CSI Cyber Security Awards 2025 — Women in Cyber + Outstanding Training
Macksofy Technologies
SEBI · Stock Exchanges · Clearing Corporations · Depositories

SEBI MII Cybersecurity Framework Audit

MII-grade cyber audit — 99.99% availability, capacity-tested, cross-MII coordinated.

Cybersecurity and cyber-resilience audit for Market Infrastructure Institutions — Stock Exchanges, Clearing Corporations and Depositories. Covers the SEBI MII cyber framework, the CSCRF MII tier, capacity planning, cyber-resilience drills and cross-MII coordination obligations.

Request AuditTalk to a consultant
Download sample audit report
CERT-In format · anonymised
Aligned to
  • SEBI Cybersecurity & Cyber Resilience Framework (CSCRF) — MII tier (SEBI/HO/MIRSD/CRADT/CIR/P/2024/113 dated 20-Aug-2024 and successors)
  • SEBI Cybersecurity & Cyber Resilience Framework for MIIs (SEBI/HO/MIRSD/CIR/P/2018/147)
  • SEBI Business Continuity Plan & Disaster Recovery for MIIs
  • SEBI Outsourcing by Stock Exchanges, Clearing Corporations & Depositories
  • IOSCO Principles for Financial Market Infrastructures (PFMI)
  • ISO 27001:2022 + ISO 22301 (BCP)
  • NIST CSF 2.0 (cross-mapped)
  • CERT-In incident-reporting obligations
Why this matters

Compliance is leverage, not paperwork.

MIIs sit at the apex of India's capital-market plumbing — a single outage propagates across every broker, AMC and investor. SEBI's MII cyber framework (originating with SEBI/HO/MIRSD/CIR/P/2018/147 and consolidated under CSCRF in 2024-25) mandates 99.99% availability, periodic capacity testing, red-team exercises, cross-MII cyber drills and quarterly SEBI reporting. Non-MII brokers run against the CSCRF Qualified / Mid-size / Small RE tiers — but MIIs face the strictest bar, with SEBI inspections, SOP-2 access reviews and ETP reporting layered on top. Macksofy's MII audit produces the cyber-resilience, capacity and cross-MII evidence pack SEBI's IT department reviews quarterly.

Applicability
  • Stock Exchanges (BSE, NSE, MSE, MCX, NCDEX, etc.)
  • Clearing Corporations (NSCCL, ICCL, MCCIL, NCCL, etc.)
  • Depositories (NSDL, CDSL)
  • MII subsidiaries running critical capital-market services
  • MII-style entities seeking IOSCO-aligned attestation
  • MII technology providers (where SEBI access extends)
Standards & frameworks

Aligned to the regulations that matter.

SEBI Cybersecurity & Cyber Resilience Framework (CSCRF) — MII tier (SEBI/HO/MIRSD/CRADT/CIR/P/2024/113 dated 20-Aug-2024 and successors)
SEBI Cybersecurity & Cyber Resilience Framework for MIIs (SEBI/HO/MIRSD/CIR/P/2018/147)
SEBI Business Continuity Plan & Disaster Recovery for MIIs
SEBI Outsourcing by Stock Exchanges, Clearing Corporations & Depositories
IOSCO Principles for Financial Market Infrastructures (PFMI)
ISO 27001:2022 + ISO 22301 (BCP)
NIST CSF 2.0 (cross-mapped)
CERT-In incident-reporting obligations
Methodology

How we run a SEBI MII engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

SEBI MII · Start
  1. Phase 01

    1 · MII tier scoping

    • Critical-system inventory (matching, clearing, settlement, depository)
    • RTO / RPO + 99.99% availability commitment baseline
    • Cross-MII dependency mapping
    • SEBI / IT-Committee + IOSCO PFMI alignment
    01
    Phase 01

    1 · MII tier scoping

    • Critical-system inventory (matching, clearing, settlement, depository)
    • RTO / RPO + 99.99% availability commitment baseline
    • Cross-MII dependency mapping
    • SEBI / IT-Committee + IOSCO PFMI alignment
  2. Phase 02

    2 · Cybersecurity controls

    • CSCRF MII-tier control assessment
    • Identity, access, privileged-access, MFA evidence
    • Network segmentation + microsegmentation
    • Cryptographic-control + HSM lifecycle
    02
    Phase 02

    2 · Cybersecurity controls

    • CSCRF MII-tier control assessment
    • Identity, access, privileged-access, MFA evidence
    • Network segmentation + microsegmentation
    • Cryptographic-control + HSM lifecycle
  3. Phase 03

    3 · Cyber resilience & capacity

    • Capacity-planning + stress-testing evidence
    • Cyber-resilience drill (matching engine failover)
    • Active-active / hot-DR validation
    • Recovery-time + recovery-point empirical evidence
    03
    Phase 03

    3 · Cyber resilience & capacity

    • Capacity-planning + stress-testing evidence
    • Cyber-resilience drill (matching engine failover)
    • Active-active / hot-DR validation
    • Recovery-time + recovery-point empirical evidence
  4. Phase 04

    4 · Threat operations

    • 24×7 SOC capability + use-case coverage
    • Threat-intel ingestion + TTP coverage (ATT&CK)
    • Red-team + purple-team exercise evidence
    • Vulnerability + patch SLA per criticality
    04
    Phase 04

    4 · Threat operations

    • 24×7 SOC capability + use-case coverage
    • Threat-intel ingestion + TTP coverage (ATT&CK)
    • Red-team + purple-team exercise evidence
    • Vulnerability + patch SLA per criticality
  5. Phase 05

