Interlynk Expands SBOM Automation to Support CSCRF – SEBI’s Cybersecurity & Resilience Framework

Interlynk now supports SEBI’s CSCRF, enabling SBOM automation, third-party risk management, and continuous cybersecurity compliance for India’s financial institutions.

Interlynk Inc., a leader in SBOM (Software Bill of Materials) automation and vulnerability intelligence, today announced expanded support for the Securities and Exchange Board of India (SEBI) Cybersecurity and Cyber Resilience Framework (CSCRF).

As financial institutions and intermediaries operating under SEBI face heightened expectations around transparency, resilience, and rapid cyber-incident response, Interlynk’s platform enables seamless alignment with CSCRF’s structured requirements.

CSCRF: Cyber Resilience in India’s Financial Sector

SEBI’s CSCRF introduces a comprehensive set of technical, operational, and reporting requirements aimed at strengthening software supply-chain resilience.

CSCRF key mandates include:

• Complete inventory of IT assets and software components
  Including visibility into open-source and third-party software dependencies.
  
  
• Continuous monitoring and identification of vulnerabilities
  With timely remediation and tracking of risk exposure.
  
  
• Software change management and configuration governance
  Ensuring traceability and integrity of all deployed systems.
  
  
• Third-party and vendor risk oversight
  Including assurance of secure development and maintenance practices.
  
  
• Incident detection, response, and mandatory reporting
  With emphasis on rapid containment and recovery.
  
  
• Audit-ready cybersecurity documentation
  Covering governance, risk assessments, vulnerabilities, and system changes.
  
  

The CSCRF was issued by SEBI via circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024. The framework is to be implemented in a phased manner, with many sources indicating January 1, 2025 as the primary effective date for compliance obligations. SEBI subsequently extended the deadline for certain regulated entities, setting 31 August 2025 as the extended compliance deadline for many Regulated Entities (REs), while systemically important entities (such as Market Infrastructure Institutions) continue to adhere to the original timeline.

CSCRF: Audit & Reporting Requirements

Under CSCRF, regulated entities must undertake structured audit and reporting activities to demonstrate compliance:

• Cyber-audit obligation: Almost all REs (except those in “self-certification” category) must undergo formal cyber-audits conducted by auditors empanelled with Indian Computer Emergency Response Team (CERT‑In).
  
• Scope of audit: The audit must cover 100% of “critical systems” and at least a sample (e.g., 25%) of non-critical systems.
  
• Frequency:
  
  
  • Market Infrastructure Institutions (MIIs) and “Qualified REs” must typically undergo an audit twice per year.
    
  • Mid- and small-size REs may be audited at least once per year.
    
• Submission timelines: Audit reports and compliance certifications must be submitted to SEBI or appropriate authority within specified timelines post-audit.
  
• Auditor qualifications: Audits must be conducted by CERT-In empanelled auditing organisations, with independence from operational departments and prior consulting engagements.
  
• Consequences of non-compliance: Entities that fail to meet audit or reporting requirements risk regulatory action, reputational impact, and operational restrictions.

Interlynk Capabilities to meet CSCRF

Interlynk’s SBOM automation and vulnerability-intelligence platform now maps directly to CSCRF’s mandatory controls, enabling regulated entities to:

• Automatically generate and digitally sign SBOMs for every build
  Providing complete software inventory transparency required for asset identification and change management.
  
  
• Receive continuous, real-time vulnerability intelligence
  Supporting CSCRF’s requirements for early detection, tracking and timed remediation of risks.
  
  
• Manage third-party and open-source components with structured oversight
  Ensuring alignment with CSCRF’s vendor risk and dependency-governance expectations.
  
  
• Maintain versioned, immutable compliance records
  Delivering audit-ready evidence for cybersecurity governance and regulatory reporting.
  
  
• Monitor exposure and remediation timelines through unified dashboards
  Helping organizations demonstrate resilience, recovery capability, and adherence to mandated SLAs.
  
  
• Automate reporting workflows
  Supporting CSCRF’s structured reporting expectations with machine-readable output formats aligned to regulatory review.
  
  

“Financial institutions and market intermediaries regulated by SEBI are under increasing pressure to demonstrate real-time monitoring, software component transparency, and rapid incident response,” said Surendra Pathak, Co-Founder & CEO of Interlynk. “Our SBOM automation platform is built for exactly this: it gives organizations a machine-readable, signed SBOM, continuous vulnerability intelligence, and an audit-ready compliance trail – now with explicit support for CSCRF’s mandatory services and reporting formats.”

Interlynk Tools are the Choice of SBOM Community

Interlynk’s tools and platform – free for developers and early-stage teams – has seen rapid organic adoption, with over 200 companies and more than 6,000 developers using the platform to generate SBOMs, analyze dependency risks, and build foundational software-transparency practices. This broad adoption demonstrates both the accessibility of Interlynk’s tooling and the growing industry demand for automated supply-chain security across regulated sectors.

Modern Software Transparency for Indian Financial Sector

India’s financial sector is undergoing rapid digital transformation, relying on increasingly complex stacks of custom, open-source, and third-party software components. CSCRF sets a new benchmark for operational resilience, requiring organizations to anticipate, withstand, respond to, and recover from cyber-incidents.

By embedding SBOM-driven automation and continuous monitoring into their software-supply-chain workflows, Interlynk enables regulated entities to reduce systemic risk while ensuring ongoing compliance with CSCRF’s cybersecurity and resilience mandates.

---

About Interlynk

Interlynk offers a SaaS cybersecurity, SBOM automation, and third-party risk-management platform designed for software-enabled products in regulated industries. Its real-time visibility and continuous compliance workflows support adherence to FDA cybersecurity regulations, DORA, NIS2, the Cyber Resilience Act (CRA), and now India’s SEBI Cybersecurity and Cyber Resilience Framework (CSCRF), along with other global regulations.