Date of Issue: 10-06-2026
Highlights of the Circular:
DPs are advised to refer to SEBI circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 and CDSL communique no. CDSL/OPS/DP/POLCY/2024/468 dated August 21, 2024 on ‘Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)’, and to the subsequent clarification circulars issued by SEBI dated December 31, 2024, March 28, 2025, April 30, 2025 and August 28, 2025, and the Frequently Asked Questions (FAQ) dated June 11, 2025.
As per point no. 4.3.2 of the CSCRF circular dated August 20, 2024, REs / Depository Participants shall plan their VAPT activity at the beginning of the financial year. REs / Depository Participants shall ensure that no audit cycle is left unaudited due to a change in categorization. In all such cases, the unaudited period shall be included in the upcoming/next audit cycle.
For the implementation of the CSCRF guidelines on VAPT audit, the following timelines have been prescribed in consultation with SEBI for the conduct and submission of the VAPT Report by Depository Participants falling under Self-certification REs, Small-size REs, Mid-size REs and Qualified REs (not categorized as QSBs).
REs / Depository Participants should note that the modified timelines mentioned above for the conduct of VAPT and closure of vulnerabilities, along with approval by the IT Committee, are as per point no. 4.3.4 (Page No. 49) of the CSCRF, which states that “any open vulnerabilities after 3 months of VAPT activity shall be approved by IT Committee for REs and shall be closed before start of next VAPT exercise”.
The comprehensive scope of VAPT shall include all critical assets and infrastructure components, including (but not limited to) networking systems, security devices, servers, databases, storage systems, applications, cloud deployments, systems accessible through WAN and LAN as well as those with public IPs, websites, etc. The detailed scope of VAPT and the testing methodologies for the conduct of VAPT activity (half-yearly/yearly) shall be in accordance with Annexure – L of the SEBI CSCRF circular dated August 20, 2024, which is enclosed as Annexure–1.
The updated formats of the VAPT Audit Report/Summary, the Declaration from REs and the Auditor, and the Assessment Details, in accordance with the SEBI CSCRF, have been enclosed as Annexure–2. Further, as per SEBI Circular no. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119 dated August 28, 2025 on Technical Clarifications to CSCRF for SEBI Regulated Entities (REs), REs shall NOT submit details of explicit vulnerabilities (the detailed report) unless the details are specifically asked for by SEBI/Depositories.