Zerodha cyber-security and the SEBI CSCRF framework for brokers

From WebNotes, a public knowledge base.

Zerodha is a SEBI-registered stock broker bound by the SEBI Cyber Security and Cyber Resilience Framework (CSCRF), issued by circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024, which sets cyber-security obligations on regulated entities around five resilience goals: anticipate, withstand, contain, recover, and evolve. The broker’s own posture (an in-house security team, external consultants, and a bug bounty programme) operates inside that regulatory floor rather than in place of it.

This article separates the two layers that determine how secure a Zerodha account is. The first is the regulatory layer: what SEBI requires of every broker through the CSCRF and the two-factor login mandate. The second is the broker layer: what Zerodha does on top of that floor, and where its protections end. It also draws the realistic boundary, what a framework can and cannot guarantee, so that an investor knows which risks the broker carries and which remain their own. For the steps an account holder controls, see how to secure your trading account; for the record of reported incidents, see Zerodha hack and security incidents.

Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from anything described here.

The SEBI CSCRF: the governing framework

The rulebook that binds Zerodha on cyber-security is the Cyber Security and Cyber Resilience Framework. SEBI issued it through circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 on 20 August 2024. Before it, SEBI had built cyber-security requirements piecemeal: a 2015 framework for market infrastructure institutions, then separate circulars extending similar requirements to stock brokers, depository participants, mutual funds, asset management companies, KYC registration agencies, registrars, share transfer agents, and portfolio managers. The CSCRF replaced that scattered set with one consolidated framework spanning a wider pool of regulated entities, so a broker like Zerodha now reads one rulebook rather than reconciling several.

The CSCRF is structured around five cyber-resilience goals: Anticipate, Withstand, Contain, Recover, and Evolve. The framing matters. It treats cyber-security not as a static checklist of controls but as a cycle: foresee threats before they land, keep critical operations running under attack, limit the spread when something gets through, restore service after an incident, and feed the lessons back into the design. For a broker, that means controls across access management, monitoring, incident response, audit, and recovery, not just a firewall at the perimeter.

Compliance ran on a phased timeline. SEBI set an initial deadline of 1 January 2025 for entities that already had a cyber-security framework, and 1 April 2025 for entities newly brought under the rules. Those dates were extended through follow-up circulars dated 31 December 2024, 28 March 2025, 30 April 2025, and 30 June 2025, as entities worked through implementation. The extensions changed the timing, not the obligations.

The two-factor login mandate

The most visible cyber-security control on a Zerodha account is the one an investor meets every morning: two-factor login. That is a separate, earlier SEBI mandate. Circular SEBI/HO/MIRSD/DOP/CIR/P/2018/147, dated 3 December 2018, required two-factor authentication for login to online trading accounts, with the second factor being a one-time password or biometric. After extensions, it came into force on 30 September 2022. SEBI required the second factor; it left the form to the broker. Zerodha implements it through the Kite app code, an external authenticator TOTP, and SMS OTP, and steers clients toward the TOTP options because they are computed offline from a shared secret and the clock, so they resist the SIM-swap and interception attacks that reach SMS. The framework sets the requirement; the broker’s choice of TOTP over SMS is where it goes beyond the floor.

Zerodha’s own security posture

On top of the regulatory floor, Zerodha runs its own security practice. The broker works with an in-house security team and external security consultants to keep its platforms secure, and it operates a bug bounty programme to surface vulnerabilities before attackers do. The programme rewards reports by the severity of their impact, decided case by case, paying more for unique, hard-to-find bugs and less for low-risk findings with complex prerequisites.

The programme runs on responsible disclosure with safe harbour. Researchers who follow the programme terms are granted legal protection, so a good-faith finding does not draw a lawsuit, and they commit in return to disclose privately and give Zerodha time to fix the issue before going public. Certain classes sit out of scope, including denial-of-service attacks, physical attacks on offices or data centres, third-party platforms outside Zerodha’s control, unconfirmed reports without a clear proof of concept, and social-engineering attacks such as spear-phishing. The structure, reward by severity plus safe harbour plus a defined scope, is the standard shape of a mature vulnerability-disclosure programme, and it is what you want a broker holding your funds and holdings to run.

