If you are a bank that owns an AMC, a broker-dealer that runs a payments subsidiary, or an NBFC moving into custodial services, you are sitting on two of India's strictest cyber regulations at the same time — RBI's Cyber Security Framework and SEBI's CSCRF. They overlap, they conflict in places, and getting the demarcation wrong is what triggers ₹1-25 crore monetary penalties at the next inspection. This guide draws the line between them for 2026.
RBI Cyber Security Framework (CSF)
- Regulator: Reserve Bank of India
- Applies to: Scheduled commercial banks, UCBs, NBFCs, payment system operators, ARCs
- Baseline + graded controls based on inherent risk score
- Mandatory Board-approved cyber security policy + CISO
- Annual VAPT + cyber crisis drills + 24x7 SOC for SCBs
- Penalty exposure: up to ₹1 crore per contravention (BR Act / PSS Act)
SEBI Cyber Security and Cyber Resilience Framework (CSCRF)
- Regulator: Securities and Exchange Board of India
- Applies to: Stock exchanges, depositories, clearing corporations, AMCs, stockbrokers, KRAs, RTAs
- Five functional pillars (Govern/Identify/Protect/Detect/Respond/Recover) aligned to NIST CSF 2.0
- Mandatory M-SOC (Market SOC) integration for MIIs
- Annual third-party cyber audit + half-yearly VAPT + DR drills
- Penalty exposure: up to ₹25 crore or three times the profit made, under SEBI Act s.15HB
Where each framework actually applies
The simple rule is regulator-of-record. If your principal business licence is granted by RBI (banking, NBFC, payment systems, prepaid instruments), RBI CSF is your primary framework. If your business is securities-side (broking, depository participation, asset management, investment advisory), SEBI CSCRF governs. Dual-licence entities — a bank-owned AMC, a broker subsidiary of a bank, a fintech holding both an NBFC and a stockbroker licence — must comply with both at the entity level holding each licence, which in practice means two CISOs (or a Group CISO with two reporting lines), two audit calendars and two incident reporting flows.
Clause-by-clause: where they overlap, where they diverge
| Control area | RBI CSF requirement | SEBI CSCRF requirement | Practical overlap? |
|---|---|---|---|
| Board-approved cyber policy | Mandatory, annual review | Mandatory, annual review | Yes — one document with dual-regulator annex usually works |
| CISO appointment | Required, reports to MD/CEO | Required, reports to MD/CEO + Board IT Committee | Partial — reporting lines differ |
| SOC | 24x7 for SCBs; risk-based for others | M-SOC integration mandatory for MIIs and Qualified REs | No — M-SOC feed is SEBI-specific |
| VAPT | Annual + on material change | Half-yearly for Qualified REs; annual for others | Frequency differs — pick the stricter |
| Incident reporting | RBI within 2-6 hours via CSITE portal | SEBI within 6 hours via SCORES + M-SOC | No — two parallel filings |
| DR / BCP testing | Annual unannounced + announced | Two unannounced drills/year for MIIs | Yes — can be co-scheduled |
| Data localisation | Payment data must reside in India (RBI 2018 circular) | Securities transaction data — India-resident (CSCRF 2024) | Yes — overlapping localisation |
| Third-party / outsourcing | RBI 2023 outsourcing master direction | SEBI Sep 2023 outsourcing of activities circular | Partial — both require but with different annexures |
| Cyber audit firm empanelment | CERT-In empanelled VAPT vendor | CERT-In empanelled + SEBI-recognised System Auditor | No — SEBI list is stricter |
Control mapping between RBI CSF and SEBI CSCRF (2026)
The dual-regulated entity problem
Take a typical case: a private bank that owns a 100% AMC subsidiary and a 75% broker-dealer subsidiary. The bank itself is RBI-regulated. The AMC and the broker fall under SEBI. The shared technology — ITSM, Active Directory, identity, SIEM, the data centre, even some banking apps used by the broker's RMs — needs to satisfy both. In practice this means:
- Separate logical segmentation for SEBI-regulated workloads, with documented data-flow diagrams shared with both regulators
- Two distinct incident classification trees so the same event can be filed to RBI CSITE and SEBI/M-SOC simultaneously without contradictions
- A cross-regulator audit calendar — typically RBI ISE / IT Examination in Q1, SEBI System Audit in Q3, with annual VAPT in Q2 satisfying both
- A 'demarcation policy' approved by both Boards explaining which controls apply to which legal entity
- Cyber insurance with explicit SEBI Section 15HB and RBI Section 47A penalty cover (most standard policies exclude regulatory fines — read the fine print)
Which inspection comes harder?
RBI's IT Examination (ISE 2.0) is broad, paperwork-heavy and depends on the inspecting officer's depth. Findings tend to focus on policy, governance and process maturity, with technical findings driven by IS audit reports. SEBI's System Audit, by contrast, is narrower but deeper — auditors are expected to walk specific transaction flows, sample logs and challenge the M-SOC feed integrity. Most dual-regulated CISOs we work with say SEBI is the harder cyber audit; RBI is the harder governance audit.
Incident reporting: the most common pitfall
| Trigger | RBI window | SEBI window | CERT-In window |
|---|---|---|---|
| Ransomware on shared infra | 2-6 hours (CSITE) | 6 hours (SCORES + M-SOC) | 6 hours (CERT-In 2022 directions) |
| DDoS on customer portal | Within 6 hours | Within 6 hours if trading impacted | Within 6 hours |
| Data breach (PII / customer data) | Within 2 hours for systemic banks | Within 6 hours + DPDP Board within 72h | Within 6 hours |
| Insider fraud with cyber element | Suspicious Transaction Report + cyber incident report | Cyber incident + Sec 11C suspicious activity | Optional unless systemic |
Three parallel reporting pipes — operationalise them before the incident, not during
UAE angle for cross-border BFSI
Indian banks operating DIFC/ADGM branches, or Indian brokers with DFSA-licensed subsidiaries in Dubai, layer DFSA's Cybersecurity Rulebook (CYB) and the UAE Information Assurance Standards (IAS) on top. The good news: NIST CSF 2.0 alignment means SEBI CSCRF maps cleanly to DFSA CYB. The bad news: data localisation in India (RBI/SEBI) and data residency in UAE (DIFC DP Law 2020) sometimes pull in opposite directions for the same data set. Plan dual-residency architecture, not single.
Decision tree
- Single RBI licence (bank / NBFC / PSO) → RBI CSF only, refresh annually
- Single SEBI licence (broker / AMC / depository participant) → SEBI CSCRF only, plus CERT-In direction
- Both licences in the same legal entity (rare) → unified policy with two annexures, two reporting lines
- Group with separate licensed subsidiaries → Group CISO + entity-level compliance officers, single CFL, parallel filings
- Cross-border (India + UAE) → add DFSA CYB / UAE IAS mapping to CFL, dual-residency data plan
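The two operational points above that bite hardest in practice are the decision tree (which licence pulls in which framework) and the parallel reporting pipes (one event, several filings, no contradictions between them). The following is an added example, not code from the original article or from Macksofy, showing how a dual-regulated group can drive every filing from one canonical incident record. The reporting windows are the ones stated in the table above (where the page gives a range, such as RBI's 2-6 hours, the stricter bound is used); the licence-to-framework mapping follows the decision tree; the entity names, incident identifier and the portal labels (`RBI_CSITE`, `SEBI_SCORES_MSOC`, `CERT_IN`, `DPDP_BOARD`) are constructed labels for this illustration, not real submission endpoints.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Reporting windows in hours after detection, as the article's incident table
# states them. Where the page gives a range (RBI 2-6 h) the stricter bound is
# used so that no filing is planned against the looser end. Constructed labels.
WINDOWS_HOURS = {
    "RBI_CSITE": 2,
    "SEBI_SCORES_MSOC": 6,
    "CERT_IN": 6,
    "DPDP_BOARD": 72,
}

# Regulator-of-record by licence type (the article's decision tree).
RBI_LICENCES = {"bank", "nbfc", "pso"}
SEBI_LICENCES = {"broker", "amc", "depository_participant"}


@dataclass(frozen=True)
class Entity:
    name: str
    licences: frozenset


@dataclass(frozen=True)
class Incident:
    """One canonical record; every regulator filing is derived from it."""
    incident_id: str
    detected_at: datetime
    category: str                 # "ransomware", "ddos" or "data_breach"
    affected_entities: tuple      # legal entities whose systems were hit
    trading_impacted: bool = False
    personal_data_involved: bool = False


@dataclass
class Filing:
    regulator: str
    entity: str
    due_by: datetime
    filed_at: Optional[datetime] = None


def frameworks_for(entity: Entity) -> Set[str]:
    """Primary frameworks an entity answers to, derived from its licences."""
    frameworks = set()
    if entity.licences & RBI_LICENCES:
        frameworks.add("RBI")
    if entity.licences & SEBI_LICENCES:
        frameworks.add("SEBI")
    return frameworks


def required_filings(incident: Incident, entities: Dict[str, Entity]) -> List[Filing]:
    """Expand one incident into the parallel filings the article describes."""
    def due(regulator: str) -> datetime:
        return incident.detected_at + timedelta(hours=WINDOWS_HOURS[regulator])

    filings: List[Filing] = []
    for name in incident.affected_entities:
        frameworks = frameworks_for(entities[name])
        if "RBI" in frameworks:
            filings.append(Filing("RBI_CSITE", name, due("RBI_CSITE")))
        # Per the table, a DDoS on a portal is a SEBI filing only when trading
        # is impacted; ransomware and data breaches always are.
        if "SEBI" in frameworks and (incident.category != "ddos" or incident.trading_impacted):
            filings.append(Filing("SEBI_SCORES_MSOC", name, due("SEBI_SCORES_MSOC")))
    # CERT-In is filed once for the affected group, not per licensed entity.
    filings.append(Filing("CERT_IN", "group", due("CERT_IN")))
    if incident.personal_data_involved:
        filings.append(Filing("DPDP_BOARD", "group", due("DPDP_BOARD")))
    return filings


CANONICAL_FIELDS = ("incident_id", "detected_at", "category")


def build_payload(incident: Incident, filing: Filing) -> dict:
    """Regulator-specific filing body whose canonical fields are copied from
    the single incident record, so parallel filings cannot drift apart."""
    return {
        "regulator": filing.regulator,
        "entity": filing.entity,
        "incident_id": incident.incident_id,
        "detected_at": incident.detected_at.isoformat(),
        "category": incident.category,
        "due_by": filing.due_by.isoformat(),
    }


def contradictions(payloads: List[dict]) -> List[str]:
    """Name every canonical field that differs between parallel filings."""
    return [key for key in CANONICAL_FIELDS if len({p[key] for p in payloads}) > 1]


def earliest_deadline(filings: List[Filing]) -> datetime:
    """The clock the response team actually runs against: the strictest window."""
    return min(f.due_by for f in filings)


def overdue(filings: List[Filing], now: datetime) -> List[str]:
    """Regulator:entity pairs whose window has closed with no recorded filing."""
    return [f"{f.regulator}:{f.entity}" for f in filings if f.filed_at is None and now > f.due_by]


# Constructed group matching the article's worked case: a bank with an AMC
# and a broker subsidiary sharing infrastructure.
ENTITIES = {
    "bank": Entity("bank", frozenset({"bank", "pso"})),
    "amc": Entity("amc", frozenset({"amc"})),
    "broker": Entity("broker", frozenset({"broker", "depository_participant"})),
}


def sample_incident(category: str, trading_impacted: bool = False,
                    personal_data_involved: bool = False) -> Incident:
    """Constructed incident on the shared infrastructure, detected at 09:00 UTC."""
    return Incident("INC-0001", datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc),
                    category, ("bank", "amc", "broker"), trading_impacted, personal_data_involved)


if __name__ == "__main__":
    filings = required_filings(sample_incident("ransomware"), ENTITIES)
    for f in filings:
        print(f.regulator, f.entity, f.due_by.isoformat())
    print("first deadline:", earliest_deadline(filings).isoformat())
```

The design choice worth copying is that the filing payloads are derived from one frozen record rather than typed up separately by two compliance teams: `contradictions()` then becomes a mechanical pre-submission check, and `earliest_deadline()` gives the single clock the response team works to when three windows run in parallel.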
Macksofy's RBI CSF and SEBI CSCRF readiness programme is one of several hands-on tracks Macksofy delivers across India and the UAE. CERT-In empanelled, OffSec/EC-Council authorised, with weekend cohorts and corporate batches.
