address minor findings |
| Level 3 - Defined | 60%-79% | Needs improvement, critical gaps exist | Implement corrective actions |
| Level 2 - Reactive | 40%-59% | Serious compliance risks, immediate action needed | Urgent remediation required |
| Level 1 - Non-Compliant | <40% | High security risk, urgent remediation required | SEBI regulatory breach risk – immediate corrective action required |

Internal auditors should use this compliance rating methodology to track cybersecurity maturity levels and
identify priority areas for remediation.


Conclusion
SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) sets a high standard for cyber risk
management in India’s financial markets. This checklist serves as a strategic tool for internal audit teams to
systematically validate cybersecurity compliance, enhance cyber resilience, and mitigate financial sector
cyber risks.

By following this checklist, organizations can demonstrate proactive regulatory compliance, improve
incident response readiness, and foster a cyber-aware culture across financial markets.

✔ Use this checklist as a living document, updating it based on evolving SEBI guidelines and
cybersecurity threats.
✔ Ensure all remediation actions are tracked and implemented within SEBI’s required timeframes.
✔ Leverage this guide to strengthen your organization’s cybersecurity framework and achieve
operational resilience.

Section 1: Governance & Risk Management Compliance
Has the entity established a formal Information Security Committee (ISC)?
Does the ISC include senior management and IT security personnel?
Are cybersecurity policies and procedures formally documented, approved, and regularly updated?
Is there an appointed Chief Information Security Officer (CISO) responsible for cybersecurity governance?
Does the entity conduct regular cybersecurity risk assessments (at least annually)?
Are cyber risks integrated into the enterprise risk management (ERM) framework?
Are third-party/vendor risks considered in cybersecurity risk assessments?
Are periodic cybersecurity awareness training programs conducted for employees?
Section 2: Asset Management & Access Control Compliance
Does the entity maintain an updated IT asset inventory (hardware, software, applications, and cloud
services)?
Is an asset classification system in place to categorize critical systems and data?
Are access control policies implemented (Role-Based Access Control - RBAC, Least Privilege Access, etc.)?
Is Multi-Factor Authentication (MFA) enforced for privileged users and critical applications?
Are user accounts reviewed periodically to ensure inactive accounts are disabled?
Are privileged access logs maintained and reviewed periodically?
Section 3: Network & Infrastructure Security Compliance
Are network segmentation and zoning implemented to isolate critical systems?
Are firewall rules regularly reviewed and updated?
Are Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) deployed and monitored?
Is end-to-end encryption enforced for sensitive data in transit and at rest?
Are secure VPN configurations implemented for remote access users?
Is endpoint security protection (antivirus, EDR, etc.) installed and updated across all devices?
Are removable storage devices restricted and monitored?
Section 4: Data Security & Privacy Compliance
Are data classification policies defined and enforced (sensitive, confidential, public, etc.)?
Are data protection controls (Data Loss Prevention - DLP, encryption, secure storage) implemented?
Are backup policies defined, and are backups stored securely and tested regularly?
Are data retention and disposal policies aligned with SEBI’s requirements?
Is encryption enforced for customer and financial data (both at rest and in transit)?
Are personal and financial data access restricted to authorized personnel only?
Section 5: Security Monitoring & Threat Management Compliance
Is a Security Operations Center (SOC) established or outsourced for 24/7 monitoring?
Is a Security Information and Event Management (SIEM) system in place for log monitoring?
Are cybersecurity incidents logged, categorized, and investigated within defined timelines?
Are threat intelligence feeds integrated into security monitoring processes?
Are proactive threat-hunting exercises conducted periodically?
Are vulnerability scanning and penetration testing conducted at least twice a year?
Are patches and security updates applied in a timely manner (as per a patch management policy)?
Section 6: Incident Response & Cyber Resilience Compliance
Is a documented Incident Response Plan (IRP) in place and periodically tested?
