India Compliance Framework
Wealthy’s consolidated regulatory controls register: IRDAI Cyber Security Guidelines 2024, SEBI CSCRF Aug 2024, CERT-In Directions 2022, and DPDP Act 2023.
Wealthy’s consolidated regulatory register. Lists every Indian regulation / circular / act that applies to Wealthy, plus a control-level register mapping each requirement onto an operational control.
Regulatory sources
Full list of regulations and circulars Wealthy operates under. Each new circular from a regulator lands here first; then, if it has operational controls, those controls are added to the register below.
| Short ID | Source | Issued | Applicability to Wealthy | Key obligations |
|---|---|---|---|---|
| IRDAI | IRDAI Cyber Security Guidelines 2024 | Updated 2024 | Corporate Agent / Insurance Intermediary under IRDAI Corporate Agents Regulations 2015 | ISRMC quarterly, CISO independent of IT, VAPT half-yearly, CERT-In-empaneled audit annual, Annexure-III submission, cryptographic asset inventory, immutable backup, MeitY/STQC-empaneled CSPs |
| SEBI CSCRF | SEBI Cyber Security and Cyber Resilience Framework – Master Circular | 20 Aug 2024 (ref SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113) | Broking / market entities | Six CSCRF functions, Annexure-N SOC Efficacy half-yearly, Annexure-E risk register, Annexure-F vendor register, Annexure-O incident classification, CCI tracking, privileged access weekly verification |
| SEBI Accessibility | SEBI Circular – Digital Accessibility for Persons with Disabilities | 31 Jul 2025 (ref SEBI/HO/ITD-1/ITD_VIAP/P/CIR/2025/111) | All SEBI-Regulated Entities including Intermediaries | Nodal Officer for digital accessibility, WCAG 2.1 / IS 17802 / GIGW conformance, annual IAAP-certified accessibility audit, grievance redressal, procurement clauses, annual compliance reporting |
| CERT-In | CERT-In Directions April 2022 | 28 Apr 2022 | All Indian service providers + intermediaries | 6-hour incident reporting, 180-day log retention, Indian NTP sync, designated PoC, 20 reportable incident categories |
| DPDP | Digital Personal Data Protection Act 2023 | 2023 (Rules notification awaited) | All Data Fiduciaries + Data Processors handling Indian personal data | Consent management, data principal rights, Grievance Officer, 72-hour breach notification, data processing register, cross-border controls |
| RPwD | Rights of Persons with Disabilities Act 2016 + Rules 2017 | 2016 (Act), 2017 (Rules) | All service providers with digital platforms for public use | Sections 40, 42, 46 – accessibility for persons with disabilities; baseline for SEBI Accessibility circular above |
| IT Act | Information Technology Act 2000 | 2000 (amended 2008) | All Indian service providers | Base law for digital identity, electronic records, intermediary liability, data protection (pre-DPDP) |
| IT Rules 2021 | Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 | 2021 | Significant intermediaries + social-media-like platforms | Grievance officer, content takedown, user notification, safe harbour conditions – implemented via POL-014 |
Not currently in scope but monitored: RBI Outsourcing Guidelines (when loan-origination scope expands), PCI DSS 4.0 (if card data is stored in future, currently tokenised), SEBI Stock Broker Regulations 1992 (if broking license), Insurance Regulatory Framework (if underwriting license).
Status legend for the control register below: ⬜ Pending review · ✅ Done · ⚠️ Partial · N/A Not applicable
How this is maintained
| Artefact | Purpose |
|---|---|
| This page | Public reference: structure, control IDs, framework mapping, current status |
| Internal controls register (private) | Full evidence links, verification commands, action owners – not published |
| Live Google Sheet (Security Drive folder) | Operational tracker; quarterly updates reviewed at ISRMC |
| Quarterly PDF snapshot | Attached to the matching ISRMC GitHub Issue as immutable audit evidence |
Each quarter the ISRMC meeting produces a PDF snapshot of the Sheet, attached to a GitHub Issue using the ISRMC Quarterly Review template. The resulting trail is what IRDAI / SEBI / CERT-In auditors walk through.