    5 · Cross-MII & ecosystem

    • Cross-MII cyber-drill participation evidence
    • Member / broker connectivity security audit
    • Outsourcing + third-party risk per SEBI outsourcing circular
    • Incident-reporting to SEBI + CERT-In (6h)
    05
    Phase 05

    5 · Cross-MII & ecosystem

    • Cross-MII cyber-drill participation evidence
    • Member / broker connectivity security audit
    • Outsourcing + third-party risk per SEBI outsourcing circular
    • Incident-reporting to SEBI + CERT-In (6h)
  6. Phase 06

    6 · Reporting & SEBI pack

    • Quarterly SEBI cyber-report format
    • CSCRF System Audit Report draft
    • IT-Committee + Board cybersecurity dashboard
    • Remediation tracker + 30-day retest
    06
    Phase 06

    6 · Reporting & SEBI pack

    • Quarterly SEBI cyber-report format
    • CSCRF System Audit Report draft
    • IT-Committee + Board cybersecurity dashboard
    • Remediation tracker + 30-day retest
Closure + retest
Deliverables

Everything you need to satisfy auditors.

  • CSCRF MII-tier compliance attestation
  • Capacity + cyber-resilience drill evidence pack
  • Red-team + purple-team executive report
  • Cross-MII coordination evidence file
  • Quarterly SEBI cyber-report template + first submission
  • IT-Committee + Board cybersecurity dashboard
  • Member-connectivity security audit pack
  • Free retest within 30 days + closure letter
Recent engagements
Tier-1 Depository

CSCRF MII-tier audit + cross-MII drill facilitation

Outcome: Cross-MII drill cleared end-to-end; 99.99% availability empirically evidenced; SEBI quarterly report cycle reduced from 14 to 5 working days

National Stock Exchange (commodity segment)

Capacity test + cyber-resilience drill

Outcome: Matching-engine failover validated under simulated DDoS + insider scenarios; recovery-time empirical evidence accepted by SEBI without queries

At a glance

The shape of a SEBI MII engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

0
Methodology phases
0
Documented activities
0
Auditor-ready deliverables
0 day
Day retest window
Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

18CONTROLS MAPPEDacross 6 pillars
Coverage breakdown
  • MII availability & capacity3 pts
  • Cyber resilience drills3 pts
  • MII-tier security controls3 pts
  • Threat operations & red-team3 pts
  • Ecosystem & cross-MII3 pts
  • SEBI reporting & governance3 pts
Pillar 01
MII availability & capacity

99.99% is not a marketing target — SEBI tests it quarter on quarter.

  • Capacity-planning + stress-test evidence
  • Active-active / hot-DR validation
  • Latency + jitter monitoring at matching layer
Pillar 02
Cyber resilience drills

Tested failover under cyber-incident scenarios, not just hardware faults.

  • Annual cyber-resilience drill participation
  • Cross-MII coordinated drill evidence
  • Recovery-time empirical proof per critical system
Pillar 03
MII-tier security controls

CSCRF MII tier — the strictest control baseline in the SEBI universe.

  • Privileged-access + MFA + JIT controls
  • Network segmentation + microsegmentation
  • Crypto + HSM lifecycle management
Pillar 04
Threat operations & red-team

Continuous threat detection plus periodic adversary-emulation testing.

  • 24×7 SOC use-case + ATT&CK coverage
  • Threat-intel ingestion + sharing
  • Red-team + purple-team annual exercise
Pillar 05
Ecosystem & cross-MII

The MII is only as resilient as the brokers, clearing members and inter-MII links it touches.

  • Member-connectivity security audit
  • Cross-MII drill + information sharing
  • Outsourcing + third-party risk evidence
Pillar 06
SEBI reporting & governance

What the IT Committee, Board and SEBI see — in the cadence SEBI sets.

  • Quarterly SEBI cyber report
  • IT-Committee + Board cyber dashboard
  • Incident reporting (SEBI + CERT-In 6h)
Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a SEBI MII engagement. Click any station for detail in the methodology section above.

01
Week 1
MII tier scoping
02
Week 2
Cybersecurity controls
03
Week 3
Cyber resilience & capacity
04
Week 4
Threat operations
05
Week 5
Cross-MII & ecosystem
06
Week 6
Reporting & SEBI pack
What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

Google
4.9 · 612 reviews
Trustpilot
4.8 · 412 reviews
LinkedIn
20K+ · followers
CERT-In Empanelled
Govt of India · MeitY
EC-Council ATC
Authorized Training
ISO 27001 Certified
Info Security Mgmt
We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.
AK
Aisha Khan
Information Security Manager · Listed Fintech · BKC, Mumbai
The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.
IK
Inspector K. Joshi
Cyber Cell · Maharashtra Police · Mumbai
Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.
VI
Vivek Iyer
DevSecOps Lead · Healthcare SaaS · Hyderabad
Read all 612 reviews on Google →
FAQ

Things compliance leads ask before signing.

No. The MII tier is the apex tier — stricter controls than Qualified REs, with availability, capacity-testing and cross-MII obligations layered on top.
Other audit engagements

Cybersecurity Audit Services

An honest mirror to your security posture.

Learn more

Compliance & Regulatory Audits

Compliance, simplified.

Learn more

Cybersecurity Risk Assessment

Know what to fix first. With math.

Learn more
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements
Human verification· Cloudflare Turnstile

By submitting this form you agree to be contacted by Macksofy. We typically respond within a few business hours and never share your details. Protected by Cloudflare Turnstile and rate limiting.