Is a defined incident escalation matrix available, with roles and responsibilities assigned?
Are all security incidents reported to SEBI within the mandated timeline (6 hours of detection)?
Are regular incident response drills and tabletop exercises conducted?
Are cybersecurity incidents documented, analyzed, and lessons learned incorporated into policies?
Is Business Continuity Planning (BCP) integrated with cybersecurity requirements?
Are disaster recovery (DR) plans tested at least annually?
Are RTO (Recovery Time Objective) and RPO (Recovery Point Objective) defined and met?
Section 7: Vendor & Third-Party Risk Compliance
Are third-party vendors and service providers assessed for cybersecurity compliance?
Are third-party access controls defined, reviewed, and monitored regularly?
Are cybersecurity clauses included in vendor contracts and Service Level Agreements (SLAs)?
Are periodic security audits conducted on third-party vendors?
Is remote access to the entity’s network for vendors securely configured?
Section 8: Compliance Audits & Reporting Requirements
Are internal cybersecurity audits conducted at least annually?
Are external cybersecurity audits performed as per SEBI’s mandated frequency?
Are audit findings documented, and remediation plans tracked to closure?
Are cybersecurity compliance reports submitted to SEBI within prescribed deadlines?
Are all cybersecurity policies aligned with SEBI’s CSCRF framework?
Are key performance indicators (KPIs) and cybersecurity metrics reported to senior management?
Section 9: Awareness, Training & Security Culture Compliance
Are periodic cybersecurity awareness training sessions conducted for employees?
Are phishing simulations and social engineering attack drills performed?
Are cybersecurity roles and responsibilities clearly communicated to employees?
Is there a mechanism for employees to report security concerns or incidents?
Is there a cybersecurity reward or recognition program in place?
Section 10: Cloud Security & Virtual Infrastructure Compliance
Does the entity use cloud services (SaaS, PaaS, IaaS) for financial transactions or data processing?
Has a cloud security framework been implemented in alignment with SEBI’s CSCRF guidelines?
Are cloud service providers (AWS, Azure, GCP, etc.) assessed for cybersecurity compliance?
Are cloud data storage locations reviewed to ensure compliance with data residency requirements?
Are Identity & Access Management (IAM) policies enforced for cloud access?
Is encryption enabled for cloud-stored data at rest and in transit?
Are cloud logs (API calls, access logs, system events) monitored in a SIEM system?
Are cloud configurations reviewed periodically to detect misconfigurations?
Are cloud-based workloads protected against threats (WAF, DDoS mitigation, etc.)?
Are backups of cloud-based systems tested regularly for data recovery?
Section 11: Secure Software Development & DevSecOps Compliance
Are all applications and software developed internally following Secure Software Development Lifecycle
(SDLC) principles?
Are secure coding standards (OWASP, SEBI guidelines, etc.) implemented to prevent vulnerabilities?
Are application security assessments (Static & Dynamic Application Security Testing - SAST/DAST)
conducted before deployment?
Are third-party/open-source components used in applications reviewed for security vulnerabilities
(Software Bill of Materials - SBOM)?
Are API security policies enforced to prevent data breaches and unauthorized access?
Are DevSecOps best practices integrated into CI/CD pipelines (automated security testing)?
Are containerized applications (Docker, Kubernetes) secured and regularly scanned?
Are proper authentication and authorization mechanisms implemented for microservices-based
architectures?
Section 12: Emerging Threats & Advanced Security Compliance
Are AI-based cybersecurity solutions (threat intelligence, behavior analytics) implemented?
Is Zero Trust Architecture (ZTA) enforced for network and data access?
Are Behavioral Analytics and User Entity Behavior Analytics (UEBA) used to detect anomalies?
Are ransomware protection and incident response playbooks defined and tested?
Is a dark web monitoring strategy in place to identify potential data leaks?
Are financial fraud monitoring tools integrated with cybersecurity controls?
Are blockchain-based securities transactions protected against cyber threats?