Control IDs here are the anchors referenced from the Security Governance Calendar (Framework column) and from individual Policies, Standards, and SOPs.
A. Governance
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| A1 | Board-approved Cyber Security Policy | ✓ | ✓ | - | - | ⬜ |
| A2 | Appoint CISO (no IT-reporting line, no business targets) | ✓ | ✓ | - | - | ⬜ |
| A3 | Appoint CTO / Head of IT Function | ✓ | - | - | - | ⬜ |
| A4 | ISRMC meeting – quarterly | ✓ | - | - | - | ⬜ |
| A5 | IT Steering Committee (ITSC) – quarterly, CTO convener | ✓ | - | - | - | ⬜ |
| A6 | RMC must include Independent External Expert (IEE) | ✓ | - | - | - | ⬜ |
| A7 | Functional Head responsibilities documented | ✓ | - | - | - | ⬜ |
| A8 | Scenario-based Incident Response plans | ✓ | ✓ | - | - | ⬜ |
| A9 | Designated Grievance Officer (DPDP) | - | - | - | ✓ | ⬜ |
| A10 | Designated CERT-In Point of Contact | - | - | ✓ | - | ⬜ |
| A11 | Six CSCRF Functions (Govern / Identify / Protect / Detect / Respond / Recover) | - | ✓ | - | - | ⬜ |
| A12 | Exception Management process (CISO / RMC / Board tiers) | ✓ | - | - | - | ⬜ |
| A13 | Cybersecurity budget proportional to risk appetite | ✓ | ✓ | - | - | ⬜ |
| A14 | Training budget tracked and spent | - | ✓ | - | - | ⬜ |
B. Risk & Asset Management
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| B1 | Risk Register (SEBI Annexure-E) | ✓ | ✓ | - | - | ✅ |
| B2 | Asset classification register (critical / client / regulatory) | ✓ | ✓ | - | - | ⬜ |
| B3 | Cryptographic asset inventory (post-quantum readiness) | ✓ | - | - | - | ⬜ |
| B4 | Data classification scheme | ✓ | ✓ | - | ✓ | ⬜ |
| B5 | Data processing activity register (DPDP) | - | - | - | ✓ | ⬜ |
| B6 | Third-party / vendor risk register (SEBI Annexure-F) | ✓ | ✓ | - | - | ✅ |
| B7 | Cyber Capability Index tracking (SEBI Annexure-K) | - | ✓ | - | - | ⬜ |
C. Access Control
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| C1 | Role-Based Access Control (RBAC) | ✓ | ✓ | - | - | ⬜ |
| C2 | Multi-Factor Authentication (MFA) | ✓ | ✓ | - | - | ⬜ |
| C3 | Privileged Access Management (PAM) | ✓ | ✓ | - | - | ⚠️ |
| C4 | Privileged access weekly verification | - | ✓ | - | - | ⬜ |
| C5 | Quarterly access reviews | ✓ | ✓ | - | - | ⬜ |
| C6 | MeitY / STQC empaneled CSP | ✓ | - | - | - | ⬜ |
| C7 | NDA with CSP (privacy / confidentiality / security / BC) | ✓ | - | - | - | ⬜ |
| C8 | Data elimination clause on CSP contract termination | ✓ | - | - | - | ⬜ |
| C9 | Prior written permission for further outsourcing | ✓ | - | - | - | ⬜ |
D. Detection – SIEM / SOC / EDR
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| D1 | SIEM (centralised log collection + correlation) | ✓ | ✓ | ✓ | - | ✅ |
| D2 | EDR on endpoints | ✓ | ✓ | - | - | ✅ |
| D3 | Anti-virus / Endpoint Protection Platform | ✓ | ✓ | - | - | ✅ |
| D4 | File Integrity Monitoring (FIM) | ✓ | ✓ | - | - | ✅ |
| D5 | Vulnerability Detection | ✓ | ✓ | - | - | ✅ |
| D6 | Database Activity Monitoring (DAM) | ✓ | ✓ | - | ✓ | ⬜ |