What the framework protects, and what it does not

A framework binds the broker’s systems; it does not bind your behaviour, and that boundary is where most real-world account losses sit. The CSCRF and the bug bounty programme reduce the chance that Zerodha’s own infrastructure is breached. Neither stops a client who enters a live login code on a phishing page, shares an OTP with a vishing caller, or runs an unreviewed open-ended power of attorney that widens what a compromise can do. The broker’s strongest controls do not reach an attack that targets you rather than the platform.

There is also a structural protection that sits outside the broker’s systems entirely: your securities are held in your demat account with a depository, CDSL in Zerodha’s case, not on the broker’s books. A demat holding is recorded against your beneficial-owner identity at the depository, so it does not vanish with a broker-side event in the way a balance in a single company’s database might. That separation is part of why the broader question of whether the platform is safe, addressed in is Zerodha safe, turns as much on the market’s architecture as on any single broker’s code. The practical conclusion is that the framework, the broker’s posture, and the depository structure together raise the floor, while the account holder’s own login hygiene and monitoring, covered in how to secure your trading account, remain the deciding layer for the attacks that target individuals.

How this connects to investor protection more broadly

Cyber-security is one strand of SEBI’s investor-protection architecture, and it interlocks with the others. The SEBI investor charter and Zerodha investor charter set out the service standards and rights an investor can hold the broker to. When a security or service failure causes a dispute, the escalation runs through SEBI SCORES and the Smart ODR platform, mapped in the grievance escalation matrix. And the same regulator that mandates the CSCRF also mandates the risk disclosure at every Kite login, a different kind of protection aimed at conduct risk rather than cyber risk. The CSCRF is the piece that addresses the systems; the charter and grievance machinery address the relationship; the risk disclosure addresses the trading behaviour. An investor relying on Zerodha sits inside all three.

References

  1. SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, dated 20 August 2024, Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities.
  2. SEBI circular SEBI/HO/MIRSD/DOP/CIR/P/2018/147, dated 3 December 2018, on two-factor authentication for login to online trading accounts (in force from 30 September 2022 after extensions).
  3. SEBI follow-up circulars extending CSCRF compliance timelines, dated 31 December 2024, 28 March 2025, 30 April 2025, and 30 June 2025.
  4. Zerodha bug bounty programme terms (responsible disclosure, safe harbour, scope and reward structure), as of 20 June 2026.

Frequently asked questions

What cyber-security rules apply to Zerodha?
As a SEBI-registered stock broker, Zerodha is bound by the SEBI Cyber Security and Cyber Resilience Framework (CSCRF), issued by circular dated 20 August 2024. It consolidates the earlier broker cyber-security circulars and sets obligations across five goals: anticipate, withstand, contain, recover, evolve.
What is the SEBI CSCRF?
The Cyber Security and Cyber Resilience Framework is SEBI’s consolidated rulebook on cyber-security for its regulated entities, including stock brokers. Issued on 20 August 2024, it replaced the separate earlier circulars and built the requirements around five resilience goals.
Does Zerodha run a bug bounty programme?
Yes. Zerodha runs a bug bounty programme with safe-harbour responsible disclosure, working with an in-house security team and external security consultants. It rewards reported vulnerabilities by severity and asks researchers to disclose privately and allow time to fix.
Is my money and data safe with Zerodha?
Client funds and securities are protected by the broader market structure: securities sit in your demat account with a depository, and SEBI’s CSCRF binds the broker to cyber-security controls. No system is risk-free, so your own login hygiene and account monitoring still matter.
What are the five CSCRF resilience goals?
Anticipate, Withstand, Contain, Recover, and Evolve. They frame cyber-security as a cycle: foresee threats, keep operating under attack, limit the blast radius, restore service, and learn from incidents to improve, rather than a one-off checklist.
Was Zerodha ever hacked?
Zerodha has publicly addressed security incidents and the broader question of platform safety. The dedicated record of reported incidents and the broker’s responses is covered separately; client securities held with a depository sit outside the broker’s own systems.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.