Are quantum-safe cryptographic measures considered for future-proofing security?
Section 13: Supply Chain & Third-Party Risk Compliance
Are all vendors assessed for cybersecurity risks before onboarding?
Are third-party software and IT service providers required to comply with SEBI’s CSCRF?
Are vendor access and privileges reviewed periodically?
Is data shared with vendors encrypted and access-restricted?
Are cyber risk contracts and SLAs enforced for all third-party vendors?
Are third-party incident response procedures defined in case of vendor data breaches?
Are offshore vendors reviewed for compliance with India’s cybersecurity laws?
Are third-party security audits mandated and periodically conducted?
Section 14: Mobile Security & Endpoint Protection Compliance
Are mobile devices accessing corporate financial systems protected with MDM (Mobile Device
Management)?
Are BYOD (Bring Your Own Device) security policies enforced?
Are financial apps developed for mobile transactions secured using encryption?
Are endpoints (laptops, workstations, trading terminals) protected with EDR (Endpoint Detection &
Response)?
Are phishing-resistant authentication mechanisms (hardware security keys, biometrics) deployed for
high-risk users?
Section 15: Physical Security & Insider Threat Compliance
Are physical access controls (biometric authentication, key cards) implemented for data centers?
Are server rooms, data centers, and IT infrastructure secured against unauthorized access?
Are cybersecurity and physical security teams aligned on risk management strategies?
Are employee background verification and insider threat detection mechanisms in place?
Are behavioral monitoring solutions deployed for insider threat detection?
Section 16: Incident Forensics & Regulatory Investigations Compliance
Are forensic investigation capabilities in place to analyze security breaches?
Are logs stored and retained as per SEBI-mandated log retention policies?
Are chain-of-custody procedures followed when handling digital evidence?
Are internal investigations conducted for any suspected cybersecurity violations?
Are regulatory audits conducted in compliance with SEBI-mandated forensic procedures?
Section 17: Continuous Improvement & Compliance Maturity
Is the cybersecurity program continuously updated based on new threats?
Is an external benchmarking assessment conducted (e.g., NIST, ISO 27001, etc.)?
Are lessons learned from past cybersecurity incidents documented and integrated into policies?
Are cybersecurity policies periodically tested through red teaming exercises?
Are all security awareness programs evaluated for effectiveness?
Are audit recommendations acted upon, with timelines for remediation?
Section 18: AI & Machine Learning Security Compliance
Are AI/ML models used for trading, risk assessment, or fraud detection protected from adversarial attacks?
Is AI bias monitoring conducted to prevent manipulative trading strategies?
Are AI/ML-based security tools (such as UEBA, AI-driven SOC) deployed for anomaly detection?
Are AI models continuously monitored for drift and performance degradation?
Are AI data sources vetted to prevent poisoning attacks (data integrity attacks on ML training sets)?
Section 19: Threat Intelligence & Threat Sharing Compliance
Is the organization subscribed to cybersecurity threat intelligence feeds (e.g., CERT-In, FS-ISAC)?
Is a threat intelligence platform (TIP) integrated with SIEM and SOC operations?
Are Indicators of Compromise (IOCs) actively monitored and shared internally?
Are cyber threat advisories from SEBI and regulatory bodies promptly acted upon?
Are cyber kill-chain analysis techniques used for proactive threat detection?
Section 20: Distributed Denial of Service (DDoS) Protection Compliance
Has a DDoS risk assessment been conducted for financial services?
Is a DDoS mitigation plan in place, including on-prem and cloud-based solutions?
Are Web Application Firewalls (WAF) configured to prevent volumetric attacks?
Are trading platforms, brokerage applications, and critical infrastructure protected against DDoS attacks?
Are automated detection systems in place for botnet and volumetric attack behaviors?
Section 21: Trading & Financial Market System Security Compliance
Are stock exchange trading platforms hardened against algorithmic and high-frequency trading cyber risks?
