Conducting Third-Party Risk Assessments as per SEBI CSCRF requirements


Most regulated entities (REs) rely on external partners. They handle hosting, application development, cloud services and support. These connections help operations run smoothly, but they also introduce significant cyber risk.

SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) recognises this reality. It sets clear, practical expectations for third-party risk assessment to strengthen resilience across the ecosystem.

Look at these recent real-world examples:

  • In June 2025, procurement vendor Chain IQ Group AG was hacked, and data belonging to at least 19 of its clients was exposed.
  • In July 2025, Allianz Life Insurance Company of North America reported a breach via a third-party cloud system that compromised personal data of the majority of its 1.4 million customers.

These incidents highlight the risk of vendor relationships and the importance of structured assessments, contracts and monitoring. This shows that you can outsource services, but you cannot outsource responsibility. This guide helps you build a third-party risk assessment process that follows CSCRF rules and protects your organisation.


Understanding the core third-party risk requirements

CSCRF expects REs to manage vendor risk with discipline. The depth of the approach varies with the RE’s category, but the responsibility remains the same.

Key rules include:

  • Mid-size REs must conduct detailed Third-Party Due Diligence.
  • All REs must review systems managed by third parties annually.
  • All vulnerabilities found through VAPT must be fixed within three months, even if the vendor owns the system.
  • REs remain accountable for confidentiality, integrity and availability at all times.

These rules help organisations stay in control, even when systems or services sit outside their environment.

Requirements for due diligence and agreements

Due diligence is a central part of third-party risk assessment. It ensures vendors follow security standards that match or exceed your own.

1. Mid-size REs

Due diligence and formal vendor agreements are mandatory. These agreements must include:

  • Security standards the vendor must follow
  • Controls for managing data, logs and access
  • Timelines for VAPT finding closures
  • Rights to audit vendor systems
  • Reporting expectations for incidents

2. Self-certified and small-size REs

Due diligence is not mandatory. But many still perform basic checks to reduce risk.

Supply chain risk management

CSCRF expects every RE to maintain a structured cybersecurity supply chain risk strategy. It must include:

  • Vendor criticality assessment
  • Security evaluation based on the service’s risk
  • Contractual controls
  • Periodic monitoring and revalidation

This ensures third-party ecosystems remain aligned with business and regulatory expectations.

Accountability and oversight

CSCRF leaves no ambiguity: the RE remains fully responsible, even when the vendor hosts the data and even when the provider manages the infrastructure.

This means the RE is accountable for:

  • Data confidentiality
  • System integrity
  • Service availability
  • Regulatory compliance
  • Log security and access
  • Evidence for audits

If a third-party error creates a violation, the RE answers to SEBI. This rule pushes organisations to build stronger governance and tighter controls over vendors and partners.

Annual review of systems managed by vendors

Every RE category must conduct an annual review of systems managed by third-party service providers. This includes:

  • Reviewing access logs
  • Checking compliance with contract terms
  • Ensuring data handling matches policy
  • Validating VAPT closure timelines
  • Running security checks on hosted systems
  • Confirming operational performance

We encourage REs to create a structured checklist for this annual process. It helps teams stay consistent and avoids missing critical areas.

Requirements for cloud and outsourced critical systems

Cloud Service Providers and other hosting partners come with higher expectations. CSCRF sets very specific rules because these services often house critical systems.

1. ISO 27001 certification

Any provider that hosts critical facilities such as the following must be ISO 27001 certified:

  • PDC (primary data centre)
  • DR (disaster recovery site)
  • NDR (near-DR site)
  • SOC (security operations centre)
  • Colocation

2. Patch and vulnerability responsibilities

Your contract must make patch responsibilities clear. The vendor and the RE must know:

  • Who applies patches
  • Who tests patches
  • Who verifies stability before release

3. Source code and escrow requirements

If a vendor builds a critical system for you:

  • You must obtain the source code, or
  • Maintain a source code escrow arrangement

This ensures you can still update or maintain the system even if the vendor relationship ends.

4. Audit rights and visibility

Your contract must allow:

  • System audits
  • Cybersecurity audits
  • Access to dashboards
  • Access to logs
  • Sharing of audit reports with SEBI if needed

CSPs must also extend these audit obligations to material subcontractors.

How to structure Third-Party Risk Assessment under CSCRF

Here is a practical structure that works across RE categories:


1. Identify all vendors and their criticality

Start with a simple inventory. List every vendor. Mark systems they support. Identify who handles critical services and who handles non-critical ones.

2. Review contractual obligations

Ensure every contract includes:

  • Security responsibilities
  • Audit rights
  • Roles and access
  • Incident reporting timelines
  • VAPT closure timelines

3. Conduct due diligence (mandatory for mid-size)

Evaluate the vendor’s:

  • Certifications
  • Security posture
  • Infrastructure
  • Access models
  • Policies
  • Incident history

4. Evaluate controls and risks

Check how the vendor protects:

  • Data
  • Systems
  • Logs
  • Backups
  • User access

This helps you spot gaps early.

5. Assess cloud-specific risks when applicable

Cloud vendors require extra attention. Use CSCRF guidelines to check:

  • Multi-tenancy risks
  • Isolation
  • Patch flows
  • Log availability
  • Backup rules
  • Disaster recovery

6. Track remediation of vulnerabilities

All vulnerabilities must be closed within three months. This timeline is non-negotiable. Many REs add this requirement directly into the SLA.

7. Maintain audit trails and documentation

Clear documentation supports compliance and reduces friction during audits.
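The seven steps above and the annual-review section describe checks that can be run over a central vendor register. The following is an added example in Python, not code from the original article: it approximates the three-month VAPT closure rule as 90 days (an assumption), and the Vendor fields and the sample vendors are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

CLOSURE_DAYS = 90   # "three months" approximated as 90 days (assumption)
REVIEW_DAYS = 365   # annual review of vendor-managed systems

@dataclass
class Vendor:
    name: str
    critical: bool                            # supports a critical system (step 1)
    hosts_critical_facility: bool = False     # PDC / DR / NDR / SOC / colocation
    iso27001: bool = False
    builds_critical_system: bool = False
    source_or_escrow: bool = False
    last_review: date | None = None           # last annual review of its systems
    open_findings: dict[str, date] = field(default_factory=dict)  # id -> reported
    sla_days: int | None = None               # contractual closure timeline, if any

def closure_deadline(reported: date, sla_days: int | None = None) -> date:
    """Closure deadline: the three-month rule, or the SLA where it is stricter."""
    days = CLOSURE_DAYS if sla_days is None else min(sla_days, CLOSURE_DAYS)
    return reported + timedelta(days=days)

def assess(v: Vendor, today: date) -> list[str]:
    """Return the CSCRF gaps found for one vendor in the register."""
    gaps = []
    if v.hosts_critical_facility and not v.iso27001:
        gaps.append("critical hosting without ISO 27001 certification")
    if v.builds_critical_system and not v.source_or_escrow:
        gaps.append("vendor-built critical system with no source code or escrow")
    if v.last_review is None or (today - v.last_review).days > REVIEW_DAYS:
        gaps.append("annual review of vendor-managed systems overdue")
    for fid, reported in sorted(v.open_findings.items()):
        deadline = closure_deadline(reported, v.sla_days)
        if today > deadline:
            gaps.append(f"VAPT finding {fid} open past deadline {deadline.isoformat()}")
    return gaps

def register_report(register: list[Vendor], today: date) -> dict[str, list[str]]:
    """Critical vendors first, so escalation order follows criticality."""
    ordered = sorted(register, key=lambda v: (not v.critical, v.name))
    return {v.name: assess(v, today) for v in ordered}

# Constructed sample register (not real vendors) for a review dated 2025-11-20
TODAY = date(2025, 11, 20)
SAMPLE_REGISTER = [
    Vendor("helpdesk-support", critical=False, last_review=date(2024, 10, 1),
           open_findings={"F-2": date(2025, 10, 15)}),
    Vendor("cloud-host", critical=True, hosts_critical_facility=True, iso27001=False,
           last_review=date(2025, 1, 10), open_findings={"F-1": date(2025, 7, 1)}),
]

if __name__ == "__main__":
    for name, gaps in register_report(SAMPLE_REGISTER, TODAY).items():
        print(name, gaps or ["no gaps"])
```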

Tips to improve third-party oversight

From our experience, small changes often make the biggest impact.

  • Use a central register for vendor risks.
  • Review contract terms before renewing any service.
  • Create a simple escalation matrix for vendor-related incidents.
  • Hold quarterly meetings with critical vendors.
  • Request security updates from them at regular intervals.
  • Track access of vendor personnel to your systems.

These steps build strong, confident oversight without adding heavy workloads.

Conclusion

Third-party risk sits at the heart of modern cybersecurity. SEBI’s CSCRF recognises this and provides clear rules to help organisations stay protected. A structured third-party risk assessment helps you remain in control. It supports compliance, and it strengthens your resilience even when services move outside your environment.

We’ve helped many REs create vendor management frameworks that match CSCRF expectations. We work with teams to simplify contracts, design due diligence steps and improve review cycles.

If you want support building a SEBI CSCRF-aligned third-party risk framework, our team is ready to assist. We can help you bring clarity, confidence and consistency to vendor oversight.

Third-party risk assessment under SEBI CSCRF FAQs

Does CSCRF require vendors to match our security standards?

Yes. Under SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF), vendors are required to maintain the same or a higher level of security controls as the Regulated Entity (RE). This ensures there are no weak links in your extended security ecosystem, especially when critical functions or data are managed by third parties.

Do cloud providers need to be ISO certified?

Yes. Any Cloud Service Provider (CSP) hosting critical systems or sensitive data must be ISO 27001 certified. This certification validates that the CSP follows globally recognized standards for information security management, risk assessment, and data protection practices in line with CSCRF compliance.

Are vendors responsible for VAPT closure?

Yes. All vendors must remediate VAPT (Vulnerability Assessment and Penetration Testing) findings within three months or within the timelines defined in your SLA. The RE should closely monitor closure status and obtain confirmation from vendors to ensure continuous compliance and cyber resilience.

Can REs shift responsibility to the vendor?

No. CSCRF explicitly states that the Regulated Entity (RE) retains full accountability for all outsourced or third-party functions. While vendors must comply with the framework and your internal security standards, the ultimate responsibility for compliance, oversight, and risk management lies with the RE.

Author
Krishnakant Mathuria

Krishnakant has more than 12 years of experience in the ICT domain. He has been part of building specialised teams and niche enterprises, driving growth and a performance culture across organisations.