| D7 | Data Loss Prevention (DLP) | - | ✓ | - | ✓ | ⬜ |
| D8 | Web Application Firewall (WAF) | ✓ | ✓ | - | - | ✅ |
| D9 | DDoS protection | ✓ | ✓ | - | - | ✅ |
| D10 | Email gateway security | ✓ | ✓ | - | - | ✅ |
| D11 | Web gateway / Secure proxy | - | ✓ | - | - | ⬜ |
| D12 | Intrusion Prevention System (IPS) | - | ✓ | - | - | ⚠️ |
| D13 | DNS Security | - | ✓ | - | - | ⚠️ |
| D14 | Encrypted traffic management | - | ✓ | - | - | ⬜ |
| D15 | User and Entity Behaviour Analytics (UEBA) | - | ✓ | - | - | ⬜ |
| D16 | Sandboxing solution | - | ✓ | - | - | ⬜ |
| D17 | Decoy / Honeypot | - | ✓ | - | - | ⬜ |
| D18 | Threat Intelligence integration with SIEM | - | ✓ | - | - | ✅ |
| D19 | SOAR actions configured | - | ✓ | - | - | ✅ |
| D20 | MITRE ATT&CK mapping | - | ✓ | - | - | ✅ |
| D21 | Cloud audit logs (GCP + AWS) | - | ✓ | ✓ | - | ✅ |
| D22 | GitHub audit logs | - | ✓ | ✓ | - | ⚠️ |
| D23 | API misuse detection rules | - | ✓ | - | - | ✅ |
| D24 | Insurance / trading API log ingestion | ✓ | ✓ | - | - | ⬜ |
E. Logging & Retention
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| E1 | Log retention – 180 days minimum | ✓ | - | ✓ | - | ✅ |
| E2 | Log retention – 2 years (broking) | - | ✓ | - | - | ✅ |
| E3 | NTP synchronisation | - | - | ✓ | - | ⚠️ |
| E4 | Logs of all ICT systems | ✓ | ✓ | ✓ | - | ✅ |
| E5 | SIEM alert retention with defined rollover | ✓ | ✓ | - | - | ✅ |
F. Incident Response
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| F1 | Incident detection → ticket (case management) | ✓ | ✓ | - | - | ✅ |
| F2 | Report within 6 hours to regulator | ✓ | ✓ | ✓ | - | ⬜ |
| F3 | SEBI Incident Reporting Portal within 24 hours | - | ✓ | - | - | ⬜ |
| F4 | Data breach notification within 72 hours | - | - | - | ✓ | ⬜ |
| F5 | Interim Report – 3 days | - | ✓ | - | - | ⬜ |
| F6 | Mitigation measures report – 7 days | - | ✓ | - | - | ⬜ |
| F7 | Root Cause Analysis (RCA) | ✓ | ✓ | - | - | ⬜ |
| F8 | Forensic capability | - | ✓ | - | - | ⬜ |
| F9 | Incident severity classification (SEBI Annexure-O) | - | ✓ | - | - | ⚠️ |
| F10 | Stakeholder communication plan | ✓ | ✓ | - | - | ⬜ |
| F11 | Lessons learned / post-incident review | ✓ | ✓ | - | - | ⬜ |
G. Audit & Testing
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| G1 | VAPT – Grey/White box penetration test every 6 months | ✓ | - | - | - | ⬜ |
| G2 | VAPT – Quarterly vulnerability assessment + annual PT | - | ✓ | - | - | ⬜ |
| G3 | Test environment resembles production | ✓ | - | - | - | ⬜ |
| G4 | Annual cyber audit | ✓ | ✓ | - | - | ⚠️ |
| G5 | CERT-In empaneled auditor only | ✓ | - | - | - | ⬜ |
| G6 | Annexure-III compliance submission to Insurer | ✓ | - | - | - | ⬜ |
| G7 | ISO 27001 certification | ✓ | ✓ | - | - | ⬜ |
H. Infrastructure / Protection
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| H1 | Encryption at rest | ✓ | ✓ | - | ✓ | ✅ |
| H2 | Encryption in transit (TLS) | ✓ | ✓ | - | ✓ | ✅ |
| H3 | Environment segregation (prod / staging / dev) | ✓ | ✓ | - | - | ✅ |