Are security measures in place to detect spoofing, front-running, and market manipulation?
Are encryption and cryptographic measures enforced on electronic trading systems?
Are stock order processing systems monitored for insider trading indicators?
Are API security and access control measures implemented for trading bots and applications?
Are trade settlement systems (Clearing & Settlement) protected against unauthorized access?
Are smart contract-based trading mechanisms (if applicable) tested for security vulnerabilities?
Section 22: Secure Email & Communication Compliance
Is Domain-based Message Authentication, Reporting & Conformance (DMARC) implemented for email
security?
Are phishing-resistant authentication measures (SPF, DKIM, DMARC) enabled for email security?
Are advanced email security tools (email filtering, anti-malware solutions) deployed?
Are executives trained to recognize and report Business Email Compromise (BEC) threats?
Is email content encryption enforced for sensitive financial data?
Are social engineering simulations conducted regularly to assess email-based attack risks?
Section 23: Dark Web Monitoring & Data Leak Prevention (DLP) Compliance
Are dark web monitoring tools deployed to detect leaked financial data, credentials, and sensitive company
information?
Are DLP solutions configured to prevent unauthorized sharing of sensitive financial data?
Is there an escalation plan for detecting SEBI-regulated data leaks?
Are anomaly detection algorithms used to monitor data exfiltration attempts?
Section 24: Secure Remote Work & Work-from-Anywhere (WFA) Compliance
Are Virtual Private Network (VPN) or Zero Trust Network Access (ZTNA) solutions deployed for remote
users?
Are remote access authentication policies enforced with Multi-Factor Authentication (MFA)?
Are remote employees’ endpoints secured with endpoint detection and response (EDR/XDR) solutions?
Are remote workstations monitored for unauthorized software installations?
Are home Wi-Fi security recommendations enforced for remote employees accessing trading systems?
Section 25: Insider Threat Management & Employee Behavior Analysis Compliance
Are privileged user activities monitored using User and Entity Behavior Analytics (UEBA)?
Are access logs for C-level executives, brokers, and IT admins regularly reviewed?
Are employees required to declare conflicts of interest related to trading or financial operations?
Are whistleblower policies in place for reporting insider cybersecurity violations?
Are sensitive transactions monitored for abnormal behavioral patterns?
Section 26: Incident Response for Regulatory Breaches & Data Breach Notification Compliance
Are regulatory breach scenarios pre-defined with clear incident response protocols?
Are legal and compliance teams involved in cyber breach response plans?
Are SEBI-mandated breach reporting guidelines (6-hour reporting window) strictly followed?
Are cross-border data breach notification requirements (e.g., GDPR, DPDP Act) considered?
Are forensic readiness policies in place to investigate cyber breaches effectively?
Is SEBI formally notified in case of any cyberattack affecting financial markets?
Section 27: Cryptographic Controls & Key Management Compliance
Are encryption keys stored in a secure hardware security module (HSM)?
Are key rotation policies implemented for cryptographic keys used in financial transactions?
Are digital signatures and secure cryptographic protocols enforced in financial transactions?
Are outdated cryptographic algorithms (MD5, SHA-1) phased out in favor of stronger encryption?
Is encryption enforced on mobile trading apps and payment gateways?
Section 28: Financial Fraud Detection & Transaction Monitoring Compliance
Are real-time fraud detection systems deployed for transaction monitoring?
Are SEBI-mandated fraud indicators (unusual trading patterns, bulk order anomalies) actively monitored?
Are trade surveillance mechanisms in place to prevent pump-and-dump schemes?
Are ML-driven fraud prevention techniques used to flag suspicious transactions?
Are SEBI’s anti-money laundering (AML) requirements integrated with cybersecurity controls?
Section 29: Advanced Security Architecture & Zero Trust Compliance
Has the organization implemented a Zero Trust Architecture (ZTA) for financial data access?
