
“Understanding SEBI’s Cybersecurity & Cyber Resilience Requirements in 2026”

Many regulated firms must update governance, incident response and third‑party controls to meet SEBI’s 2026 mandates; you should align your policies, perform continuous monitoring and test recovery plans regularly. Noncompliance can trigger heavy penalties and business disruption, while robust resilience measures reduce outage risk and preserve market trust. Focus your efforts on asset inventories, encryption, access controls and supplier oversight to demonstrate compliance and sustain operations under attack.

Key Takeaways:

  • Governance and accountability: SEBI expects board-level oversight, clear cybersecurity roles and responsibilities, and regular senior-management reporting on cyber posture.
  • Incident reporting and response: Mandatory, time-bound reporting of material cyber incidents to regulators, supported by documented incident response plans, forensic capabilities, and post-incident reviews.
  • Third-party and supply-chain risk: Enhanced vendor due diligence, contractual security obligations, continuous monitoring of critical suppliers, and periodic third-party audits.
  • Continuous monitoring and resilience testing: Regular vulnerability management, penetration testing, tabletop exercises, business continuity and disaster-recovery plans to ensure operational resilience.
  • Data protection and standards alignment: Requirements for data classification, encryption, secure cross-border handling, alignment with frameworks (NIST/ISO), transparent disclosures, and penalties for non-compliance.

SEBI 2026 framework: scope & objectives

Applicability across market participants (exchanges, intermediaries, listed entities)

The 2026 framework covers primary market infrastructure (stock exchanges, clearing corporations, depositories, custodians, registered intermediaries and listed entities) and extends to material third‑party vendors and cloud providers. If you run or depend on these services, expect mandatory governance, continuous monitoring, third‑party risk assessments and enhanced reporting; SEBI places special scrutiny on exchanges and clearinghouses because failures there can cascade across the entire market.

Core objectives: confidentiality, integrity, availability and systemic cyber resilience

At its center the regime enforces the CIA triad (confidentiality, integrity and availability) while adding explicit duties for systemic cyber resilience across interconnected participants. You must implement strong encryption, multi‑factor authentication, tamper‑evident logs and measurable recovery targets (RTO/RPO), plus threat‑sharing and stress‑testing to limit contagion risk.

SEBI expects concrete controls: annual red‑team assessments, regular tabletop exercises and continuous monitoring tied to KPIs; you should patch critical CVEs within 30 days, maintain immutable audit trails and keep recovery objectives (for critical trading systems often under 4 hours) documented and tested. Also focus on vendor concentration: many platforms rely on a handful of matching engines and cloud providers, so your contracts must enforce SLAs, incident‑response playbooks and cross‑border cooperation clauses to prevent a single supplier outage from becoming a market‑wide shutdown.

Governance & risk management obligations

You must embed cybersecurity into corporate governance with documented policies, a sanctioned cyber strategy, and clear escalation paths. Create a monthly cyber subcommittee, maintain a live incident register, mandate an annual independent audit, and enforce vendor due diligence for your top 20 suppliers. SEBI-aligned governance requires quarterly board reports tied to remediation timelines, budget approvals, and measurable resilience outcomes.

Board accountability, CISO role and governance structures

You should appoint a CISO with direct board access and authority over incident response, third-party risk, and resilience testing. Structure reporting so the CISO briefs the board monthly, backed by a cyber subcommittee and at least one director with demonstrable cyber expertise. Provide the CISO with dedicated budget, SLAs, and a formal delegation matrix that allows them to escalate critical incidents within 1 hour.

Risk assessment, metrics, risk appetite and reporting cadence

You need formal risk assessments at least quarterly, continuous vulnerability scans, and annual penetration tests. Track KPIs like MTTD under 24 hours, MTTR under 72 hours, and patch SLAs (critical: 14 days; high: 30 days). Maintain a monthly metrics dashboard for the board, perform quarterly deep-dive reviews, and set a target of fewer than five active critical vulnerabilities at any time.

Operationalize risk appetite by inventorying assets, scoring impact and likelihood on a 1-5 scale, and running scenario stress tests (RTO/RPO). Use heat maps to translate appetite into thresholds – for example, downtime over 4 hours for critical trading systems triggers executive escalation and external notification; breaches affecting >5% of customers require immediate board brief and third-party forensics. Tie remediation to SLA-backed vendor contracts and run tabletop exercises every six months.
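The KPIs and appetite thresholds in the two paragraphs above (MTTD under 24 hours, MTTR under 72 hours, patch SLAs of 14 and 30 days, fewer than five open criticals, the 4‑hour downtime and 5% customer‑impact triggers) only mean something when they are computed from your actual registers. The following is an added example, not SEBI's code or a template from any circular: it runs those checks over a constructed vulnerability register and incident list. The risk‑band cut‑offs in `risk_score` (8 and 15) are an assumption for illustration; the page states the 1-5 scale but not the band boundaries.

```python
from datetime import datetime, timedelta

# Added example (not SEBI's code): turns the KPIs and risk-appetite
# thresholds from the text into checks you can run over a vulnerability
# register and incident list. All records below are constructed.

PATCH_SLA_DAYS = {"critical": 14, "high": 30}   # SLAs quoted in the text
MAX_ACTIVE_CRITICAL = 5                         # target: fewer than five open criticals
MTTD_TARGET_HOURS = 24
MTTR_TARGET_HOURS = 72
DOWNTIME_ESCALATION_HOURS = 4                   # >4h downtime on critical trading systems
CUSTOMER_IMPACT_ESCALATION_PCT = 5              # >5% of customers affected


def patch_sla_report(vulns, now):
    """vulns: dicts with id, severity, discovered, remediated (None while open)."""
    overdue = []
    open_critical = 0
    for v in vulns:
        if v["remediated"] is not None:
            continue                      # closed finding, no longer counted
        if v["severity"] == "critical":
            open_critical += 1
        sla = PATCH_SLA_DAYS.get(v["severity"])
        if sla is None:
            continue                      # medium/low: no SLA given in the text
        deadline = v["discovered"] + timedelta(days=sla)
        if now > deadline:
            overdue.append((v["id"], (now - deadline).days))
    return {
        "overdue": overdue,
        "open_critical": open_critical,
        "within_appetite": open_critical < MAX_ACTIVE_CRITICAL,
    }


def mttd_mttr_hours(incidents):
    """MTTD = start->detection, MTTR = detection->resolution; both as mean hours."""
    n = len(incidents)
    mttd = sum((i["detected"] - i["started"]).total_seconds() for i in incidents) / n / 3600
    mttr = sum((i["resolved"] - i["detected"]).total_seconds() for i in incidents) / n / 3600
    return round(mttd, 1), round(mttr, 1)


def risk_score(impact, likelihood):
    """Impact and likelihood on a 1-5 scale; product selects the heat-map cell.
    Band cut-offs (8, 15) are an assumed illustration, not from the text."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be on a 1-5 scale")
    score = impact * likelihood
    band = "high" if score >= 15 else "medium" if score >= 8 else "low"
    return score, band


def escalation_actions(downtime_hours, affected_customer_pct):
    """Map the two appetite thresholds from the text onto required actions."""
    actions = []
    if downtime_hours > DOWNTIME_ESCALATION_HOURS:
        actions += ["executive_escalation", "external_notification"]
    if affected_customer_pct > CUSTOMER_IMPACT_ESCALATION_PCT:
        actions += ["board_brief", "third_party_forensics"]
    return actions


def sample_register():
    """Constructed register: three open findings, one closed, two incidents."""
    d = datetime
    vulns = [
        {"id": "V-1", "severity": "critical", "discovered": d(2026, 2, 1), "remediated": None},
        {"id": "V-2", "severity": "high", "discovered": d(2026, 2, 10), "remediated": None},
        {"id": "V-3", "severity": "critical", "discovered": d(2026, 2, 25), "remediated": None},
        {"id": "V-4", "severity": "critical", "discovered": d(2026, 1, 1), "remediated": d(2026, 1, 10)},
    ]
    incidents = [
        {"started": d(2026, 2, 3, 8), "detected": d(2026, 2, 3, 20), "resolved": d(2026, 2, 5, 20)},
        {"started": d(2026, 2, 10, 0), "detected": d(2026, 2, 11, 6), "resolved": d(2026, 2, 14, 6)},
    ]
    return vulns, incidents, d(2026, 3, 1)


def board_dashboard(vulns, incidents, now):
    """One dict a monthly board pack can be rendered from."""
    mttd, mttr = mttd_mttr_hours(incidents)
    return {
        "mttd_h": mttd, "mttd_ok": mttd < MTTD_TARGET_HOURS,
        "mttr_h": mttr, "mttr_ok": mttr < MTTR_TARGET_HOURS,
        **patch_sla_report(vulns, now),
    }


if __name__ == "__main__":
    vulns, incidents, now = sample_register()
    print(board_dashboard(vulns, incidents, now))
    print(risk_score(5, 4), escalation_actions(5, 2), escalation_actions(1, 10))
```

On the constructed data the dashboard reports V-1 as 14 days past its critical SLA while the open‑critical count (2) is still within appetite, which is exactly the kind of split result a board report should surface rather than average away.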

Technical controls & operational resilience

Integrate technical controls into resilience programs so your systems survive targeted attacks and operational failures; prioritize MFA, real‑time SIEM, immutable logging and automated failover. Adopt measurable targets, such as 99.95% availability for trading‑facing services, and tie controls to playbooks, vendor SLAs and board reporting to demonstrate continuous readiness.

Minimum technical controls: IAM, encryption, network segmentation and logging

You should enforce MFA, role‑based access and privileged access management, encrypt data at rest with AES‑256 and in transit using TLS 1.3, and deploy VLANs plus microsegmentation to block lateral movement. Centralize logs in a SIEM with immutable audit trails, UTC timestamps and searchable retention (commonly 12 months) to support forensics and regulator inquiries.
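"Immutable audit trail" is easy to claim and hard to evidence. One way to make a log tamper‑evident, shown here as an added example rather than anything SEBI or a SIEM vendor publishes, is a hash chain: each entry commits to the SHA‑256 of the previous one, so an edited, deleted or reordered record fails verification from that point on. Truncating the tail is the one manipulation a chain alone cannot detect, so the verifier also accepts an anchor hash kept out of band (for example on write‑once storage). The events and timestamps are constructed.

```python
import copy
import hashlib
import json

# Added example (not SEBI's or any vendor's code): a hash-chained audit trail.
# Every entry commits to the SHA-256 of the previous entry, so modifying,
# reordering or deleting a record breaks verification from that point on.
# Timestamps are UTC ISO-8601 strings, as the text recommends.

GENESIS_HASH = "0" * 64  # anchor for the first entry


def _canonical(body: dict) -> bytes:
    """Deterministic JSON encoding so the same entry always hashes the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, ts_utc: str, event: dict) -> dict:
    """Append an event, linking it to the hash of the current last entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"ts": ts_utc, "prev": prev_hash, "event": event}
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain: list, anchor_hash=None):
    """Return (True, len(chain)) if intact, else (False, index of first bad entry).

    anchor_hash is the latest hash stored out of band (e.g. WORM storage);
    comparing against it catches truncation of the tail, which the chain
    by itself cannot reveal.
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev_hash:
            return False, i                      # link to predecessor broken
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False, i                      # entry content was altered
        prev_hash = entry["hash"]
    if anchor_hash is not None and prev_hash != anchor_hash:
        return False, len(chain)                 # tail is missing
    return True, len(chain)


def build_sample_chain() -> list:
    """Constructed sample events (not real data)."""
    chain = []
    append_entry(chain, "2026-03-01T09:00:00Z", {"user": "ops1", "action": "login", "mfa": True})
    append_entry(chain, "2026-03-01T09:05:00Z",
                 {"user": "ops1", "action": "change_firewall_rule", "rule": "allow 10.0.0.0/8"})
    append_entry(chain, "2026-03-01T09:07:00Z", {"user": "ops1", "action": "logout"})
    return chain


def tampered_copies(chain: list) -> dict:
    """Three manipulations a verifier must catch: edit, delete, truncate."""
    edited = copy.deepcopy(chain)
    edited[1]["event"]["user"] = "someone_else"   # rewrite who made the change
    deleted = copy.deepcopy(chain)
    del deleted[1]                                 # drop the incriminating record
    truncated = copy.deepcopy(chain)[:-1]          # remove the most recent entry
    return {"edited": edited, "deleted": deleted, "truncated": truncated}


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]
    print("intact:", verify_chain(chain, anchor))
    for name, bad in tampered_copies(chain).items():
        print(name, "->", verify_chain(bad, anchor))
```

In production the chain head would be published periodically to a store the log writers cannot modify (a separate account, WORM bucket or signed timestamp), because whoever can rewrite the log can also rebuild the chain from the altered point onward; the anchor is what turns "hashed" into "tamper‑evident".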

Business continuity, disaster recovery and resilience testing requirements

Your BC/DR program must specify RTO and RPO targets (for example RTO ≤60 minutes, RPO ≤15 minutes for critical systems), maintain offsite replicated backups, and execute layered testing: monthly restore checks, quarterly tabletop exercises and annual full failovers. Map third‑party dependencies and capture post‑test metrics to drive remediation.

Operationalize tests by automating failovers to a hot standby or cloud region and validating end‑to‑end transaction integrity within targets; for example, a mid‑tier brokerage reduced average recovery from 6 hours to 30 minutes after combining DNS automation, synchronous DB replication and weekly runbook drills. You must include third‑party failover clauses, checksum‑based backup verification, clear customer‑impact KPIs (latency, transaction loss), and mandatory after‑action reviews with tracked remediation deadlines.
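The two BC/DR paragraphs above ask for checksum‑based backup verification and for recovery measured against stated RTO/RPO targets (RTO ≤60 minutes, RPO ≤15 minutes for critical systems). The block below is an added example, not the brokerage's runbook or any SEBI artefact: it builds a SHA‑256 manifest at backup time, recomputes it on the restore side, and scores a drill against the targets. Backup contents and timestamps are constructed.

```python
import hashlib
from datetime import datetime, timedelta

# Added example (not any firm's runbook): checksum-based backup verification
# plus an RTO/RPO check using the targets quoted in the text. File contents
# and timestamps are constructed for illustration.

RTO = timedelta(minutes=60)   # maximum tolerable downtime for critical systems
RPO = timedelta(minutes=15)   # maximum tolerable data loss


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict) -> dict:
    """name -> SHA-256, computed at backup time and stored with the backup set."""
    return {name: sha256_hex(data) for name, data in artefacts.items()}


def verify_backup_set(manifest: dict, artefacts: dict) -> dict:
    """Recompute every checksum on the restore side and compare to the manifest."""
    result = {"verified": [], "corrupt": [], "missing": []}
    for name, expected in manifest.items():
        data = artefacts.get(name)
        if data is None:
            result["missing"].append(name)
        elif sha256_hex(data) != expected:
            result["corrupt"].append(name)
        else:
            result["verified"].append(name)
    return result


def check_recovery_targets(last_backup_at, failure_at, restored_at) -> dict:
    """Data loss is measured from the last good backup; downtime from failure."""
    data_loss = failure_at - last_backup_at
    downtime = restored_at - failure_at
    return {
        "data_loss_min": int(data_loss.total_seconds() // 60),
        "rpo_met": data_loss <= RPO,
        "downtime_min": int(downtime.total_seconds() // 60),
        "rto_met": downtime <= RTO,
    }


def drill_passed(integrity: dict, timing: dict) -> bool:
    """A drill passes only if every artefact verified and both targets were met."""
    return (not integrity["corrupt"] and not integrity["missing"]
            and timing["rpo_met"] and timing["rto_met"])


def sample_drill():
    """Constructed drill: one artefact arrives corrupted, one never arrives."""
    original = {
        "orders.db": b"order-ledger-snapshot-0001",
        "positions.db": b"positions-snapshot-0001",
        "config.tar": b"matching-engine-config-v12",
    }
    manifest = build_manifest(original)
    restored = dict(original)
    restored["orders.db"] = b"order-ledger-snapshot-0002"   # wrong generation / bit rot
    del restored["config.tar"]                               # replication gap
    integrity = verify_backup_set(manifest, restored)
    t = datetime
    timing = check_recovery_targets(t(2026, 3, 1, 9, 50), t(2026, 3, 1, 10, 0),
                                    t(2026, 3, 1, 10, 45))
    return integrity, timing


if __name__ == "__main__":
    integrity, timing = sample_drill()
    print(integrity)
    print(timing)
    print("drill passed:", drill_passed(integrity, timing))
```

Note that the constructed drill meets both RTO and RPO yet still fails, because two artefacts did not verify; a drill report that only records timings would have marked it green. That is why the text pairs checksum verification with the recovery metrics rather than treating either alone as sufficient.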

Incident response, forensics & reporting

You must operate IR and forensics as operational controls, not paperwork: maintain an on-call SOC, documented escalation matrices, and a legal liaison to preserve privileged communications. SEBI expects you to keep immutable logs and forensic images for at least 180 days, run table-top exercises at least annually, and demonstrate containment and root-cause timelines when submitting post-incident reports to regulators and exchanges.

Incident response plans, playbooks and forensic readiness

Your IR plan should include role-based playbooks for ransomware, data exfiltration and DDoS with step-by-step containment, communication templates, and recovery SLAs. Ensure forensic readiness by centralizing time-synchronized logs, enabling EDR snapshots, enforcing chain-of-custody, and using immutable, access-controlled storage so you can produce admissible evidence within 24-72 hours of an audit request.

Mandatory reporting timelines, formats and public disclosure expectations

SEBI-aligned reporting is tiered: severe incidents require notification within 6 hours, high-impact within 24 hours, and less severe within 72 hours; reports should follow the regulator’s structured template (summary, affected assets, IOCs, mitigation, residual risk). Public disclosure is mandated when an incident is material to investors or market functioning, and you must coordinate messaging with the exchange to avoid conflicting statements.

In practice you will submit a technical annex (JSON/XML) with timestamps, affected system counts, CVE references and IOC hashes, plus a compliance annex with remediation dates and customer impact estimates. For ransomware, include the ransom note and ciphertext hashes; for data breaches, quantify records exposed. Failure to provide re‑constructable logs or timely reports can trigger inspections, mandatory audits and regulatory inquiries.
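The tiered deadlines (6, 24 and 72 hours from detection) and the structured report sections (summary, affected assets, IOCs, mitigation, residual risk) plus the technical and compliance annexes described in the two paragraphs above lend themselves to a small generator that a SOC can run at the moment an incident is classified. The block below is an added example: field names are assumptions, not a SEBI‑issued schema; the CVE reference is an obvious placeholder because the page cites no specific CVE; and the IOC values are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Added example (not SEBI's template): computes the tiered reporting deadline
# and assembles the structured report described in the text as JSON. Tiers
# and deadlines come from the text; field names, the CVE placeholder and the
# IOC values are constructed assumptions, not a regulator-issued schema.

REPORTING_DEADLINE_HOURS = {"severe": 6, "high": 24, "low": 72}
REQUIRED_SECTIONS = ("summary", "affected_assets", "iocs", "mitigation", "residual_risk")


def reporting_deadline(severity: str, detected_at: datetime) -> datetime:
    """Deadline is measured from detection, per the tier table in the text."""
    return detected_at + timedelta(hours=REPORTING_DEADLINE_HOURS[severity])


def build_report(severity, detected_at, summary, affected_assets, iocs,
                 mitigation, residual_risk, cve_refs, remediation_by, customer_impact):
    """Assemble the regulator-facing body plus the technical and compliance annexes."""
    return {
        "severity": severity,
        "detected_at": detected_at.isoformat(),
        "report_due_by": reporting_deadline(severity, detected_at).isoformat(),
        "summary": summary,
        "affected_assets": affected_assets,
        "iocs": iocs,
        "mitigation": mitigation,
        "residual_risk": residual_risk,
        "technical_annex": {
            "affected_system_count": len(affected_assets),
            "cve_references": cve_refs,
            "ioc_hashes": [i["value"] for i in iocs if i["type"] == "sha256"],
        },
        "compliance_annex": {
            "remediation_by": remediation_by.isoformat(),
            "customer_impact_estimate": customer_impact,
        },
    }


def validate_report(report: dict) -> list:
    """Names of required sections that are missing or empty; [] means complete."""
    return [s for s in REQUIRED_SECTIONS if not report.get(s)]


def to_json(report: dict) -> str:
    return json.dumps(report, indent=2, sort_keys=True)


def sample_report() -> dict:
    """Constructed ransomware incident on an order-management host."""
    detected = datetime(2026, 3, 1, 10, 0, tzinfo=timezone.utc)
    iocs = [
        # constructed hash: SHA-256 of a fixed string, not a real sample
        {"type": "sha256", "value": hashlib.sha256(b"constructed-sample-binary").hexdigest()},
        {"type": "domain", "value": "example.invalid"},   # reserved TLD, constructed
    ]
    return build_report(
        severity="severe",
        detected_at=detected,
        summary="Ransomware detected on OMS application host; contained, no trading impact",
        affected_assets=["oms-app-01", "oms-db-01"],
        iocs=iocs,
        mitigation=["isolated affected hosts", "rotated service credentials", "restored from verified backup"],
        residual_risk="low: no evidence of lateral movement beyond the two hosts",
        cve_refs=["CVE-YYYY-NNNNN (placeholder, page cites no specific CVE)"],
        remediation_by=detected + timedelta(days=7),
        customer_impact={"customers_affected_pct": 0.4, "transactions_lost": 0},
    )


if __name__ == "__main__":
    report = sample_report()
    print("missing sections:", validate_report(report))
    print(to_json(report))
```

The `report_due_by` field is the one most worth automating: it is computed from the detection timestamp, not from when the ticket was opened or escalated, which is the gap that most often turns a 6‑hour obligation into a missed one.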

Third‑party & supply‑chain security

You must treat third parties as extensions of your estate: enforce network segmentation, minimum security baselines and contractual right‑to‑audit clauses, and map critical dependencies so a supplier outage doesn’t cascade. The 2020 SolarWinds compromise, impacting ~18,000 customers, shows why you should require vendor attestations, restrict privileged integrations, and maintain an inventory with risk tags and recovery plans for the top 10 suppliers by criticality.

Vendor due diligence, risk classification and contractual safeguards

Classify suppliers into high/medium/low risk tiers (e.g., custodial, cloud, outsourcing = high), require evidence like SOC 2 Type II or ISO 27001, and mandate contractual protections: 24‑hour incident notification, SLAs for patching, data‑handling rules, encryption, indemnities and right‑to‑audit with remediation timelines.

Ongoing monitoring, audits and supply‑chain incident management

Implement continuous telemetry (SIEM/EDR/partner portals), quarterly supplier risk scoring and annual penetration tests; set patch SLAs (e.g., critical CVEs remediated within 30 days), maintain playbooks and run tabletop exercises annually, and ensure escalation to your board or CRO within 72 hours of major supply‑chain incidents.

Operationalize monitoring by targeting MTTD <24 hours and MTTR <72 hours, integrating vendor APIs into your SOAR, and scheduling quarterly audits plus annual independent reviews; map transitive dependencies to limit blast radius and use contractual KPIs tied to service credits or termination rights to enforce remediation.

Compliance, audits & enforcement

Your firm must sustain continuous compliance posture through scheduled and risk‑based audits, with the regulator expecting annual attestations plus ongoing supervisory reporting. Common practices include ISO 27001 certification, third‑party audits every 12-24 months, and maintaining evidence for 3-7 years. SEBI‑style inspections increasingly focus on supply‑chain and cloud controls.

Compliance evidence, audit cycles, certifications and supervisory reporting

Keep tamper‑evident system logs, incident tickets, change records and third‑party SLA reports as primary evidence; regulators expect you to produce them on demand. Typical audit cycles are annual internal audits with third‑party audits every 12-24 months. You should aim for certifications like ISO 27001 or SOC 2, and submit structured supervisory reports, often quarterly and sometimes monthly for high‑risk entities.

Enforcement regime, penalties, remediation timelines and remediation monitoring

Enforcement follows show‑cause notices, directions, monetary fines, suspension of activities and, in severe cases, prosecution; fines in notable cases have been in lakhs to crores of INR. You will typically receive remediation windows, often 30-180 days, and be required to provide progress updates. Enforcement escalates for repeat failures and systemic gaps.

After a notice, you must submit a detailed remediation plan with timelines and resource commitments; regulators frequently demand independent validation (external auditor sign‑off) before case closure. Persistent gaps trigger escalations such as restrictions on client onboarding, mandatory appointment of an independent CISO, and public disclosure. Monitoring normally combines on‑site inspections with remote attestations and progress reports every 15-30 days until closure.

To wrap up

With these considerations you should align your governance, threat detection, incident response, and third-party oversight with SEBI’s 2026 cybersecurity and cyber resilience standards; invest in continuous monitoring, staff training, and periodic audits to demonstrate compliance; document policies and test controls regularly so your board and regulators can verify readiness and minimize operational and reputational risk.

FAQ

Q: Which entities fall under SEBI’s 2026 Cybersecurity & Cyber Resilience requirements and what high-level obligations apply?

A: SEBI’s framework covers market infrastructure institutions and regulated intermediaries (stock exchanges, clearing corporations, depositories, mutual funds, asset managers, registrars, brokers, depository participants and other registered entities). High-level obligations include board-level governance and a documented cyber risk policy; designation of senior responsibility for cyber (e.g., CISO or equivalent); periodic enterprise cyber risk assessments; implementation of technical controls (identity & access management, endpoint protection, patch management, encryption, secure configuration); continuous monitoring and logging (SIEM/SOC); regular vulnerability assessment and penetration testing; formal incident response, forensic readiness and business continuity / disaster recovery plans; security management of third parties and outsourced services; and periodic independent audits and reporting to SEBI as required by the applicable circulars.

Q: What practical steps should an organization take to achieve and demonstrate compliance?

A: Start with a gap assessment mapping current controls to SEBI requirements and to a recognised standard (ISO 27001 or NIST CSF). Establish or update governance (board reporting, policy suite, roles & responsibilities), appoint a senior cyber lead, and document a multi-year remediation roadmap with prioritized technical fixes (patching cadence, MFA, network segmentation). Build operational capabilities: 24×7 monitoring, centralized logging, incident response playbooks, tabletop exercises, vulnerability management and regular penetration testing. Implement due diligence for suppliers and outsourced services, SOC reporting and evidence retention practices. Maintain artefacts for compliance reviews: policies, risk registers, test reports, incident reports, audit findings, remediation logs and board minutes.

Q: How does SEBI enforce these requirements, what are the typical compliance expectations during an incident or audit, and what best practices reduce enforcement risk?

A: SEBI enforces via supervisory checks, directives and penalties under securities law where non-compliance impacts market integrity or investor protection; enforcement actions can include fines, restrictions on operations or remediation orders. During an incident, organisations should follow prescribed reporting channels and timelines in SEBI circulars, provide forensic evidence, root-cause analysis and a documented remediation plan with milestones. For audits, expect evidence of governance, independent test reports, incident logs, change records and third-party due diligence. Best practices to reduce enforcement risk: align controls to ISO/NIST, maintain forensic-ready logging, perform independent audits, run regular red-team/blue-team exercises, enforce least privilege and MFA, keep board-level cyber reporting current, and ensure contractual clauses and continuous monitoring for suppliers.