| H4 | Group company infrastructure logical / physical segregation | ✓ | - | - | - | ⬜ |
| H5 | Data localisation (India) | ✓ | ✓ | - | ✓ | ✅ |
| H6 | API security controls (SEBI Annexure-G) | ✓ | ✓ | - | - | ⬜ |
| H7 | Immutable backup for critical hardware | ✓ | - | - | - | ⬜ |
| H8 | Failover / resilient components for critical hardware | ✓ | - | - | - | ⬜ |
| H9 | Patch management | ✓ | ✓ | - | - | ⚠️ |
| H10 | Endpoint hardening (screen lock, disk encryption, firewall) | ✓ | ✓ | - | - | ⚠️ |
I. Business Continuity / DR
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| I1 | Business Continuity Plan (BCP) | ✓ | ✓ | - | - | ✅ |
| I2 | Disaster Recovery (DR) Plan | ✓ | ✓ | - | - | ✅ |
| I3 | RTO / RPO tracking (SEBI Annexure-C) | - | ✓ | - | - | ⬜ |
| I4 | DR drill documented | ✓ | ✓ | - | - | ⬜ |
| I5 | Backup integrity verification | ✓ | ✓ | - | - | ⬜ |
J. SOC Efficacy (SEBI Annexure-N)
SEBI CSCRF mandates half-yearly Annexure-N SOC Efficacy scoring. The final score ƩS is a weighted sum across five domains.

ƩS = (C × 25 + Y × 25 + P × 20 + H × 15 + E × 15) / 100

| Domain | Weight | Score variable |
|---|---|---|
| Asset Coverage (Table 30) | 25% | C |
| SOC Operations (Table 31) | 25% | Y |
| Personnel Competency (Table 32) | 20% | P |
| SOC Governance (Table 33) | 15% | H |
| SOC Enrichments (Table 34) | 15% | E |
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| J1 | Half-yearly SOC Efficacy Report (Annexure-N) | - | ✓ | - | - | ⬜ |
| J2 | Asset Coverage Score (Domain 1, 25%) | - | ✓ | - | - | ⬜ |
| J3 | SOC Operations Score (Domain 2, 25%) | - | ✓ | - | - | ⬜ |
| J4 | Personnel Competency Score (Domain 3, 20%) | - | ✓ | - | - | ⬜ |
| J5 | SOC Governance Score (Domain 4, 15%) | - | ✓ | - | - | ⬜ |
| J6 | SOC Enrichments Score (Domain 5, 15%) | - | ✓ | - | - | ⬜ |
| J7 | Log ingestion latency < 5 min | - | ✓ | - | - | ✅ |
| J8 | Threat intelligence processing < 60 min | - | ✓ | - | - | ✅ |
| J9 | Threat hunting – quarterly | - | ✓ | - | - | ⬜ |
| J10 | Playbooks defined per use case | - | ✓ | - | - | ⚠️ |
| J11 | Native SOC tech dashboard | - | ✓ | - | - | ✅ |
| J12 | Custom SOC dashboard | - | ✓ | - | - | ⚠️ |
| J13 | False positive rate tracking | - | ✓ | - | - | ⬜ |
| J14 | False negative rate tracking | - | ✓ | - | - | ⬜ |
K. Privacy (DPDP Act 2023)
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| K1 | Consent management system | - | - | - | ✓ | ⬜ |
| K2 | Right to access / correction / erasure | - | - | - | ✓ | ⬜ |
| K3 | Grievance redressal mechanism | - | - | - | ✓ | ⬜ |
| K4 | Data retention limits per category | - | - | - | ✓ | ⚠️ |
| K5 | Personal data breach 72h notification | - | - | - | ✓ | ⬜ |
| K6 | Cross-border data transfer controls | - | - | - | ✓ | ✅ |
| K7 | Significant Data Fiduciary obligations (if notified) | - | - | - | ✓ | N/A |
L. CERT-In Incident Categories
CERT-In Directions April 2022 prescribe 20 incident categories with a 6-hour reporting obligation. Wealthy detects these through the SIEM ruleset and alerts surface in the Incident Response runbook.
