SEBI’s CSCRF: What it Means for Your Password Security
India’s securities market has a new set of rules, and if you work in financial services, there’s a good chance they apply to you. SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF), issued in August 2024, sets uniform cybersecurity and resilience standards for SEBI-regulated entities. It replaces a patchwork of previous circulars and guidelines with one consolidated framework.
Who needs to comply?
The CSCRF applies to a wide range of SEBI-regulated entities (REs), including:
- Market Infrastructure Institutions (Stock Exchanges, Depositories, Clearing Corporations)
- Stock brokers and trading members
- Fund-management entities such as Asset Managers, Mutual Funds, and Portfolio Managers
- Other intermediaries including Custodians, KYC Registration Agencies (KRAs), Registrar and Share Transfer Agents (RTAs), and Credit Rating Agencies (CRAs)
In short: if you’re operating in India’s securities market in any meaningful capacity, this framework likely covers you.
Why does it matter?
SEBI is actively enforcing this framework, and the penalties are real. After a 2025 inspection, Anand Rathi Share and Stock Brokers was fined ₹10 lakh when inspectors found weak password controls, gaps in multi-factor authentication, and a failure to report a cyber incident within the required six-hour window. The violations were discovered during a routine thematic inspection, not following a major breach. That’s worth noting: SEBI doesn’t need to wait for something to go wrong to act.
Beyond fines, non-compliance brings enhanced supervision, formal inquiries, reputational damage, and operational risk. SEBI has previously taken action for systemic IT and disaster recovery failures, so this isn’t a framework that gets filed away and forgotten.
What the CSCRF says about passwords
The CSCRF dedicates specific attention to password and authentication controls under principle 3.1.PR.AA (Identity Management, Authentication & Access Control). The requirements for internet-facing customer applications handling sensitive data are clear:
- Enforce a sensible minimum password length
- Allow long passphrases without overly strict character rules
- Educate customers on strong passphrase practices
- Do not enforce frequent, arbitrary password changes
- Focus instead on strong MFA and passphrase education
- Periodically remind users to update passwords, MFA credentials, and out-of-band recovery information
There’s also a requirement under 3.3.PR.DS (Data Security) that passwords and PINs must never be stored in plain text: they must be one-way hashed using strong functions such as bcrypt or PBKDF2.
Building a compliant password policy
So what does a CSCRF-compliant password policy actually look like in practice? Based on the framework requirements, we recommend the following baseline configuration:
| Setting | Recommended Value |
|---|---|
| Minimum password length | 15 characters |
| Passphrase support | Required |
| Password history | Minimum 5 |
| Password expiry | Never expires, with continuous breach protection |
The passphrase requirement is worth highlighting. Passphrases: think three random, unconnected words. This tends to be both more secure and easier for users to remember than short, complex passwords. Specops Password Policy supports passphrase creation natively, blocks repeated words and patterns, and gives users real-time feedback during the password change process through dynamic rules.
On the topic of expiry: the CSCRF actively discourages forcing frequent password changes. The more practical approach is to drop the expiry timer entirely and instead continuously check passwords against a constantly updated breached password database. If a password turns up in a breach, you remediate it rather than waiting for an arbitrary cycle to force a reset that may or may not address the actual risk.
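As an added illustration (this is example code written for this page, not Specops Password Policy code and not text from the framework), the following Python turns the 3.1.PR.AA password requirements, the 3.3.PR.DS hashing rule and the baseline table above into one small validator and password store: a 15-character minimum with no character-class rules so plain passphrases pass, a repeated-word check, a five-deep history, a breach-list check in place of an expiry timer, and PBKDF2-HMAC-SHA256 with a random per-user salt for storage. The breach list, the sample passphrases and the iteration count are constructed assumptions, not values from the page.

```python
import hashlib
import hmac
import os

# Baseline values from the article's recommended configuration.
MIN_LENGTH = 15
HISTORY_DEPTH = 5
# Assumption: work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000

# Constructed sample breach list (hypothetical entries). Only digests are kept so no
# plaintext password sits in the service; a real deployment would consult a
# continuously updated breached-password feed, as the article describes.
_BREACHED = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("correct horse battery staple", "Password123456!", "welcome to the company")
}


def hash_password(password: str, salt: bytes = b"") -> str:
    """One-way hash with PBKDF2-HMAC-SHA256 and a fresh random salt per call.
    Returns a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_breached(password: str) -> bool:
    """Breach check replaces the expiry timer: a password is remediated when it
    turns up in breach data, not on an arbitrary calendar cycle."""
    return hashlib.sha256(password.encode()).hexdigest() in _BREACHED


def has_repeated_words(password: str) -> bool:
    words = password.lower().split()
    return len(words) != len(set(words))


def check_new_password(password: str, history: list) -> list:
    """Return the policy violations for a proposed password (empty list = accepted).
    `history` holds the user's previous hash records, newest last.
    Deliberately no uppercase/digit/symbol rules: a long passphrase of plain words passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if has_repeated_words(password):
        problems.append("repeats a word")
    if is_breached(password):
        problems.append("appears in breach data")
    # Each stored record carries its own salt, so the candidate is re-derived per entry.
    if any(verify_password(password, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    record = hash_password("lantern velvet orchard")  # constructed sample passphrase
    print(check_new_password("lantern velvet orchard", [record]))
    print(check_new_password("correct horse battery staple", []))
```

PBKDF2 is used here because it ships in the Python standard library; bcrypt, which the framework also names, needs a third-party package but slots into the same `hash_password`/`verify_password` pair. Keeping the iteration count inside each stored record lets you raise the work factor later and re-hash users on their next successful login.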
Account lockout and brute-force protection
Two more requirements are worth calling out. After repeated failed login attempts, accounts must be locked and unlocked only through a secure out-of-band method, not just a simple password reset link. Specops uReset can handle this, offering multiple secure verification options (e.g. OTPs & biometrics) for authentication resets, with the ability to score different methods and steer users toward the most secure ones.
On the brute-force side, the CSCRF also requires logging of both successful and failed logins, and the use of CAPTCHAs or rate-limiting to prevent enumeration attacks. Specops uReset supports CAPTCHAs, geo-blocking, and IP range blocking to further limit exposure on the self-service password reset surface.
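The lockout, logging and rate-limiting requirements from the two paragraphs above, as an added Python example (not uReset code and not part of the original post): a small login guard that logs every success and failure, locks an account after a threshold of failures, refuses further attempts until an out-of-band verification has succeeded, and applies a sliding-window rate limit per source address. The threshold, window and limit values are assumptions chosen for the example, and the credential check is injected so the guard is independent of the password store.

```python
import logging
import time
from collections import deque
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5        # assumption: failed attempts before the account locks
RATE_LIMIT_WINDOW_S = 60.0   # assumption: sliding window for per-source rate limiting
RATE_LIMIT_MAX = 10          # assumption: attempts allowed per source in one window

log = logging.getLogger("auth")


@dataclass
class Account:
    username: str
    failed_attempts: int = 0
    locked: bool = False


class LoginGuard:
    """Tracks failures per account and attempt volume per source address.
    `check_credentials(username, password) -> bool` is supplied by the caller;
    `clock` is injectable so the rate limiter can be tested without sleeping."""

    def __init__(self, check_credentials, clock=time.monotonic):
        self._check = check_credentials
        self._clock = clock
        self._accounts = {}
        self._by_source = {}

    def _rate_limited(self, source: str) -> bool:
        now = self._clock()
        window = self._by_source.setdefault(source, deque())
        while window and now - window[0] > RATE_LIMIT_WINDOW_S:
            window.popleft()
        window.append(now)
        return len(window) > RATE_LIMIT_MAX

    def login(self, username: str, password: str, source: str) -> str:
        """Internal outcome: 'ok', 'rate_limited', 'locked' or 'failed'.
        Unknown usernames are tracked exactly like real ones, so the failure path
        costs the same and the user-facing message can stay generic (no enumeration)."""
        if self._rate_limited(source):
            log.warning("login rate-limited user=%s source=%s", username, source)
            return "rate_limited"
        acct = self._accounts.setdefault(username, Account(username))
        if acct.locked:
            log.warning("login attempt on locked account user=%s source=%s", username, source)
            return "locked"
        if self._check(username, password):
            acct.failed_attempts = 0
            log.info("login success user=%s source=%s", username, source)
            return "ok"
        acct.failed_attempts += 1
        log.warning("login failure user=%s source=%s attempt=%d",
                    username, source, acct.failed_attempts)
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            log.error("account locked user=%s after %d failures", username, acct.failed_attempts)
        return "failed"

    def unlock_after_oob_verification(self, username: str, verified: bool) -> bool:
        """Unlock only when an out-of-band check (OTP to a registered device, biometric,
        etc.) has succeeded; a plain reset link is not sufficient under the framework."""
        acct = self._accounts.get(username)
        if acct is None or not verified:
            return False
        acct.locked = False
        acct.failed_attempts = 0
        log.info("account unlocked after out-of-band verification user=%s", username)
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    users = {"alice": "lantern velvet orchard"}  # constructed sample credential store
    guard = LoginGuard(lambda u, p: users.get(u) == p)
    for _ in range(LOCKOUT_THRESHOLD):
        guard.login("alice", "wrong", "10.0.0.1")
    print(guard.login("alice", "lantern velvet orchard", "10.0.0.1"))  # locked
    guard.unlock_after_oob_verification("alice", verified=True)
    print(guard.login("alice", "lantern velvet orchard", "10.0.0.1"))  # ok
```

The logger calls are where the CSCRF's "log both successful and failed logins" requirement is met; ship them to your SIEM rather than a local file so lockout bursts and rate-limit hits are visible to the team that has to report incidents within the six-hour window.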
Getting started
The CSCRF’s password-related requirements are addressable without a complete overhaul of your existing Active Directory infrastructure. To see how Specops Password Policy and uReset map to your specific setup, book a demo with an expert.
Last updated on April 1, 2026