Are micro-segmentation and least-privilege access enforced for all critical systems?
Are privileged access sessions recorded and monitored for anomalies?
Are security policies enforced at the application layer (Application-Aware Security Controls)?
Are network security policies dynamically updated based on real-time risk scores?
Section 30: Quantum-Resistant Cryptography Compliance
Is the organization assessing the impact of quantum computing on cryptographic security?
Are post-quantum cryptographic algorithms being considered for future implementation?
Are legacy encryption algorithms (RSA-2048, ECC) reviewed for post-quantum risks?
Are cryptographic key lengths reviewed for alignment with SEBI’s evolving security mandates?
Are secure key distribution methods being tested for resistance to quantum attacks?
Section 31: RegTech (Regulatory Technology) & Compliance Automation
Has the organization implemented RegTech solutions to automate SEBI compliance?
Are compliance reports auto-generated for SEBI submissions?
Is AI-driven compliance monitoring used to detect policy violations in financial transactions?
Are automated alerts triggered for non-compliance with cybersecurity controls?
Are compliance dashboards updated in real-time for board-level reporting?
Section 32: Insider Collusion & Market Abuse Detection
Are behavioral analytics tools deployed to detect insider collusion and trade manipulation?
Are employees’ financial transactions monitored for unusual trading patterns?
Is an ethical trading policy enforced for brokerage and financial service employees?
Are access logs analyzed to detect unauthorized access to market-sensitive data?
Are third-party entities (e.g., investment firms, hedge funds) monitored for regulatory violations?
Section 33: Cybersecurity Budgeting & Investment Compliance
Is a dedicated cybersecurity budget allocated annually?
Is the budget aligned with SEBI’s mandatory security control investments?
Are security investments prioritized based on a risk-based approach?
Is cybersecurity training funded adequately for continuous staff education?
Are external cybersecurity experts engaged for periodic independent assessments?
Section 34: Ethical Hacking & Continuous Security Testing Compliance
Are periodic red team/blue team exercises conducted to test defenses?
Are ethical hackers engaged through a SEBI-compliant bug bounty program?
Are penetration testing reports reviewed, and remediation steps implemented?
Are adversarial attack simulations performed for real-world financial threat scenarios?
Are critical vulnerabilities patched within SEBI’s mandated timelines?
Section 35: Cryptocurrency & Blockchain Security Compliance (if applicable)
Are cryptocurrency transactions (if permitted) monitored for compliance with SEBI and RBI guidelines?
Are blockchain-based smart contracts audited for security vulnerabilities?
Are cryptographic wallet security controls enforced (hardware wallet, multi-signature)?
Is an anti-money laundering (AML) compliance framework implemented for crypto transactions?
Are blockchain network nodes secured against Sybil and 51% attacks?
Section 36: Adverse Media & Reputation Risk Monitoring
Is media monitoring conducted to track cyber incidents impacting financial markets?
Are automated tools deployed to detect brand impersonation and fake financial news?
Are deepfake video and voice fraud detection tools implemented for financial security?
Is social media activity monitored for phishing campaigns targeting customers?
Are takedown services used for fraudulent domains impersonating the financial institution?
Section 37: Customer Cybersecurity & Digital Hygiene Compliance
Are customers educated on secure online banking and trading practices?
Are account takeover (ATO) fraud detection measures in place for customer logins?
Are financial mobile apps tested against OWASP Mobile Top 10 vulnerabilities?
Are strong authentication mechanisms (biometric, FIDO2) enforced for customer access?
Are fraud response teams trained to handle customer financial cybersecurity complaints?
Section 38: Social Engineering & Deepfake Attack Readiness
Are employees trained to recognize deepfake-based cyber threats?
Are deepfake detection tools used to verify voice/video-based financial transactions?
Are identity verification processes enhanced to prevent deepfake fraud?
Are social engineering attack simulations conducted for executive staff?
Are board members briefed on emerging risks related to synthetic identity fraud?