| # | Category |
|---|---|
| L1 | Targeted scanning / probing |
| L2 | Compromise of critical systems |
| L3 | Unauthorised access to IT systems |
| L4 | Website defacement / intrusion |
| L5 | Malicious code (malware, ransomware) |
| L6 | Attacks on servers (DB, mail, DNS) |
| L7 | Identity theft, spoofing, phishing |
| L8 | DDoS attacks |
| L9 | DNS and BGP hijacking |
| L10 | Attacks on critical infrastructure |
| L11 | Data breach / data leak |
| L12 | Fintech / payments attacks |
| L13 | Fake mobile apps |
| L14 | Social media account compromise |
| L15 | Cloud attacks |
| L16 | IoT device attacks |
| L17 | Supply chain attacks |
| L18 | Data centre attacks |
| L19 | Cyber espionage |
| L20 | Zero-day exploits |
M. Personnel (SEBI Annexure-N Domain 3)
| # | Control | IRDAI | SEBI | CERT-In | DPDP | Status |
|---|---|---|---|---|---|---|
| M1 | L1 SOC Engineer (CEH, 2-4 YoE) | - | ✓ | - | - | ⬜ |
| M2 | L2 SOC Engineer (CEH + OEM cert, 5-7 YoE) | - | ✓ | - | - | ⬜ |
| M3 | L3 SOC Engineer (CEH + CISM, 8-12+ YoE) | - | ✓ | - | - | ⬜ |
| M4 | Security awareness training | ✓ | ✓ | - | ✓ | ✅ |
| M5 | Training budget tracked | - | ✓ | - | - | ⬜ |
N. Digital Accessibility (SEBI Accessibility Circular 2025/111 + RPwD Act 2016)
Implements SEBI Circular 2025/111 (31 Jul 2025) and Rights of Persons with Disabilities Act 2016 §§40, 42, 46. Owned primarily by Product + Compliance; security’s touchpoint is in vendor procurement (STD-015).

| # | Control | SEBI Access. | RPwD | Status |
|---|---|---|---|---|
| N1 | Nodal Officer for digital accessibility designated | ✓ | ✓ | ⬜ |
| N2 | Grievance redressal mechanism specific to accessibility | ✓ | ✓ | ⬜ |
| N3 | WCAG 2.1 / IS 17802 / GIGW conformance for digital platforms | ✓ | ✓ | ⬜ |
| N4 | Annual accessibility audit by IAAP-certified professional | ✓ | - | ⬜ |
| N5 | Accessibility training for staff + content creators | ✓ | ✓ | ⬜ |
| N6 | Accessibility clauses in RFPs + SaaS procurement | ✓ | - | ⚠️ |
| N7 | KYC / e-KYC alternatives for users with disabilities | ✓ | ✓ | ⬜ |
| N8 | Annual compliance report to SEBI (within 30 days of FY end) | ✓ | - | ⬜ |
| N9 | Disability status captured as a KYC field + human override | ✓ | ✓ | ⬜ |
- Security Governance Calendar – every calendar event maps to a control ID here
- Policies – each board-approved policy cites the controls it operationalises
- Standards – each standard cites the controls it implements
- SOPs – each procedure cites the controls it evidences
Reviewed quarterly at ISRMC; full-year review in the Annual Risk Assessment Report. Status updates are applied after each quarterly review. This page is the public (audit-facing) snapshot; internal evidence trail is maintained separately.